SAML SSO with Google

Log in to your Document360 account and select the project for which you wish to configure Google SAML Single Sign-On with your Google Workspace account. Next, log in to your Google Workspace account. If you don’t have a Google Workspace account, you can create one at https://workspace.google.com/. Once you have logged in to your Google Workspace account, navigate to the admin console using the Admin button at the top right. Please note that only users with the Owner or Admin project role can configure SSO in Document360.

PRO TIP

It is recommended to open Document360 and Google Workspace in two separate tabs/browser windows, since configuring SSO in Document360 will require you to switch between Google Workspace and Document360 multiple times.


Adding a custom SAML app on Google

  1. On the admin console home page, click on the Apps option and select the SAML apps option.

  2. Click on Add app and in the dropdown, select Add custom SAML app.

  3. In the App details, enter any name for your app and click on Continue.

  4. Next, you will find the SSO URL, Entity ID details, and the Certificate.

  5. Make a note of these details, since you will need them while accessing the Configure the Identity Provider (IdP) page on Document360.

  6. In the Certificate section, click on the Download icon to save the certificate (.pem format) in your computer's local storage.

  7. You will have to upload this certificate later in the Configure the Identity Provider (IdP) page in Document360.

[Screenshot: Google user access, service status]

  8. In User access, the Service status is OFF for everyone by default. You must manually change it to ON for everyone for the app to work.

[Screenshot: Google user access, changing the service status]

After configuring it on the Google side, here's how your SAML app would look.

[Screenshot: Google SSO SAML app]


Service Provider configuration

To configure Single Sign-On (SSO), you need Service Provider (SP) details such as the ACS URL and entity ID. These details are available in the Create SSO window on Document360. To navigate to the Create SSO window:

  1. Go to Settings > Users & Security > SAML/OpenID.

  2. Click the Create SSO button.

  3. In the Choose your Identity Provider (IdP) page, select Google as the identity provider.

  4. Next, from the Configure the Service Provider (SP) page, copy the following parameters.

| Google custom SAML app | Document360 SSO SAML settings |
|---|---|
| ACS URL | Callback path |
| Entity ID | Service provider entity Id |
| Start URL (optional) | |

  1. Switch to the Google Workspace tab and paste the parameters onto the Google custom SAML app page.

  2. In Name ID format, select EMAIL from the dropdown.

  3. In Name ID, select Basic Information > Primary email.

  4. Click on the Continue button.

Attributes

Add and select user fields in Google Directory, then map them to service provider attributes. Add the following attributes.

| Google Directory attributes | App attributes |
|---|---|
| Primary email | name |
| Primary email | email |
| Primary email | urn:oasis:names:tc:SAML:2.0:nameid |

Click on the Add Mapping button each time you add an attribute, and when you're done, click on the Finish button.


Identity Provider configuration

  1. Switch back to the Document360 window, to the Configure the Service Provider (SP) page, and click Next to navigate to the Configure the Identity Provider (IdP) page.

  2. In the Configure the Identity Provider (IdP) page, add the information you had noted down earlier from the Google custom SAML app page.

| Document360 SSO settings | Info from Google custom SAML app |
|---|---|
| Sign on URL | SSO URL |
| Entity id | Entity ID |
| Sign Out URL (Optional) | NA |
| SAML Certificate | Certificate (Upload the recent .pem file you downloaded from Google) |

  3. Next, turn on/off the Allow IdP initiated sign in toggle as per your project requirements.

  4. Once done, click the Next button to navigate to the More settings page.

  5. In the More settings page, enter the desired name for the SSO configuration in the SSO name field.

  6. Enter the text you would like to show users for the login button in the Customize login button text field.

  7. Toggle on/off the Auto assign reader group and Sign out idle SSO team account toggles based on your requirements.

  8. Invite all your users or selected users using the Convert existing team and reader accounts to SSO radio buttons.

  9. Click Create to complete the SSO configuration setup.

The SSO configuration based on the SAML protocol will now be configured successfully using Google.
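
To confirm that a test login carries what was configured above (ACS URL, Entity ID, EMAIL Name ID format, the three Primary email mappings, and whether the response is IdP-initiated), a decoded SAML response can be linted as below. This is an added example, not Document360 or Google code. The URLs and the user address are constructed placeholders, the emailAddress URN is assumed to be what Google sends for the EMAIL format, and the signature is not verified here.

```python
# Added example (not Document360 or Google code): lint a base64-decoded SAML
# Response from a test login against the settings on this page. No signature check.
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the URN Google emits when Name ID format is set to EMAIL.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("name", "email", "urn:oasis:names:tc:SAML:2.0:nameid")

# Constructed sample: IdP-initiated, third attribute mapping forgotten.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.test/acs"><a:Assertion>
 <a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ana@example.test</a:NameID></a:Subject>
 <a:Conditions><a:AudienceRestriction><a:Audience>https://sp.example.test/entity</a:Audience></a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement>
  <a:Attribute Name="name"><a:AttributeValue>ana@example.test</a:AttributeValue></a:Attribute>
  <a:Attribute Name="email"><a:AttributeValue>ana@example.test</a:AttributeValue></a:Attribute>
 </a:AttributeStatement></a:Assertion></p:Response>"""

def lint_response(xml_text, acs_url, sp_entity_id):
    """Return a list of findings; an empty list means everything matches."""
    root = ET.fromstring(xml_text)  # feed only your own captured test login
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL")
    if root.get("InResponseTo") is None:  # expected only if the IdP toggle is on
        findings.append("IdP-initiated response (no InResponseTo)")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not EMAIL")
    audiences = [e.text for e in root.findall(".//a:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append("Audience does not contain the SP entity ID")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", namespaces=NS)
             for a in root.findall(".//a:Attribute", NS)}
    for attr in REQUIRED_ATTRS:  # all three map to Primary email on this page
        if attr not in attrs:
            findings.append(f"missing attribute: {attr}")
        elif name_id is not None and attrs[attr] != name_id.text:
            findings.append(f"attribute {attr} is not the primary email")
    return findings

if __name__ == "__main__":
    for f in lint_response(SAMPLE, "https://sp.example.test/acs",
                           "https://sp.example.test/entity"):
        print(f)
```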