
How do I set up Google SSO for my domain?

Ryan Richins
  • Agilix team member

This article explains how to configure a custom SAML application in Google so that your users can authenticate into Buzz with their Google credentials.

Many of the following steps are adapted from Google's directions in Set up your own custom SAML application. If any of them are out of date, refer to the Google article.

Requirements:

  • Your institution must have a G Suite account.
  • For a Buzz user to authenticate using Google SSO, their Buzz username must match their G Suite email address.

Set up your own custom SAML app for Buzz

  1. Sign in to your Google Admin console.
  2. From the Admin console Home page, go to Apps > SAML Apps.
  3. Click the plus (+) icon in the bottom corner.
  4. Click Setup my own custom app.
  5. Download the IDP metadata. This will be used later for configuring Buzz.
  6. Click Next.
  7. In the Basic Application Information window, add an application name (e.g., Buzz) and description.
  8. (Optional) Click Choose file next to the Upload Logo field to upload a PNG or GIF file to serve as an icon. The file size should be 256 pixels square.
  9. Click Next.
  10. In the Service Provider Details window, add an ACS URL, an Entity ID, and a Start URL. The ACS URL, the Entity ID, and other information can be found at https://api.agilixbuzz.com/SAML/USERSPACE/metadata.xml, and the values are also listed below for easier configuration.
    1. ACS (AssertionConsumerService) URL: https://api.agilixbuzz.com/SAML/USERSPACE/Consumer
    2. Entity ID: https://api.agilixbuzz.com/SAML/USERSPACE
    3. Start URL: https://USERSPACE.agilixbuzz.com/home

Note

  • Replace “USERSPACE” with your domain’s userspace wherever it appears.
  • If you have a custom URL for Buzz, then your Start URL would be https://USERSPACE.CUSTOM_URL.com/home, replacing “CUSTOM_URL” with your custom URL.
  11. Leave Signed Response unchecked.
  12. Click Next.
  13. Click Finish.

Turn on SSO to your new SAML app

  1. Sign in to your Google Admin console.
  2. From the Admin console Home page, go to Apps > SAML Apps.
  3. Click your new SAML app.
  4. At the top right of the gray box, click Edit Service.
  5. At the left, the top-level organization and any organizational units appear. Ensure that your user account email IDs match those in the domain for your Google service.
  6. Select ON for everyone to enable SSO for the listed organizations.
  7. Click Save.

Note

Once enabled, some users will be able to attempt to authenticate into Buzz with their Google credentials. However, they will not be able to do so successfully until you have configured Buzz to use the Google SSO in the following section.

Configure Buzz to use the new Google SSO

  1. Go to the Admin app in Buzz for the USERSPACE you configured in Google.
  2. Open the vertical menu in the toolbar of Domain Details and select Domain Settings.
  3. On the Authentication card, select SAML as your authentication Type.
  4. Locate the previously downloaded IDP metadata file (see step 5 of the Set up your own custom SAML app for Buzz section).
  5. Rename the file to idp-meta.xml.
  6. Click the upload icon for the idp-meta.xml field.
  7. Click Choose File, locate and select the “idp-meta.xml” file provided by Google, which you renamed in step 5, and click Open.
  8. Click Upload.
  9. Select the Open login in a new window checkbox.
  10. Click Save.

Note

The Open login in a new window option is required because Google does not allow its sign-on screen to be displayed within another website.

Verify SSO between your Google service and Buzz

  1. Go to your Buzz login page.
  2. Click Login to launch the Google SSO.
  3. Enter your G Suite credentials.
  4. After your G Suite credentials are authenticated, you will be automatically redirected back to your Buzz home page.

Comments (4)

Shaun Creighton

I think I have set this up successfully on a test domain. Our Buzz usernames were set up as something else besides e-mail addresses, but I set up a custom schema in our Google accounts and populated it with the Buzz username for all accounts, then linked the Name ID to that field when setting up the custom SAML app, and that seemed to work fine.

My question is: is it possible to set up SSO on one Buzz domain but have it work for users whose accounts are under another Buzz domain? I tried populating that custom field with userspace/username (which works when logging in to Buzz normally) or //userspace//username (which is specified on your Entity ID documentation) to see if that would work, but neither seems to work correctly. I get the error below, and the "data" portion of the error lists my username without the userspace, even though both have been entered in my custom Google field. When setting up the ACS URL and Entity ID, I used the userspace where I'm trying to log on (and where Google SSO is turned on), NOT the userspace where the account resides.

Is something like this even a possibility?

Brad Marshall
  • Agilix team member

You can configure a domain to use another domain's SSO, but I am not sure if it is what you are looking for.

See How do I enable Single Sign-On (SSO) in Buzz? and look at the Domain option.

Shaun Creighton

Thanks, Brad. That actually did work, but I'm not sure that's exactly what we're looking for, either. Let me give you some more info and maybe you can guide me in the right direction.

We will have Buzz student accounts placed in the userspace that matches their "home school." Some of these students may also be enrolled in courses at another site (e.g., our online academy) which uses another userspace.

I'm wondering whether it's possible to have Google SSO work no matter which userspace URL students used to log in to their account.

I know that technically there's no need to let students log in at multiple userspaces, and that they can access all of their enrollments (no matter which userspace houses the enrollment) by logging on to their "main" userspace. But for branding purposes, or to allow access to different domain features, I'm wondering if it's possible to do this.

Having all of our school userspaces use the SSO configuration of a main "district" domain like you propose would work technically, but it seems like that would require all of our students (and teachers?) to have their user accounts in the same domain no matter what school they attend, which seems like it would affect school reporting, user management, etc.

I hope this makes sense ... if not, feel free to ask follow-up questions. :) Thanks!

Brad Marshall
  • Agilix team member

"I'm wondering whether it's possible to have Google SSO work no matter which userspace URL students used to log in to their account."

SSO for a domain can only be tied to users from a specific domain. You cannot configure a single domain (e.g., online academy) to allow users from various domains to log in. 

"Having all of our school userspaces use the SSO configuration of a main "district" domain like you propose would work technically, but it seems like that would require all of our students (and teachers?) to have their user accounts in the same domain no matter what school they attend"

That is correct.
