This article explains how to configure a custom SAML application in Google, so your users can authenticate into Buzz with their Google credentials.
This process requires working in both Google and Buzz, so
- Your institution must have a G Suite account.
- For a Buzz user to authenticate using Google SSO, their Buzz username must match their G Suite email address.
Many of the following steps are modified from the provided Google directions found at Set up your own custom SAML application. If any of them are out of date, you may refer to the Google article.
1. In Google: Set up your own custom SAML app for Buzz
- Open the Add app dropdown, and select Add custom SAML app.
- Enter the App name (Buzz), Description (optional), and upload an App icon (optional).
- Download the IDP metadata. You will use this when configuring Buzz.
- In the Service Provider Details window, add an ACS URL, an Entity ID, and a Start URL. Use the following URLS (this information can also be found at (https://api.agilixbuzz.com/SAML/USERSPACE/metadata.xml):
- ACS (AssertionConsumerService) URL: https://api.agilixbuzz.com/SAML/USERSPACE/Consumer
- Entity ID: https://api.agilixbuzz.com/SAML/USERSPACE
- Start URL: https://USERSPACE.agilixbuzz.com/home
- Replace “USERSPACE” with your domain’s userspace wherever it appears.
- If you have a custom URL for Buzz, then your Start URL would be https://USERSPACE.CUSTOM_URL.com/home, replacing CUSTOM_URL with your custom URL.
- Leave Signed response unchecked.
- If you want to attach additional information to app (e.g., names, email, titles, etc):
- Click Add mapping.
- Open the Google directory attributes dropdown, and select the desired attribute for everything you want to add.
- Provide the information in the App attributes fields.
- Click Finish.
You can define a maximum of 1500 attributes over all apps. Because each app has one default attribute, the total amount includes the default attribute plus any custom attributes you add. In the Basic Application Information window, add an application name (e.g., Buzz) and description.
Local-only email Name ID support
Buzz's SAML SSO supports email address Name ID when the Buzz username is used as the local-part of the associated email address (everything before the @).
For example, if a SAML authentication request comes through with a Name ID format of an email address (nameid-format:emailAddress), then Buzz:
- Looks for the user with the full email address as a Buzz username (e.g., email@example.com). If the user is found, they are allowed to access Buzz.
- If Buzz is unable to find the user by the full email address, then Buzz searches for a user with the local-part (everything before the @) of the email address (e.g., john.student). If a user is found with the local-part, the user is allowed to access Buzz.
- If no user is found by the full email address nor the local-part, then Buzz will tell the user that no matching user can be found.
To take advantage of this feature with Google SSO authentication, you may need to update your Service provider details in the Google SAML app settings to use the EMAIL as the Name ID.
2. In Google: Turn on SSO to your new SAML app
- Click on the SAML app you configured above.
- Click the User access card.
- At the left, the top-level organization and any organizational units appear. Ensure that your user account email IDs match those in the domain for your Google service (e.g., firstname.lastname@example.org).
- Select ON for everyone to enable SSO for the listed organizations.
Once enabled, some users will be able to attempt to authenticate into Buzz with their Google credentials. However, they will not successfully be able to do so until you have configured Buzz to use the Google SSO in the following section.
3. In Buzz: Configure Buzz to use the new Google SSO
- Go to the Admin app in Buzz for the USERSPACE you configured in Google.
- Open the vertical menu in the toolbar of Domain Details and select Domain Settings.
- On the Authentication card, select SAML as your authentication Type. Do not choose the "old version" of SAML.
- Click Add identity provider (IdP).
- Provide the Login prompt. This is what appears on the login button. If you have only one IdP, this defaults to Login, if you have more, you can label them appropriately.
- Upload the idp-meta XML file that you downloaded from Google.
- The Metadata resource path and Provider ID are automatically populated.
- Click Done.
- Provide a Logout redirect URL if you want users to be taken to somewhere other than the Buzz login screen when they sign out.
- Indicate if you want to Prevent users from using Buzz credentials.
- If you don't select this, you have the option to Allow users to create their own accounts rather than requiring they be created for them. You will also be able to set up your password policy.
4. Verify SSO between your Google service and Buzz
- Go to your Buzz login page.
- Click Login to launch the Google SSO.
- Enter your G Suite credentials.
- After your G Suite credentials are authenticated you will be automatically redirected back to your Buzz home page.