Home
User Guides
Start typing to search…
  1. Manage Observe
  2. Manage users and access
  3. Configure single sign-on

Configure Google Workspace for SAML and SSO

With SAML support, Observe supports using Google Workspace as an Identity Provider (IdP). Use the following instructions to configure Google Workspace parameters.

📘

Note

Use of stem names instead of Observe Customer IDs is possible, but you cannot configure Google Workspace to support both at the same time without introducing instability.

Configure Google Workspace for SAML and SSO

  1. Log into the Google Workspace Admin portal, admin.google.com, as a super administrator.

  2. Navigate to Apps > Web and mobile apps, admin.google.com/ac/apps/unified.

  3. Select Add App > Add custom SAML app.

  4. Enter Observe as the App name.

  5. Download the Observe icon from https://s3-us-west-2.amazonaws.com/observeinc.com/assets/saml-icon.png, and use it as the App icon.

📘

Note

You can't add or change the App icon after you configure SAML SSO.

  1. Choose Continue.
  2. On the Google Identity Provider details page, click Continue.
  3. Enter the following Service Provider Details. Replace ${OBSERVE_CUSTOMER_ID} with your Observe tenant ID, and ${REGION_URL} with the appropriate URL for your deployment region. See Observe deployment regions:

  • ACS URL - https://${OBSERVE_CUSTOMER_ID}.${REGION_URL}/auth/saml2/callback

  • Entity ID - https://${OBSERVE_CUSTOMER_ID}.${REGION_URL}/auth/saml2/callback

  • Start URL - https://${OBSERVE_CUSTOMER_ID}.${REGION_URL}/

  • Signed Response - check

  • Name ID format - EMAIL

  • Name ID - Basic Information > Primary email

  1. Click Continue.

Attribute mapping

To map attributes, click Add Mapping and use the following Google Directory attributes and App attributes:

Google Directory attributeApp attributes
First namefirstName
Last namelastName
Primary emailemail

Group Membership Attributes

Observe supports the sending of group membership claims via SAML. The field mapping for Group Names support is as follows. Note that each Google group that you send to Observe should have at least 1 member.

Google Directory attributeApp attributes
Google groupsgroups

Click Finish, and review the Observe app page. By default, no users have access to the app. You must assign Users and/or Groups to the app.

Configure Observe for Google Workspace SSO

Perform the following steps to configure Observe for Microsoft Entra ID SSO:

  1. In the left navigation rail, hover on your user name, then select Manage account.
  2. Click Customer settings.
  3. Click Add SAML.

  1. Copy the SSO URL from Google and paste it into the Entry Point field in Observe. The SSO URL has the format https://accounts.google.com/o/saml2/idp?idpid=ACCT_ID.

  2. Copy the certificate in Google and paste it into Observe's Cert field.

  3. Click Add SAML Provider.

Test the SAML login from Google

  1. Return to the Observe app configuration page on Google.
  2. Click X to close the SAML Certificates panel.
  3. Click Test SAML Login. If you added yourself as a user, then you log into Observe. If you did not add yourself as a user, the login successfully fails.

Now, when you return to the Observe Welcome page at https://${OBSERVE_CUSTOMER_ID}.${REGION_URL}/, a new button, Continue with SSO, appears on the page.

📘

Note

It can take a significant amount of time for Google to apply the configuration changes. Please allow up to 24 hours for change propagation to complete.

Updated 8 days ago