Google Workspace SAML and Single Sign On (SSO) Configuration

With SAML support, Observe supports using Google Workspace as an Identity Provider (IdP). Use the following instructions to configure Google Workspace parameters.

Configuring Google Workspace for SAML and SSO

  1. Log in to the Google Workspace Admin portal, admin.google.com, as a super administrator.

Figure 1 - Google Workspace App page

2. Navigate to Apps > Web and mobile apps, admin.google.com/ac/apps/unified.

3. Select Add App > Add custom SAML app.

4. Enter Observe as the App name.

5. Download the Observe icon from https://s3-us-west-2.amazonaws.com/observeinc.com/assets/saml-icon.png, and use it as the App icon.

Note

You cannot add or change the App icon after you configure SAML SSO.

Figure 2 - Google Workspace App Details

6. Choose Continue.

7. On the Google Identity Provider details page, click Continue.

8. Enter the following Service Provider Details:

  • ACS URL - https://${CUSTOMER_ID}.observeinc.com/auth/saml2/callback

  • Entity ID - https://${CUSTOMER_ID}.observeinc.com/auth/saml2/callback

  • Start URL - https://${CUSTOMER_ID}.observeinc.com/

  • Signed Response - check

  • Name ID format - EMAIL

  • Name ID - Basic Information > Primary email

Figure 3 - Service Provider Details

9. Click Continue.

10. To map attributes, click Add Mapping and use the following Google Directory attributes and App attributes:

Google Directory attribute - App attribute

  • First name - firstName

  • Last name - lastName

  • Primary email - email

Figure 4 - Google SAML Mapping Details

11. Click Finish, and review the Observe app page. By default, no users have access to the app.

Figure 5 - Observe App Details

12. Click User access, and add users to the Observe app.

13. On the Service provider details card, select Manage Certificates.

NOTE THE CERTIFICATE EXPIRATION DATE! If this is the first SAML app you've configured for Google Workspace, Google provides you with a new certificate, valid for five years from today. If you have previously configured other SAML apps, the certificate may be an older one. Observe does not currently warn when the certificate expires, and once it expires, your SAML integration stops working. To allow the maximum time before expiration, choose ADD CERTIFICATE if the certificate expires in under three years.

Configuring Observe for Google Workspace SSO

  1. Log in to Observe at https://${CUSTOMER_ID}.observeinc.com/settings/customer.

  2. Copy the SSO URL from Google and paste it into the Entry Point field in Observe. The SSO URL has the format https://accounts.google.com/o/saml2/idp?idpid=ACCT_ID.

  3. Copy the certificate from Google and paste it into the Cert field in Observe.

Figure 6 - SAML Certificates

Figure 7 - Observe SAML Details

  4. Click Add SAML Provider. The settings appear in the Customer Auth Details.

Testing the SAML Login from Google

  1. Return to the Observe app configuration page on Google.

  2. Click X to close the SAML Certificates panel.

  3. Click Test SAML Login. If you added yourself as a user, you are logged in to Observe. If you did not add yourself as a user, the login fails, as expected.

Now, when you return to the Observe Welcome page at https://${CUSTOMER_ID}.observeinc.com/, a new button, Continue with SSO, appears on the page.

Figure 8 - Observe Login with Google SSO

Note

It can take a significant amount of time for Google to apply the configuration changes. Allow up to 24 hours for change propagation to complete.
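
If Test SAML Login fails after the changes have propagated, compare the SAMLResponse form field that the browser posts to the ACS URL against the Service Provider Details and attribute mappings configured above. The following is an added example, not Observe's or Google's code: the function names, the customer ID 123456 and the sample response are constructed, and the URN used for the EMAIL Name ID format is an assumption. It checks configuration only and does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: Google's "EMAIL" Name ID format is emitted as this SAML 1.1 URN.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"firstName", "lastName", "email"}  # App attributes from the mapping step

def check_saml_response(b64_response, customer_id):
    """List mismatches between a captured SAMLResponse and the settings on this page."""
    acs = f"https://{customer_id}.observeinc.com/auth/saml2/callback"
    raw = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in raw:  # a SAML message never needs a DTD; refuse to parse one
        raise ValueError("DOCTYPE not allowed in SAML response")
    root = ET.fromstring(raw)
    problems = []
    if root.get("Destination") != acs:
        problems.append("Destination does not match ACS URL")
    # With "Signed Response" checked, <ds:Signature> is a direct child of <samlp:Response>.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element carries no signature")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EMAIL")
    aud = root.find("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != acs:  # Entity ID equals the ACS URL here
        problems.append("Audience does not match Entity ID")
    sent = {a.get("Name") for a in root.iterfind(
        "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"attribute {n} is missing" for n in sorted(REQUIRED_ATTRS - sent)]
    return problems

def constructed_response(customer_id, signed=True, attrs=("firstName", "lastName", "email")):
    """Build a constructed (not captured) sample response for trying the check offline."""
    acs = f"https://{customer_id}.observeinc.com/auth/saml2/callback"
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    attr_xml = "".join(f'<saml:Attribute Name="{a}"/>' for a in attrs)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{acs}">{sig}<saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{acs}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(constructed_response("123456"), "123456"))  # prints []
```

An empty list means the response matches the configuration; each string in a non-empty list names one setting to recheck in the Google Workspace app.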