SAML SSO with Google Workspace
Please Note: TASS Support cannot set this up for you. Your IT environment requirements are separate from TASS Product Support. These guides are designed to assist your qualified IT team or consultants with these setups.
This guide is intended for IT administrators who want to configure SAML SSO with TASS using Google Workspace (formerly G Suite or Google Apps for Education).
Please Note: SAML needs to be configured individually for each product or portal in each company. For example, if you want to enable SAML SSO for both TASS.web and Staff Kiosk, you would need to follow these steps for each of those so that they are registered independently with your identity provider.
Requirements
Google Workspace licensing for the users that will sign in using SAML SSO.
An account with admin rights to Google Workspace.
Setup Instructions
1. Go to the Google Workspace Admin portal (https://admin.google.com) and sign in with your Google admin credentials.
2. Click on Apps, then click Web and Mobile Apps.
3. Click on Add App, then click Add Custom SAML App.
4. On the App Details page:
   - Enter a name for the TASS application. This will be shown to users if they browse the Apps list, so make sure the name is friendly.
   - Optionally upload an icon.
   - Click Continue.
5. On the Google Identity Provider Details page, download the IDP metadata.
6. Open the IDP metadata in a text editor (e.g. Notepad), and copy the entire contents of the file.
7. Keep your Google Workspace Admin session open, but in another browser window or tab, log in to TASS.web.
8. Switch into the relevant company (if you haven't already), then go to TASS.web program System Admin > Users > LDAP/SAML Maintenance.
9. Next to the product you are configuring, click View.
10. Click on the SAML tab, then click Edit SAML.
11. In the IDP Metadata XML field, paste in the contents of the IDP Metadata file that was copied earlier.
12. Click on Extract IDP Certificate.
13. Click on Generate SP Metadata XML.
14. Click on Save.
15. Return to the Google Workspace Admin browser tab, and click Continue.
16. On the Service Provider Details page, enter the following details:
   - ACS URL: copy and paste the SP Endpoint from the TASS SAML setup tab.
   - Entity ID: copy and paste the SP Entity ID from the TASS SAML setup tab.
   - Leave the Signed Response box unticked.
   - Name ID: the field selected here should return a value that matches what is entered as the LDAP/SAML username for each user (e.g. student, employee) in TASS. The most common option is email address.
   Please Note: Have you set up your mappings yet? If you are unfamiliar with mappings or how to set these up, please review the LDAP/SAML Maintenance article before proceeding further.
17. Click Continue.
18. On the Attribute Mapping page, no further action is required, so click Finish.
19. Back on the Web and Mobile Apps page, select the TASS app that was just created, and click User Access.
20. Either select On for Everyone, or manually specify the organisational units that can have access. Note that the access granted here only determines which users Google will attempt to authenticate and hand over to TASS. TASS makes the final determination about whether the user can log in, and what they have access to.
21. Return to the TASS.web browser tab.
22. Click Edit SAML.
23. Set Enabled to Yes, then click Save.
24. Open a private browsing session to test that your SAML SSO works as expected. If it does not, your existing session will be preserved, and you can reconfigure or disable SAML as required.
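As an added example, not part of the TASS guide or of Google's tooling, the following Python script performs the checks an IT administrator would want on the downloaded IDP metadata file before pasting it into the IDP Metadata XML field: it extracts the signing certificate (the same thing the Extract IDP Certificate step depends on), the SSO endpoint and the advertised Name ID formats, and flags a file that is missing a signing certificate or that does not advertise the email address Name ID format chosen above. The metadata sample is constructed; its idpid and certificate are placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed sample in the shape of Google's IdP metadata; the idpid and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      TUlJQ2V4YW1wbGU=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(cert_b64: str) -> str:
    """Re-wrap the bare base64 blob as PEM; a corrupt copy-paste fails here, not at a user's first login."""
    base64.b64decode(cert_b64, validate=True)
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out entityID, signing certificate(s), SSO endpoints and NameID formats from IdP metadata."""
    root = ET.fromstring(xml_text)  # the file is downloaded from the admin console you are signed in to
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (was the SP metadata pasted by mistake?)")
    certs = ["".join(c.text.split()) for c in idp.findall(CERT_PATH, NS)]  # strip whitespace around the blob
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": [to_pem(c) for c in certs], "sso": sso,
            "nameid_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]}

def check_idp_metadata(idp: dict) -> list[str]:
    """Return the problems found; an empty list means the file is ready to paste into the IDP Metadata XML field."""
    problems = []
    if not idp["signing_certs"]:
        problems.append("no signing certificate: TASS would have nothing to verify assertion signatures against")
    if not {"HTTP-Redirect", "HTTP-POST"} & set(idp["sso"]):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    if EMAIL_FORMAT not in idp["nameid_formats"]:
        problems.append("emailAddress NameID format not advertised: check the Name ID choice against your LDAP/SAML usernames")
    return problems
```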
TASS Support Access
Once SAML is enabled, TASS requires an account that it can use to provide remote support and services. This account should be:
Enabled for use with your identity provider (ensure that it exists in the user directory).
Mapped to the TASS applications registered with your identity provider (see Step 20).
Mapped to the TASS.web root user (see LDAP/SAML Maintenance for guidance on configuring mappings, and ensure that the username format matches what was defined in Step 16).
Recorded with TASS, so that its details can be used for providing support and services as required.
If MFA is enabled, this account can only use the TOTP method. Other methods, such as mobile apps and SMS messages, are not supported.
Further Information
See this Google support article for further guidance: Set up your own custom SAML application - Google Workspace Admin Help