Managing users with Google Workspace SAML

Omni can be integrated with Google Workspace for user authentication via the SAML protocol.

Limitations

• User and user group provisioning via SCIM is not currently supported for Google Workplace
• User sessions expire after 24 hours, after which users will then need to reauthenticate

Requirements

To follow the steps in this guide, you'll need:

• Omni Organization Admin permissions
• Google Workspace Super Administrator permissions

1. Open the Omni authentication settings

In your Omni instance, navigate to Settings > Authentication and locate the SAML section.

Leave this page open - you'll need it to complete the setup.

2. Create an Omni Google Workspace app

1. Log in to your Google Workspace Admin console.
2. In the navigation bar, click Apps > Web and mobile apps.
3. Click the Add app dropdown, then Add custom SAML app.
4. Name the app Omni Analytics. You can also add a description and logo.
5. Click Continue.
6. On the Google Identity Provider details page, copy the following information somewhere handy - you'll need it to complete the setup in Omni:
   • SSO URL
   • Entity ID
   • Certificate - Note: You will need to download the certificate.
7. Click Continue.
8. In the Service Provider Details window, fill in the following:
   • ACS URL - Copy and paste the Single sign-on URL value from the Omni Authentication settings
   • Entity ID - Enter the full hostname of your Omni instance, e.g. blobsrus.omniapp.co. Do not include https://.
   • Name ID format - Set to Email
   • Name ID - Set to Basic Information > Primary email
9. Click Continue.
10. Click Add mappings and add the following mappings:
    • First name to first_name
    • Last name to last_name
11. Click Finish.

3. Configure Omni authentication settings

Navigate back to the Omni Authentication settings (Settings > Authentication) to complete the setup:

• Entity ID / Issuer - Copy and paste the Entity ID value from Google Workspace
• SSO (Sign on) URL - Copy and paste the SSO URL value from Google Workspace
• Certificate - Copy and paste the contents of the certificate you downloaded. The certificate must include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- values, for example:

  -----BEGIN CERTIFICATE-----
  [certificate contents]
  -----END CERTIFICATE-----

• Enable SAML for users - Toggle this setting to on

When finished, click Save SAML changes.

4. Assign users & groups

In the Google Workspace Admin console, use the User access section in the Omni app to grant users access. Refer to Google's documentation for more information.

tip

The email addresses your users use to sign in to Omni must match the email addresses they use to sign in to your Google domain.

5. Test the setup

Test your SAML setup by logging out of Omni. On the Omni login page, you should see a Log in with SAML button. Click the button to log in using SAML.