Managing users with Google Workspace SAML
Omni can be integrated with Google Workspace for user authentication via the SAML protocol.
Limitations
- User and user group provisioning via SCIM is not currently supported for Google Workspace
- User sessions expire after 24 hours, after which users need to reauthenticate
Requirements
To follow the steps in this guide, you'll need:
- Omni Organization Admin permissions
- Google Workspace Super Administrator permissions
1. Open the Omni authentication settings
In your Omni instance, navigate to Settings > Authentication and locate the SAML section.
Leave this page open - you'll need it to complete the setup.
2. Create an Omni Google Workspace app
- Log in to your Google Workspace Admin console.
- In the navigation bar, click Apps > Web and mobile apps.
- Click the Add app dropdown, then Add custom SAML app.
- Name the app Omni Analytics. You can also add a description and logo.
- Click Continue.
- On the Google Identity Provider details page, copy the following information somewhere handy - you'll need it to complete the setup in Omni:
  - SSO URL
  - Entity ID
  - Certificate - Note: You will need to download the certificate.
- Click Continue.
- In the Service Provider Details window, fill in the following:
  - ACS URL - Copy and paste the Single sign-on URL value from the Omni Authentication settings
  - Entity ID - Enter the full hostname of your Omni instance, e.g. blobsrus.omniapp.co. Do not include https://.
  - Name ID format - Set to Email
  - Name ID - Set to Basic Information > Primary email
- Click Continue.
- Click Add mappings and add the following mappings:
  - First name to first_name
  - Last name to last_name
- Click Finish.
3. Configure Omni authentication settings
Navigate back to the Omni Authentication settings (Settings > Authentication) to complete the setup:
- Entity ID / Issuer - Copy and paste the Entity ID value from Google Workspace
- SSO (Sign on) URL - Copy and paste the SSO URL value from Google Workspace
- Certificate - Copy and paste the contents of the certificate you downloaded. The certificate must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- values, for example:
  -----BEGIN CERTIFICATE-----
  [certificate contents]
  -----END CERTIFICATE-----
- Enable SAML for users - Toggle this setting to on
When finished, click Save SAML changes.
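A pre-flight check for the two format rules stated in steps 2 and 3 (the Entity ID as a hostname without https://, and the certificate with both BEGIN and END lines), as an added example that is not part of Omni's documentation or tooling. The function names and the placeholder certificate are constructed for illustration, and the DER length check is an extra test for a cut-off paste, not a documented Omni requirement.

```python
import base64
import binascii
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def check_entity_id(value):
    """Entity ID entered in Google Workspace: bare Omni hostname, no https://."""
    problems, host = [], value.strip()
    if re.match(r"[a-z][a-z0-9+.-]*://", host, re.I):
        problems.append("remove the scheme (e.g. https://)")
        host = host.split("://", 1)[1]
    if "/" in host:
        problems.append("remove the path; enter the hostname only")
        host = host.split("/", 1)[0]
    if not re.fullmatch(r"([a-z0-9-]+\.)+[a-z0-9-]+", host, re.I):
        problems.append(f"{host!r} is not a full hostname")
    return problems

def check_certificate(pem):
    """Certificate pasted into Omni: both PEM marker lines and an intact body."""
    text = pem.strip()
    if not text.startswith(BEGIN):
        return [f"missing {BEGIN} line"]
    if not text.endswith(END):
        return [f"missing {END} line"]
    try:
        body = "".join(text[len(BEGIN):-len(END)].split())
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return ["text between the markers is not valid base64"]
    # An X.509 certificate is one DER SEQUENCE (tag 0x30); its encoded length
    # must cover exactly the remaining bytes, so a cut-off paste fails here.
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded body is not a DER-encoded certificate"]
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        return ["certificate is truncated or has trailing data"]
    return []

def constructed_sample_pem():
    """Constructed placeholder (DER header + zero bytes), not a real certificate."""
    der = b"\x30\x82\x01\x00" + bytes(256)
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"
```

Both functions return an empty list when the value is acceptable; pass the contents of the downloaded certificate file to check_certificate before pasting it into Omni.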
4. Assign users & groups
In the Google Workspace Admin console, use the User access section in the Omni app to grant users access. Refer to Google's documentation for more information.
The email addresses your users use to sign in to Omni must match the email addresses they use to sign in to your Google domain.
5. Test the setup
Test your SAML setup by logging out of Omni. On the Omni login page, you should see a Log in with SAML button. Click the button to log in using SAML.