This document describes how to configure Google to support SAML SSO with the Wyebot cloud dashboard. These instructions were written using the Google Admin Console in June 2022.
The Wyebot cloud dashboard supports IdP-initiated SAML SSO. This means the browser session starts at the IdP where the user logs in - not at the Wyebot cloud dashboard. After a successful authentication, the user’s browser session is redirected to the Wyebot dashboard where the session is validated and the user is granted access. The main benefit of SAML SSO is that user credentials are only stored locally in an organization’s infrastructure.
All SAML users are treated as Administrators on the Wyebot dashboard. Limited users are currently not supported for SAML authentication.
On the Wyebot dashboard, user types of Admin and Limited are considered Local users. Password information for these users is stored locally in the Wyebot cloud database. SAML users are Non-Local users and no password information is stored locally for them.
You must always have at least one Local user configured on the dashboard. If your organization wishes to exclusively use SAML users, simply keep one Local user account configured on the dashboard. A Local user can have the same username as a SAML user.
SAML - Security Assertion Markup Language is a standardized method of authenticating and redirecting browser sessions.
SSO - Single Sign-On allows a user to log into one site and reuse credentials across multiple other sites.
Identity Provider (IdP) - The device or provider that performs the authentication. In this example, the authentication is done by Active Directory.
Service Provider (SP) - The service that a user wishes to use. In this example, the SP is the Wyebot cloud dashboard.
SAML User - The user that is attempting to authenticate and access the SP. The user’s credentials are not stored on the SP, only on the IdP.
Consumer URL - The URL an IdP forwards a SAML request to following a successful authentication.
The following steps must be completed to allow SAML SSO with the Wyebot dashboard:
This step requires a Google account with Administrative privileges.
Log into the Admin Console at https://admin.google.com. From the Apps entry in the left-hand menu, select Web and Mobile Apps.
From the top menu, select Add custom SAML app.
Enter a name to identify this app to users. We’ll use wyebot-cloud in this example. You can optionally add an icon. Click Continue.
On the Google Identity Provider Details page, copy the SHA-256 fingerprint field and paste it into a text file. This fingerprint will be required later when configuring the IdP Profile on the Wyebot Dashboard. Click Continue.
You will now need to create an IdP profile on the Wyebot dashboard in order to get the dynamic Consumer URL used in the next step of configuring the Google App.
In a separate browser tab, log in to your Wyebot Dashboard and navigate to the Management → Users tab. Select the Enable radio button next to SAML Authentication. Click Add IdP. In the new window provide the following information:
IdP Name: a name to identify this IdP
SHA Fingerprint: the 32-byte fingerprint from the IdP certificate (saved from the previous section)
Logout URL: this field is optional and can be used to redirect the user’s browser after logging out of the Wyebot dashboard.
Consumer URL: dynamic URL that is generated after creating the IdP profile
After creating the IdP profile, copy the Consumer URL that was generated. This will be required to complete the Google configuration in the next step.
Go back to the Google Admin browser tab. On the Service provider details page, paste the Consumer URL copied from the previous step into the ACS URL field.
Set the Entity ID to https://cloud.wyebot.com
Click Continue.
The Attribute Mapping page allows you to specify which attributes will be sent to the Wyebot dashboard when a user successfully authenticates.
If these attributes are not entered exactly as shown, the user will not be allowed access to the Wyebot dashboard.
Once entered, click Finish.
| Google Directory Attributes | App Attributes |
|---|---|
| First name | wyebot-firstname |
| Last name | wyebot-lastname |
| Primary email | wyebot-username |
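As an added example (not Wyebot's or Google's code), the following Python model shows what the Service Provider does with the two values configured above: it pins the IdP signing certificate carried in the assertion to the SHA-256 fingerprint entered in the IdP profile, and it requires the three attribute names from the Attribute Mapping table to be present, which is why a misspelled App Attribute locks the user out. The SAML response, the issuer, the attribute values and the certificate body (base64 of the bytes "abc", not a real DER certificate) are constructed placeholders; the colon-separated hex fingerprint format and all function names are assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 and XML-DSig namespaces used in a Google-issued response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Attribute names the Wyebot dashboard expects (App Attributes column above).
REQUIRED_ATTRIBUTES = ("wyebot-firstname", "wyebot-lastname", "wyebot-username")

# Constructed sample: a trimmed SAML Response as it would arrive at the ACS URL
# after base64 decoding. The X509Certificate body is a placeholder (base64 of
# b"abc"), not a real certificate, and the issuer/values are made up. A real
# response also carries SignedInfo, SignatureValue, Subject and Conditions.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
    <ds:Signature>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>YWJj</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="wyebot-firstname">
        <saml:AttributeValue>Ada</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="wyebot-lastname">
        <saml:AttributeValue>Lovelace</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="wyebot-username">
        <saml:AttributeValue>ada@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with one App Attribute misspelled, as happens when the
# Attribute Mapping page is filled in carelessly.
MISNAMED_RESPONSE = SAMPLE_RESPONSE.replace(
    'Name="wyebot-firstname"', 'Name="wyebotfirstname"')

# Fingerprint the administrator would have saved from the IdP Details page
# (here: SHA-256 of the placeholder bytes b"abc").
PINNED_FINGERPRINT = (
    "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
    "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
)


def cert_fingerprint_sha256(b64_der: str) -> str:
    """SHA-256 over the certificate's DER bytes, as colon-separated upper hex."""
    der = base64.b64decode("".join(b64_der.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> str:
    """Accept fingerprints with or without colons/spaces, any case."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def extract_attributes(response_xml: str) -> dict:
    """Map each Attribute Name to its value (a list when multi-valued)."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


def validate_response(response_xml: str, pinned_fingerprint: str):
    """Return (ok, errors): certificate pin and required-attribute checks."""
    errors = []
    root = ET.fromstring(response_xml)
    cert = root.find(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        errors.append("no X509Certificate in the assertion")
    elif _normalize(cert_fingerprint_sha256(cert.text)) != _normalize(pinned_fingerprint):
        errors.append("signing certificate does not match the configured SHA fingerprint")
    attrs = extract_attributes(response_xml)
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            errors.append(f"missing attribute {name!r}")
    return (not errors), errors


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, PINNED_FINGERPRINT))
    print(validate_response(MISNAMED_RESPONSE, PINNED_FINGERPRINT))
```

The fingerprint pin is only half of what a real SP does: a SAML library (python3-saml or xmlsec, for instance) also verifies the XML signature over SignedInfo with the pinned certificate and checks the Conditions window and Destination. The snippet isolates the two configuration values this page asks you to enter so that a mismatch in either is easy to recognise in a failed login. When parsing responses from the network in production, use defusedxml rather than the stdlib parser.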
The custom SAML app has now been configured on your Google Admin Console. Turn the app on only for the groups in your organization that should have access to the Wyebot dashboard.
It may take up to 24 hours for the custom SAML app to be enabled for your Google dashboard. This is a Google limitation.
Google provides a Test SAML Login button from the Admin Console. If you get a Google error when clicking on this, then the application has not yet been enabled.
Once the application is fully enabled and working, it will show up as an option from the Google Apps menu of any Google page.
Alternatively, you may also access the app from the following URL:
https://workspace.google.com/dashboard