Supported Features
- Identity Provider Initiated Login
- Just in time user provisioning
Configuration Steps
- Sign in to Tiled as an Account Admin
- Navigate to Account Settings.
- Under General Settings, scroll down to the Auto Provisioning section
- Select a required Default Role and Default Group for new users
- NOTE: Users who are Just in time Provisioned into the Tiled account will receive the role and group specified in this step.
- Check the Enable Auto Provisioning box
- Scroll down to the SAML Settings section.
- Input an org domain
- NOTE: The value that is input into this field will be used to generate our service provider metadata link as well as our service provider entityID.
- Click Update Settings
- To build your Identity Provider Metadata XML use the above org domain and insert it into the below URL structure:
https://api.tiled.co/v2/auth/device/google/{ORG DOMAIN}/metadata.xml
- EXAMPLE: If I set my Org Domain to "saltydog-admin", my resulting metadata URL would be:
https://api.tiled.co/v2/auth/device/google/saltydog-admin/metadata.xml
- NOTE: This URL should now resolve to Tiled's service provider metadata. With this information you will have access to the following items needed to complete your setup in Google:
- entity ID
- X509 Certificate
- Assertion Consumer Service URL
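Added example (not Tiled's own code): one way to build the metadata URL and check the three items before copying them into Google. It assumes the document is standard SAML 2.0 service provider metadata; the function names, the sp.example.test host and the certificate bytes in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def metadata_url(org_domain):
    """Build the metadata URL from the org domain, using the URL structure above."""
    return ("https://api.tiled.co/v2/auth/device/google/"
            f"{quote(org_domain, safe='')}/metadata.xml")

def parse_sp_metadata(xml_text):
    """Extract the entity ID, ACS URL and certificate fingerprint; reject bad input."""
    # For metadata fetched over the network, a hardened parser such as
    # defusedxml is preferable to the standard-library one used here.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    if not root.get("entityID") or acs is None or cert is None:
        raise ValueError("metadata lacks an entity ID, ACS or X509 certificate")
    acs_url = acs.get("Location", "")
    if urlparse(acs_url).scheme != "https":
        raise ValueError("ACS URL must be https, assertions are posted to it")
    der = base64.b64decode("".join((cert.text or "").split()))
    return {"entity_id": root.get("entityID"),
            "acs_url": acs_url,
            "cert_sha256": hashlib.sha256(der).hexdigest()}

# Constructed sample: placeholder host and certificate bytes, not Tiled's real values.
SAMPLE_CERT_BYTES = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saltydog-admin">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_BYTES).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="https://sp.example.test/saltydog-admin/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(metadata_url("saltydog-admin"))
    print(parse_sp_metadata(SAMPLE_METADATA))
```

Recording the certificate fingerprint at setup time gives you a value to compare against if the metadata is ever re-downloaded.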
We can now add a new SAML application in Google:
- In your Google Admin console (at admin.google.com)...
- Go to SAML Apps
- Click Add + at the bottom right
- Click Set up my own custom app.
The Google IDP Information window opens and the SSO URL and Entity ID fields automatically populate.
- Use option 2 to Download the IDP metadata
- Provide the application a Name and Description, and upload a Logo (available here)
- Click Next
- Copy the entity ID from the Tiled metadata URL that you created in Step 9 above and paste it in the Identifier (entity ID) field
- Copy the Assertion Consumer Service URL from the Tiled metadata URL that you created in Step 9 above and paste it in the Reply URL (Assertion Consumer Service URL) field
- Check Signed Response
- Click Next
- Click Add New Mapping
- Create mappings to release the following attributes
Application Attribute | Category | User Field |
email | Basic Information | Primary Email |
name | Basic Information | First name |
- Open the Federation Metadata XML saved from Google in Step 5 and paste it into the Identity Provider Metadata XML section of Tiled
- Click Update Settings
The configuration is now complete. You can assign users to the application in Google and use their built-in test feature to ensure that users can authenticate.
Common Errors
Response Error | Potential Fix |
{"type":"TypeError","status":500,"message":"Cannot read property '0' of undefined"}} | Ensure the Additional Claims rules from step 19 are properly sending 'email' |