How to Configure SAML 2.0 for Google

Supported Features

• Identity Provider Initiated Login
• Just in time user provisioning

Configuration Steps

1. Sign in to Tiled as an Account Admin
2. Navigate to Account Settings.
3. Under General Settings, scroll down to the Auto Provisioning 
4. Select a required Default Role and Default Group for new users
   • NOTE: Users who are Just in time Provisioned into the Tiled account will receive the role and group specified in this step.
5. Check the Enable Auto Provisioning box:
   
   
   
6. Scroll down to the Saml Settings section.
7.  Input and org domain
   • NOTE: The value that is input into this field will be used to generate our service provider metadata link as well as our service provider erentityID.
8. Click Update Settings
   
   
9. To build your Identity Provider Metadata XML use the above org domain and insert it into the below URL structure:
   

   https://api.tiled.co/v2/auth/device/google/{ORG DOMAIN}/metadata.xml

   • EXAMPLE if I set my Org Domain to "saltydog-admin" my resulting metadata URL would be:

     https://api.tiled.co/v2/auth/device/google/saltydog-admin/metadata.xml

   • NOTE: This URL should now resolve to Tiled's service provider metadata, with this information you will have access to the following items needed to complete your set up in Google.
     • entity ID
     • X509 Certificate
     • Assertion Consumer Service URL

We can now add a new SAML application in Google: 

• NOTE: Google publishes a guide for setting up a SAML integration with their service here 

1. In your Google Admin console (at admin.google.com)...
   
2. Go to SAML Apps
   
   
   
3. Click Add + at the bottom right
4. Click Set up my own custom app.
   The Google IDP Information window opens and the SSO URL and Entity ID fields automatically populate.
   
   
   
5. Use option 2 to Download the IDP metadata
   
   
   
6. Provide the application a Name, Description and upload a Logo Available here
7. Click Next
   
   
   
8. Copy and the entity ID from the Tiled metadata URL that you created in Step 9 above and paste it in the Identifier (entity ID) field
9. Copy and the Assertion Consumer Service from the Tiled metadata URL that you created in Step 9 above and paste it in the Reply URL (Assertion Consumer Service URL) field
10. Check Signed Response
11. Click Next
    
    
    
12. Click Add New Mapping
    
    
    
13. Create mappings to release the following attributes
    

    Application Attribute	Category	User Field
    email	Basic Information	Primary Email
    name	Basic Information	First name

    
    
    
    
14. Open the Federation Metadata XML saved from Google in Step 5 and Paste it into the Identity Provider Metadata XML section of Tiled
15. Click Update Settings
    

The configuration is now complete you can assign users to the application in Google and use their built-in test feature to ensure authenticate 

Common Errors