Google SSO for Cloud Apps

Creating a SAML App

Open https://admin.google.com/ and sign in using an administrator account.

From the Google Admin console dashboard, go to Apps:

Select SAML apps:

Click the + icon in the bottom corner:

Click SETUP MY OWN CUSTOM APP:

The Google IdP Information window opens with the SSO URL and the Entity ID URL fields automatically populated:

In Option 2, click Download for IDP metadata.

Click NEXT to display the Basic Information for your Custom App window, then add an Application Name and Description.

If you would like to add a logo you can use this image.

Click NEXT to display the Service Provider Details window.

Entity ID & ACS URL

Add an ACS URL and an Entity ID.
The ACS URL will usually be the URL for ResourceXpress with /SsoConsumer.
The Entity ID will usually be the URL for ResourceXpress.

These details can be found in the SPMetadata.xml file. See https://resourcexpress.atlassian.net/wiki/spaces/RSG/pages/126287919 for how to download this file.

The ACS URL must be https.

Set Name ID to Basic Information and Primary Email.

Set Name ID Format to ENTITY.

Click NEXT to display the Attribute Mapping window.
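
The Entity ID and ACS URL can be read directly from SPMetadata.xml and checked against the rules above before they are entered in the Service Provider Details window. This is an added example, not ResourceXpress or Google code: the sample XML, the host rx.example.com and the function name sp_details are constructed for illustration, and it assumes the file follows the standard SAML 2.0 metadata schema with an HTTP-POST ACS endpoint.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; rx.example.com is a placeholder host.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://rx.example.com/">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rx.example.com/SsoConsumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_details(xml_text):
    """Return (entity_id, acs_url, problems) read from SP metadata."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("SAML metadata should not contain a DTD")
    root = ET.fromstring(xml_text)
    entity = next(root.iter(MD + "EntityDescriptor"), None)
    if entity is None:
        raise ValueError("no EntityDescriptor element found")
    entity_id = entity.get("entityID", "")
    # Keep HTTP-POST endpoints; prefer isDefault, then the lowest index.
    endpoints = [e for e in entity.iter(MD + "AssertionConsumerService")
                 if e.get("Binding") == HTTP_POST]
    if not endpoints:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    endpoints.sort(key=lambda e: (e.get("isDefault") not in ("true", "1"),
                                  int(e.get("index", "0"))))
    acs_url = endpoints[0].get("Location", "")
    acs, ent = urlsplit(acs_url), urlsplit(entity_id)
    problems = []
    if acs.scheme != "https":  # hard requirement stated on this page
        problems.append("ACS URL must be https")
    if not acs.path.endswith("/SsoConsumer"):  # the usual form, so a warning
        problems.append("ACS URL does not end with /SsoConsumer")
    if acs.hostname != ent.hostname:  # both are usually the ResourceXpress URL
        problems.append("Entity ID and ACS URL are on different hosts")
    return entity_id, acs_url, problems


if __name__ == "__main__":
    print(sp_details(SAMPLE_SP_METADATA))
```

An empty problems list means the two values can be copied into the Google form as they are; any entry is worth resolving on the ResourceXpress side before continuing.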

Name & Email Address (required)

You will need to map an attribute for the Primary Email, First Name and Last Name.

Click ADD NEW MAPPING to add another blank field. See the table below for the required values.

| Application attribute | Category | User field |
| --- | --- | --- |
| email | Basic Information | Primary Email |
| firstname | Basic Information | First Name |
| lastname | Basic Information | Last Name |

RFID, Access Code & Other values (optional)

In addition to synchronising user details, it is also possible to retrieve other attributes from the Google Directory, which can be used to populate Access Code, RFID and other values in the ResourceXpress local user database.

To configure this you will need to add more attributes. See the table below for the optional attributes.

| Attribute Name | Information |
| --- | --- |
| rfid | The RFID value as read by the ResourceXpress system, used for screen authentication. |
| accesscode | The user's Access Code/PIN, used for screen authentication. |
| defaultlocation | The ID number for the Location that the user will have default access to. |
| allowedlocation | A comma separated list of Location ID numbers that the user has access to. |
| dateformat | The date format for the user. Examples: dd,MM,yyyy → (25, 01, 2021); MM / dd / yyyy → (01 / 25 / 2021) |
| roles | A comma separated list of Role ID numbers. The default role ID values are: Super Admin → 1, Server Admin → 2, User Admin → 3, User → 4, Messaging → 5, Reporting → 6, Location Admin → 7 |

Click FINISH.

By default, the service will be Off for Everyone. It will need to be enabled before it can be used.

After clicking OK you will be returned to the list of SAML applications.

Select the newly created Service.

Under Service Status, choose ON for everyone, then click SAVE.

This completes the steps required on the Google Admin side of setting up SSO.


Configuring SAML App in ResourceXpress

The final step is to upload the XML file we downloaded earlier to ResourceXpress.

Upload

Navigate to the SSO Settings tab. This can be found on the System Settings page, under the Administration Settings menu.

Click Choose file alongside IDP Metadata, find the GoogleIDPMetadata.xml file that was downloaded previously.
Then click Upload.

You will see the correct details auto-populated into the URL and Authenticating Authority fields.

Auto-create Users

When using SSO, by default all users will be granted the role of User.
This will allow them to view the Booking Manager page only. To allow users access to more features in ResourceXpress, they will need to exist as a user in the ResourceXpress local database.

Ticking the option Auto create user records from SSO will automatically add new users into the ResourceXpress user database when they sign in for the first time. These users can then be granted more access to the system, and can be assigned an RFID and Access Code.

When a user's account is auto-created in ResourceXpress, an email confirming this will be sent to them. Included in this email will be a randomly generated password that can be used for the upcoming mobile app.

Welcome Email

When a user's account is auto-created in ResourceXpress, a Welcome email can be sent to them to confirm their account. Included in this email will be a randomly generated password that can be used for the upcoming mobile app.

To enable the Welcome Email, tick the Send Welcome Email box.

Sync user details

This option allows user details such as Access Code and RFID to be synchronized with the ResourceXpress user database, which keeps these details up to date each time a user signs in.

Disabling this option will allow Admin users to modify these details manually in ResourceXpress.

Enabling SSO

Once all the above steps have been completed, click the Save button.

You can test this by signing out of the ResourceXpress admin console. If you are signed in with your Google account, you will be automatically logged in when you try accessing the admin console again.
