If you are using Google Workspace, you can set up single sign-on (SSO) so that platform users who are already logged in to a Google Workspace account can access eloomi easily.
Important note:
Please be aware that eloomi does not support user provisioning through SSO, and we do not support SCIM. You can use our open API (contract add-on) to create users and update user information.
We do not support multiple SSO connections to the same platform.
Setting up SSO using Google Workspace:
In eloomi, go to Admin > Settings > SSO Details.
Here you will need to add information from your Google Admin Console.
In Google Admin, go to Sidebar > Apps > Web and mobile apps > Add app > Add custom SAML app.
Setting up eloomi custom app in Google Workspace
Setting up the eloomi app in Google Workspace will give you information that should be copied and pasted to the eloomi set-up page.
Step 1 - App details
App name - Optional
Description - Optional
Step 2 - Google Identity Provider Details
Copy the fields:
SSO URL
Entity ID
Certificate
Copy the Certificate you would like to use to authenticate with eloomi.
-----BEGIN CERTIFICATE-----
EXAMPLE
-----END CERTIFICATE-----
Copy all the content into this field, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
*Make sure you save these, as we will need them at the end of the process when we set up SSO on the eloomi side.
There are more settings that need to be set up in eloomi, but we will go through those at the end.
Step 3 - Service provider details
This step in the configuration is to add Service Provider Details from eloomi to Google Workspace:
ACS URL: https://your_domain.eloomi.com/saml2/acs
Entity ID: https://your_domain.eloomi.com/saml2/metadata
Start URL: https://your_domain.eloomi.com/
Step 4 - Attribute mapping
We need to map the Google Workspace Identifier to use email as the login attribute in eloomi.
In the Attributes tab > Add mapping.
Basic Information: Primary email
App Attributes: Copy & Paste the field "SSO LOGIN ATTRIBUTE" in the eloomi SSO settings to this field.
Afterwards, click Finish and you will see the Overview of the custom SAML app that we just set up. Before we go back to eloomi, we need to gather some more details in Google Admin Console.
Last step
Now we need the details we gathered at the beginning, in Step 2 - Google Identity Provider Details:
SSO URL
Entity ID
Certificate
Go back to the SSO settings in eloomi under Admin > Settings > SSO Details. Admin access is required to make this change.
Copy & paste the details we copied from Google Admin into eloomi:
SSO HOST > "SSO URL" found in Google Admin Console
SSO Entity ID > "Entity ID" found in Google Admin Console
SSO LOGIN SERVICE >
SSO LOGOUT SERVICE >
SSO LOGIN TYPE > Email
SSO LOGIN ATTRIBUTE > EmailAddress
SSO NAMEID FORMAT > urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SSO AUTHNCONTEXT > True
SSO REDIRECT UNAUTHORIZED REQUESTS > Yes
Certificate > X509 CERTIFICATE
Press Update SSO and you can now log in using Google Workspace / Google Identity.
Testing
Testing the SSO login can be achieved by navigating to: https://your_domain.eloomi.com/sso/log-in
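A pre-flight check for the values copied in Steps 2 and 3, as an added example that is not eloomi's or Google's own code: it builds the Step 3 URLs for a subdomain, confirms the pasted certificate is a complete PEM block, and returns a SHA-256 fingerprint to compare with the one your identity provider shows, if it shows one. The subdomain acme, the host idp.example and the sample certificate are constructed placeholders.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# NameID format value listed in this article's eloomi settings.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PEM_RE = re.compile(r"\A-{5}BEGIN CERTIFICATE-{5}\s+(.+?)\s+-{5}END CERTIFICATE-{5}\Z", re.S)
# Constructed stand-in, not a real certificate: a DER SEQUENCE of 300 zero bytes.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem):
    """Decode a pasted PEM block; raise ValueError if it is incomplete."""
    m = PEM_RE.match(pem.strip())
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE line missing")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        raise ValueError("body is not valid base64") from None
    # DER SEQUENCE (0x30) with a 2-byte length (0x82): assumes a 256-65535 byte cert.
    if der[:2] != b"\x30\x82" or int.from_bytes(der[2:4], "big") != len(der) - 4:
        raise ValueError("incomplete DER data (truncated paste?)")
    return der

def sp_urls(domain):
    """Build the Step 3 service provider values for one eloomi subdomain."""
    if not re.fullmatch(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?", domain):
        raise ValueError("replace the your_domain placeholder with your subdomain")
    base = f"https://{domain}.eloomi.com"
    return {"acs_url": f"{base}/saml2/acs", "entity_id": f"{base}/saml2/metadata",
            "start_url": f"{base}/"}

def preflight(idp_sso_url, cert_pem, nameid_format):
    """Return (problems, SHA-256 fingerprint) for the values copied in Step 2."""
    problems, fingerprint = [], None
    if urlparse(idp_sso_url).scheme != "https":
        problems.append("SSO URL is not https")
    if nameid_format != NAMEID_EMAIL:
        problems.append("NameID format differs from the documented value")
    try:
        fingerprint = hashlib.sha256(pem_to_der(cert_pem)).hexdigest()
    except ValueError as exc:
        problems.append(f"certificate: {exc}")
    return problems, fingerprint

if __name__ == "__main__":
    print(sp_urls("acme"), preflight("https://idp.example/sso", SAMPLE_PEM, NAMEID_EMAIL))
```

The certificate check is structural only: it catches a paste that lost a line or a marker, not an expired or wrong certificate.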
Important Note:
Please make sure Activation Method under platform admin > settings > company details is set to "Instant", so users are not sent an activation email.
To implement IDP-initiated logouts from eloomi, you will need to add this endpoint: https://your_domain.eloomi.com/sso/logout to your IDP.
For technical support on SSO configuration or errors, please raise a ticket at helpdesk.eloomi.com, including the error message, a screenshot, and the steps taken before the issue arose.