One of the SAML identity providers (IdP) that you can use is Google Workspace.
Before setting up your Google Workspace integration, please read over our Understanding SAML/SSO article to learn basic concepts and useful tips.
In order to get started with the setup of SSO with Google Workspace, you will need:
- Administration abilities within Google Workspace.
- Admin or super-admin user role within Hudu.
- Your own domain registered and verified with Google Workspace.
- All users provisioned in Google Workspace with the same exact email address as listed in Hudu. We don't create new user accounts from SSO.
- Ensure that the users have already been created in Hudu before starting this process.
Guides
How to Enable SSO
- Log in to Hudu and click the Admin tab on the top toolbar.
- Click General.
- Click Configure Single Sign-On.
- Enter SAML details. See the relevant section below on how to fill this information out.
- Click Enable Single Sign-On.
- Hit Update SAML Details and SAML should now be activated.
Configuring Google Workspace
- In Google Workspace:
- Navigate to Apps >> Web and mobile apps >> Add App >> Add custom SAML app
- Provide app details:
- App name (required)
- App description (optional)
- App icon (optional)
- Click continue.
- This will open a page showing your Google identity provider details in two options; copy the Option 2 SSO URL, Entity ID, and Certificate, as we'll need these later (you can also retrieve them again later).
- Click continue.
- Service provider details: these will come from your Hudu instance.
- ACS (Assertion Consumer Service) URL: Enter your Hudu URL, followed by /saml/consume
- e.g. https://docs.mywebsite.com/saml/consume
- Entity ID: Enter your Hudu URL
- e.g. https://docs.mywebsite.com
- Start URL: This can be skipped.
- Signed response: This can be skipped.
- Define Name ID format:
- Name ID format: EMAIL
- Name ID: Basic Information > Primary Email
- Click continue.
- Attribute mapping can be skipped.
- Click finish.
- Lastly, you'll need to enable access for users via the Users Access dropdown. This must be ON for all users that will be utilizing SSO.
Configuring Hudu
- In Hudu, with a user role of Admin or Super Admin:
- Navigate to your Hudu admin area >> General >> SAML/SSO Configure.
- Provide Identity Provider (IdP) information:
- This is the information that we copied earlier, from Option 2. To access these again:
- Navigate back to Google Workspace >> Apps >> Web and mobile apps
- Click into the app you've just created >> Service provider details dropdown arrow.
- Click Manage Certificates.
- SAML Issuer URL: This is what Google Workspace calls their "Entity ID." Copy this exactly into Hudu.
- SAML Login URL: This is what Google Workspace calls their "SSO URL." Copy this exactly into Hudu.
- SAML Logout URL: This should be identical to your SAML Login URL, paste the SSO URL here as well.
- SAML Fingerprint:
- Copy the SHA-256 fingerprint provided by Google Workspace.
- Alternatively, follow the steps below to calculate the SHA-1 fingerprint.
- Obtaining the SHA-1 fingerprint:
- In order to get the fingerprint into the SHA-1 format, go to https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint.
- Paste the SAML Certificate provided by Google Workspace into the X.509 cert text box.
- Set the algorithm to sha1.
- Copy the fingerprint. It should look like this:
- e1ec606f56ddcf9f364be0c2cff7221354223121
- SAML Certificate: This is provided by Google Workspace, and should be the same certificate used to configure the fingerprint; copy this exactly.
- -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- should be included.
- SAML ARN: This signifies the Authentication Context that Hudu will provide to the IdP. AuthnContext is the method by which a user tries to log in (i.e. via password, passwordless, etc.).
- Requested Authentication Context may be required by your IdP, but it is typically optional.
- If any of your users log in to your IdP with passwordless methods, Do not pass RequestedAuthnContext must be selected.
- If you specify Password in your request, the IdP knows it has to authenticate the user through login/password.
- If you specify PasswordProtectedTransport in your request, the IdP knows it has to authenticate the user through login/password, protected by SSL/TLS.
- If you specify Do not pass RequestedAuthnContext in your request, no particular method is required, and the IdP uses a URN that effectively says "I don't want to tell you how I identified the user".
- Click Enable Single Sign-On.
- Hit Update SAML Details and SAML should now be activated.
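The fingerprint steps above send Google's IdP certificate to a third-party web tool. The same value can be computed locally, because a certificate fingerprint is simply a hash of the certificate's DER encoding (the base64 body between the BEGIN/END lines). The following is an added example, not Hudu's or Google's code; the embedded PEM is a constructed placeholder whose body is just the base64 of the bytes "hello", so the script can be run offline without a real certificate. Paste the certificate shown by Google Workspace in its place and compare the result with the fingerprint Google displays before entering it into Hudu.

```python
import base64
import hashlib
import re

# Constructed placeholder for demonstration only: the body is base64 of
# b"hello", not a real X.509 certificate. Replace it with the certificate
# Google Workspace provides, including the BEGIN/END lines.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----"""

_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM certificate block and decode it to DER bytes."""
    match = _PEM_BODY.search(pem)
    if not match:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    body = "".join(match.group(1).split())  # drop newlines and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algorithm: str = "sha1") -> str:
    """Hash the DER encoding; this is the certificate fingerprint.

    Returns lowercase hex without separators, the format Hudu's example
    (e1ec606f...) uses: 40 hex chars for sha1, 64 for sha256.
    """
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("use sha1 or sha256")
    return hashlib.new(algorithm, pem_to_der(pem)).hexdigest()


def normalize(shown: str) -> str:
    """Strip colons/spaces and lowercase, so 'AA:F4' and 'aaf4' compare equal."""
    return re.sub(r"[\s:]", "", shown).lower()


def fingerprints_match(pem: str, shown: str) -> bool:
    """Check a fingerprint copied from the IdP console against the certificate.

    The hash algorithm is inferred from the length of the supplied value,
    so either the SHA-256 value Google shows or a SHA-1 value can be checked.
    """
    candidate = normalize(shown)
    if not re.fullmatch(r"[0-9a-f]+", candidate):
        return False
    algorithm = {40: "sha1", 64: "sha256"}.get(len(candidate))
    if algorithm is None:
        return False
    return fingerprint(pem, algorithm) == candidate


if __name__ == "__main__":
    print("sha1  ", fingerprint(SAMPLE_PEM, "sha1"))
    print("sha256", fingerprint(SAMPLE_PEM, "sha256"))
```

Because the check is done on the certificate text you will paste into Hudu's SAML Certificate field, a mismatch here means the fingerprint and certificate fields would point at different certificates, which is a common cause of signature validation failures at login.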
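To make the SAML ARN / RequestedAuthnContext options concrete, the following added example builds a minimal SAML 2.0 AuthnRequest and shows what each Hudu choice puts on the wire. This is generic SAML 2.0 XML written for this page, not Hudu's implementation; the entity ID, ACS URL, request ID and timestamp are constructed sample values. The class URNs for Password and PasswordProtectedTransport are the standard SAML 2.0 authentication context classes; choosing "Do not pass RequestedAuthnContext" simply omits the element, which is why it is the option that accommodates passwordless users.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Standard SAML 2.0 authentication context class URNs for the two named
# Hudu options; None stands for "Do not pass RequestedAuthnContext".
AUTHN_CONTEXT_CLASSES = {
    "Password": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "PasswordProtectedTransport":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id,
                        issue_instant, authn_context=None):
    """Return an AuthnRequest as XML text.

    authn_context is "Password", "PasswordProtectedTransport", or None
    (omit the RequestedAuthnContext element entirely).
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    issuer = ET.SubElement(root, f"{{{SAML}}}Issuer")
    issuer.text = sp_entity_id
    # Matches the Name ID format EMAIL chosen in Google Workspace above;
    # AllowCreate=false mirrors "we don't create new user accounts from SSO".
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": EMAIL_NAMEID, "AllowCreate": "false"})
    if authn_context is not None:
        if authn_context not in AUTHN_CONTEXT_CLASSES:
            raise ValueError(f"unknown authn context {authn_context!r}")
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ref = ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef")
        ref.text = AUTHN_CONTEXT_CLASSES[authn_context]
    return ET.tostring(root, encoding="unicode")


def requested_context(xml_text):
    """Parse an AuthnRequest and return the requested class URN, or None."""
    root = ET.fromstring(xml_text)
    ref = root.find(f"{{{SAMLP}}}RequestedAuthnContext/"
                    f"{{{SAML}}}AuthnContextClassRef")
    return None if ref is None else ref.text


# Constructed sample values (not a real deployment).
SAMPLE_ARGS = dict(
    sp_entity_id="https://docs.mywebsite.com",
    acs_url="https://docs.mywebsite.com/saml/consume",
    idp_sso_url="https://accounts.example.invalid/sso",
    request_id="_example-request-id",
    issue_instant="2024-01-01T00:00:00Z",
)

if __name__ == "__main__":
    for choice in ("Password", "PasswordProtectedTransport", None):
        print(choice, "->", requested_context(
            build_authn_request(**SAMPLE_ARGS, authn_context=choice)))
```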
Testing SAML
Open an incognito window and try to access Hudu. You should be redirected to the login page, where you will see a "Use Single Sign On (SSO)" button. If you are able to log in successfully via this button, your SAML is working!
You can also click 'Test SAML' from within your Hudu SAML app in Google Workspace.
Disable Password Access for non-Admins
You have the option to disable password logins for non-administrators (users that are not super admins or admins). After clicking "Disable Password Access for non-Admins", all users below admin will have to use single sign-on exclusively to access your Hudu environment.
Admins will be able to access via an admin sign-in page. This will prevent you from being locked out of your account when your Identity Provider is unavailable.
FAQ
Error 403: app_not_configured_for_user
Answer: This typically means that the entity ID (entered in Google admin) is incorrect. Ensure that you have entered your Hudu domain correctly.
Notes: Ensure that there is no trailing slash ( / ) at the end of the URL.