Google SAML Setup
Learn how to configure Opal to authenticate users via Google SAML SSO.
You can set up Opal to allow or require users to log in via Google SAML SSO.
Setup
- When logged into Google Workspace as an administrator, click on Apps on the left sidebar and then Web and mobile apps.
- Click on Add App and then Add custom SAML app
- Name your SAML app Opal. You can use this brand asset as the app icon. When ready, click Continue.
- Copy the value of the SSO URL field
- In the Authentication section of the Opal Admin UI, click Setup and input the SSO URL into the Identity Provider SAML 2.0 SSO URL (HTTPS) field
- Download the Google IDP public certificate by clicking on the down arrow button next to the certificate.
- Upload the certificate with the Upload Certificate button in the Opal Admin page
- Click Save Changes to save this data to Opal.
- Then copy the ACS URL and Entity ID values in the Opal Admin page to the corresponding ACS URL and Entity ID fields in the Google SAML app creation page.
- Click Continue.
- In the Attribute Statements page, input given_name, family_name, and email as First name, Last name, and Email, respectively, like in the following image:
- Click Finish to complete the creation of the Google SAML app.
- Then turn on the SAML app by clicking on OFF for everyone in the SAML app page then clicking ON for everyone then Save.
Testing login via SAML
- Navigate to Opal, then log out of your Opal account.
- Click on Continue with SAML on the Opal login screen.
- Manually type your email address in the Email field. This email must have the same domain name as whoever created the SAML app in the Opal UI earlier (e.g. if [email protected] created the SAML integration, the SAML integration will be tied only to users with the opaltest.com domain).
- Then click Continue with SAML.
- This should prompt you to log in with Google.
- You may arrive at this linking screen (below). If so, you should click continue and log in with the account corresponding to your email address.
- At this point, you should be able to log into Opal!
Test IDP initiated flow from Gmail
- Login to Gmail
- On the upper right corner, click on Google Apps (button with many dots) then Opal
- This should prompt you to log in with Google.
- At this point, you should be able to log into Opal!
Common issues
Adding a SAML connection in Google and enabling it for your users can take up to 24 hours to propagate. As a result, sometimes there are caching issues after adding a new SAML connection.
Manifestations of this problem include any of the following:
- 403 app_not_configured
- 403 not_a_saml_app
- 500
In some cases these caching issues can be circumvented by clearing browser state for Opal and Google, or trying the login in an Incognito browser tab or a new browser entirely. But the most consistent fix is to simply wait up to 24 hours for the problem to go away.
Updated 4 months ago