Manage People
      Back to home
      1. Help Center
      2. Getting Started for Administrators
      3. Manage People

      Single Sign On with Google SAML

      Description

      This article outlines the steps needed to enable Single Sign On (SSO) between Share911 and Google via SAML 2.0.  SSO integration means that staff will be able to use their existing company password and authenticate with your organization's existing Google roster to gain access to Share911.

      Share911 supports Just-In-Time (JIT) provisioning of accounts via SAML so once the integration is enabled your staff can log in directly by entering their work email address on the Share911 login screen and selecting "Log in with Single Sign-On".

      Staff that enroll via SSO do not need to create a separate password in Share911.  Staff that are invited via email or imported via a spreadsheet will be required to create a Share911-specific password during enrollment.

      Pre-requisites

      You will need to have one user already created in Share911.

      Outline

      1. Request access to your root channel

      2. Open your root channel's "Integrations" page in Share911

      3. Create a Share911 application in Google

      4. Turn on the Share911 app in Google

      5. Enter Google-specific information into Share911

      6. Ensure Registration email domain is set properly in Share911

      7. Test SSO login to Share911

      Walkthrough

      1. Request access to your root channel

      Since SSO is an organization-wide feature, it needs to be set up on the root channel.  Access to the root channel can be obtained by emailing support@share911.com.  Please mention "Configuring SSO" in the support request.

      2. Open your root channel's "Integrations" page in Share911

      Now that we have access, let's log in to Share911 with our administrator account.  We should see multiple channels, including our organization's root channel.  For example, if our normal channel is found at:

      https://share911.com/acme/hq

      ...then our root channel will be found at:

      https://share911.com/acme

       

      NOTE: If you do not see your organization's root channel, please contact support@share911.com and we will help you gain access.

      Next, we can navigate to the "Channel Integrations" page, by clicking on our name in the top right, then Manage Channels, Integrations, and SSO via SAML 2.0.

      Then, copy the value of the Share911 Assertion Consumer Service Url field.  For example, "https://share911.com/sso/saml/acs".  We will need this ACS URL when we create the Share911 application in Google.

       

      3. Create a Share911 application in Google

      Follow the steps described in the "Set up your own custom SAML application" article, found here:

      https://support.google.com/cloudidentity/answer/6087519?hl=en

      IMPORTANT NOTES: 

      * Step 6 - choose the "Download the IDP metadata" option. You will use this file below.

      * Step 9 - paste the ACS URL you copied from Share911.  Entity ID and Start URL should be set to:

      https://share911.com


      * Step 13 - add the following mappings:

      Primary email => email
      First name => firstname
      Last name => lastname
      Employee ID => employeeId
      Job title => title

       

      4. Turn on the Share911 app in Google

      Now that we've created our Share911 application, let's give people permission to use it.  If you would like to start testing Share911 with a few staff first, you can assign individual people.  Otherwise, you can assign whichever Groups make sense for your organizational structure.

      The section titled "Turn on your SAML app" has instructions for granting access to the new app.

      5. Enter Google-specific information into Share911

      Now we need to add the contents of IdP Metadata file that you downloaded from Google to the Share911 side.  Share911 uses this metadata to securely make SAML requests.  

      To do so, open the IdP Metadata file and copy the XML contents.  Then paste that into the "Option 2. IdP Metadata XML" field.  

      Now our setup is complete in both Google and Share911 so we can check the Enable integration? checkbox at the top to turn on SSO.

       

      6. Ensure Registration email domain is set properly in Share911

      At this point our SAML integration is completed but we also need to ensure that Share911 knows to attempt a SAML login for our users.  To do this we need to ensure that the email domains set in the Share911 Registration page are correct for your organization.  Only domains included here will be eligible to use SAML SSO.

       

      Let's check by first clicking "< Channel Integrations" to go back to the main Manage Channel page, then selecting "Registration" to open the "User Registration" page.

       

      Ensure that the Email Domains field has the correct email domain(s) for your organization.  Since we do not want staff to be able to join this root channel when Self-Registering, let's also check the "Require administrator approval..." check box.

       

      7. Test SSO login to Share911

      Now we can test our SAML integration.  To do so, let's log out of our Share911 account and re-enter our email address into the Share911 login page.  We should now see the option to "Log in with Single Sign-On".

      Clicking that link will initiate a SSO SAML request to Google and should grant access to our Share911 account.  If not, please contact support@share911.com so that we can help troubleshoot what went wrong.

      Share911 will remember our last login method so the next time that we visits the Share911 login screen, we will see this form instead:

      And we're done!