Single Sign On (SSO) with Google Workspace (G Suite)

This how-to article helps administrators set up Single Sign On with Google Workspace (formerly G Suite). The user must have the “Modify Authentication Settings” Admin permission.

Overview

This article covers how to configure a Google Workspace (G Suite) environment to allow Single Sign On authentication with TeamDynamix. Note that you will need at most two Google SAML applications: one for production and sandbox (they share the same Entity ID and ACS URL), and another for release preview.

Google Configuration

Note that Google changes their administrative portal interface quite often, so these Google-specific instructions are subject to change without notice. You can refer to Google's documentation on setting up a SAML application for up-to-date steps.

Create a new SAML application

  1. Navigate to the Google Admin Console at admin.google.com and sign in with your super-admin username and password.
  2. From the Admin console Home page, go to Apps > Web and mobile apps.
  3. Click Add App > Add custom SAML app.
  4. Enter a Name, such as "TeamDynamix SSO", then click Continue.
  5. Click the Download the IDP metadata button and save the file to a secure location that you can access later. This file must be shared with TeamDynamix (see Metadata Exchange below) before your SSO will work.
  6. Click Continue.
  7. In the Identifier (Entity ID) field, enter the TeamDynamix Entity ID.
    • For United States SaaS Customers:
      • Production and Sandbox: https://www.teamdynamix.com/shibboleth
      • Release Preview: https://shib.teamdynamixpreview.com/shibboleth
    • For Canadian SaaS Customers:
      • Production and Sandbox: https://shib-cac.teamdynamix.com/shibboleth
      • Release Preview: https://shib-cac.teamdynamixpreview.com/shibboleth
    • For Installed (on-prem) Customers: Get this from your Service Provider software
  8. In the ACS URL field, enter the proper Assertion Consumer URL.
    • For United States SaaS Customers:
      • Production and Sandbox: https://shib.teamdynamix.com/Shibboleth.sso/SAML2/POST
        Note: If you have a vanity URL (this applies to production/sandbox only), replace shib.teamdynamix.com in the URL with your custom domain. If you are unsure whether you have a vanity URL, look at the domain in your normal TeamDynamix URL: any *.teamdynamix.com address is not a vanity URL.
        Vanity URL Example: https://my.customdomain.edu/Shibboleth.sso/SAML2/POST
      • Release Preview: https://shib.teamdynamixpreview.com/Shibboleth.sso/SAML2/POST
    • For Canadian SaaS Customers:
      • Production and Sandbox: https://shib-cac.teamdynamix.com/Shibboleth.sso/SAML2/POST
        Note: If you have a vanity URL (this applies to production/sandbox only), replace shib-cac.teamdynamix.com in the URL with your custom domain. If you are unsure whether you have a vanity URL, look at the domain in your normal TeamDynamix URL: any *.teamdynamix.com address is not a vanity URL.
        Vanity URL Example: https://my.customdomain.edu/Shibboleth.sso/SAML2/POST
      • Release Preview: https://shib-cac.teamdynamixpreview.com/Shibboleth.sso/SAML2/POST
    • For Installed (on-prem) Customers: Get this from your Service Provider software
  9. Optionally, enter a Start URL. If set, this is where users land when they choose this application from the list of Google apps. Typically this is your TDNext or TDClient sign-in page, so that the user arrives there and is signed in automatically (SP-initiated authentication).
  10. Click Continue.
  11. On the Attribute mapping page, click Add another mapping to map the TeamDynamix username attribute:
  12. In the App attributes field, enter the value urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName).
  13. Under Google Directory attributes, click the Select field menu to choose the attribute TeamDynamix will use as the username value for authentication. This value must be a scoped (fully qualified) value in the form user@domain. We suggest using Primary Email for this field.
  14. Using the related Accepted SAML SSO Attributes TeamDynamix KB article as a guide, add any other SAML attributes you wish to release to TeamDynamix. First name, last name, and email address are commonly released, since they are the minimum SAML attributes needed for SSO-based self-registration. When releasing attributes, always use the urn:oid: attribute names from that KB article (the same format as step 12). Add any additional mappings as needed.
  15. Click Finish.
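
When a test sign-in fails after this mapping step, the quickest way to see what Google actually released is to capture the SAMLResponse form field the browser POSTs to the ACS URL and inspect its attributes. The following script is an added example (not TeamDynamix or Google code): it decodes such a response and checks that the username attribute from step 12 is present and scoped as user@domain and that the self-registration attributes from step 14 are released. The OIDs used for givenName, sn and mail are the standard LDAP OIDs, assumed here; confirm them against the Accepted SAML SSO Attributes KB article. The embedded responses are constructed and unsigned; signature verification is the Shibboleth SP's job and is not attempted here.

```python
"""Check the attributes in a SAML response against what TeamDynamix expects.

Added example for this article, not TeamDynamix or Google code. Decodes the
base64 SAMLResponse a browser POSTs to the ACS URL and verifies the username
attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.6, eduPersonPrincipalName) is present
and scoped as user@domain, and that first name, last name and email are released.
The givenName/sn/mail OIDs are the standard LDAP OIDs (an assumption here).
Signature checking is left to the Shibboleth SP; this is only an attribute check.
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

USERNAME_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"      # eduPersonPrincipalName (step 12)
SELF_REG_ATTRS = {                                      # minimum for self-registration (step 14)
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}
SCOPED_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # user@domain, no bare usernames


def make_response(attrs):
    """Build a minimal unsigned SAMLResponse (constructed test data) as base64."""
    attr_xml = ""
    for name, values in attrs.items():
        vals = "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        attr_xml += f'<saml:Attribute Name="{escape(name)}">{vals}</saml:Attribute>'
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>'
        + attr_xml + "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def extract_attributes(saml_response_b64):
    """Return {attribute Name: [values]} from a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def check_attributes(attrs):
    """Return a list of problems; an empty list means TeamDynamix can use the assertion."""
    problems = []
    epn = attrs.get(USERNAME_ATTR, [])
    if not epn:
        problems.append(f"missing username attribute {USERNAME_ATTR}; check the App attributes name in step 12")
    elif len(epn) != 1:
        problems.append(f"username attribute has {len(epn)} values, expected exactly one")
    elif not SCOPED_RE.match(epn[0]):
        problems.append(f"username {epn[0]!r} is not scoped as user@domain; map Primary Email (step 13)")
    for oid, friendly in SELF_REG_ATTRS.items():
        if not attrs.get(oid):
            problems.append(f"missing {friendly} ({oid}); SSO self-registration needs it")
    return problems


# Constructed examples: a correct mapping, and one where an unscoped username was mapped.
GOOD_RESPONSE = make_response({
    USERNAME_ATTR: ["jdoe@example.edu"],
    "urn:oid:2.5.4.42": ["Jane"],
    "urn:oid:2.5.4.4": ["Doe"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["jdoe@example.edu"],
})
BAD_RESPONSE = make_response({USERNAME_ATTR: ["jdoe"]})

if __name__ == "__main__":
    import sys
    # Pipe in the (URL-decoded) SAMLResponse value from the browser dev tools; falls back to the sample.
    raw = sys.stdin.read().strip() if not sys.stdin.isatty() else GOOD_RESPONSE
    for p in check_attributes(extract_attributes(raw)) or ["all expected attributes present"]:
        print(p)
```

Run it as `python check_saml_attrs.py < response.b64`, where response.b64 holds the SAMLResponse value copied from the browser's network tab (URL-decoded first). A bare username such as `jdoe` in the eduPersonPrincipalName attribute is the symptom of mapping a non-email Google attribute in step 13.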

Enable the SAML application

  1. Navigate to the Google Admin Console at admin.google.com and sign in with your super-admin username and password.
  2. From the Admin console Home page, go to Apps > Web and mobile apps.
  3. Select the SAML app you created using the steps above.
  4. Click User access.
  5. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
  6. (Optional) To turn a service on or off for an organizational unit:
    1. At the left, select the organizational unit.
    2. Select On or Off.
    3. Click Override to keep your setting if the service for the parent organizational unit is changed.
    4. If Overridden is already set for the organizational unit, choose an option:
      • Inherit—Reverts to the same setting as its parent.
      • Save—Saves your new setting (even if the parent setting changes).
  7. To turn on a service for a set of users across or within organizational units, select an access group.
  8. Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

Metadata Exchange

The last step before you can enable Google SSO authentication into TeamDynamix is a metadata exchange. Because your metadata may change over time (for example, when the signing certificate is rotated), it is highly encouraged that you provide a public URL that TeamDynamix can use to pull the most up-to-date metadata configuration.

To provide a public URL for metadata consumption:

  1. Create a web server in your environment with a public URL, optionally locked down to allow traffic only from the TeamDynamix sources listed at https://app-eus.teamdynamix.com/meta/.
  2. Place the downloaded metadata file on your web server.
    1. You should have downloaded your metadata during step 5 in the "Create a new SAML application" section above. If not:
      1. Navigate to the Google Admin Console at admin.google.com and sign in with your super-admin username and password.
      2. From the Admin console Home page, go to Apps > Web and mobile apps.
      3. Click the SAML app to open its Settings page.
      4. Click Service provider details.
      5. Click the Download the IDP metadata button and save the file to a secure location that you can access later.
  3. Confirm that the metadata URL works by going to the URL and confirming that it downloads your metadata.
  4. Provide the URL to the TeamDynamix representative you are working with.

After this is set up, anytime your metadata changes, you would just replace the file on the web server and we would use the URL to pull the most up-to-date file.
Once TeamDynamix has confirmed that your metadata is registered in their service provider, you may move on to configuring and enabling SSO in TeamDynamix.
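
Before handing the URL to TeamDynamix, it is worth confirming that the file you are hosting is really Google's IdP metadata and is complete. The script below is an added example (not TeamDynamix or Google code): it summarizes a SAML 2.0 IdP metadata document (entityID, SingleSignOnService endpoints, signing certificate fingerprints, validUntil), flags the common mistakes (hosting the TeamDynamix SP metadata instead of Google's, a file with no signing certificate or no SSO endpoints, an expired validUntil) and can fetch your public URL to confirm it serves exactly the local file, which is step 3 above. Both embedded metadata samples are constructed; the idpid value and the certificate bytes are placeholders, and the TeamDynamix SP entity IDs are the ones listed in step 7 of the Google configuration.

```python
"""Sanity-check Google IdP metadata before hosting it for TeamDynamix.
Added example for this article, not TeamDynamix or Google code.
Both embedded samples are constructed; idpid and certificate are placeholders."""
import base64
import hashlib
import sys
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# TeamDynamix *service provider* entity IDs (step 7). If one of these is the entityID of the
# file you are about to host, you grabbed SP metadata, not Google's IdP metadata.
TDX_SP_ENTITY_IDS = {"https://www.teamdynamix.com/shibboleth", "https://shib.teamdynamixpreview.com/shibboleth",
                     "https://shib-cac.teamdynamix.com/shibboleth", "https://shib-cac.teamdynamixpreview.com/shibboleth"}

SAMPLE_CERT_B64 = base64.b64encode(bytes(range(32))).decode()  # placeholder, not a real certificate

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C00example" validUntil="2099-01-01T00:00:00.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://accounts.google.com/o/saml2/idp?idpid=C00example"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://accounts.google.com/o/saml2/idp?idpid=C00example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()

# The file you get if you download the TeamDynamix SP's own metadata by mistake (constructed).
SAMPLE_SP_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.teamdynamix.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shib.teamdynamix.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(cert_b64):
    """SHA-256 of the DER certificate, colon-separated like openssl x509 -fingerprint."""
    digest = hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize(metadata):
    """Pull the SP-relevant facts out of an IdP metadata document."""
    root = ET.fromstring(metadata)
    summary = {"entity_id": root.get("entityID"), "valid_until": root.get("validUntil"),
               "sso": {}, "signing_fingerprints": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return summary
    for sso in idp.iterfind("md:SingleSignOnService", NS):
        summary["sso"][sso.get("Binding")] = sso.get("Location")
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":          # no 'use' attribute means signing and encryption
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                summary["signing_fingerprints"].append(cert_fingerprint(cert.text))
    return summary


def find_problems(summary, now=None):
    """Return the reasons TeamDynamix could not consume this metadata (empty list if none)."""
    problems = []
    eid = summary["entity_id"]
    if not eid:
        problems.append("no entityID on EntityDescriptor")
    elif eid in TDX_SP_ENTITY_IDS:
        problems.append("entityID is a TeamDynamix SP entity ID: this is SP metadata, not Google's IdP metadata")
    if not summary["sso"]:
        problems.append("no SingleSignOnService endpoints found (missing IDPSSODescriptor?)")
    for binding, location in summary["sso"].items():
        if not location.startswith("https://"):
            problems.append(f"{binding.rsplit(':', 1)[-1]} endpoint is not https: {location}")
    if not summary["signing_fingerprints"]:
        problems.append("no signing certificate; the SP cannot verify Google's assertions")
    if summary["valid_until"]:
        expiry = datetime.fromisoformat(summary["valid_until"].replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            problems.append(f"validUntil {summary['valid_until']} has passed; download a fresh copy")
    return problems


def hosted_copy_matches(url, local):
    """Step 3 above: confirm the public URL serves exactly the file you intend to publish."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read() == local


if __name__ == "__main__":
    # usage: python check_idp_metadata.py [GoogleIDPMetadata.xml] [https://your.host/metadata.xml]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    s = summarize(data)
    print("entityID:", s["entity_id"], "| SSO:", s["sso"], "| signing certs:", s["signing_fingerprints"])
    for p in find_problems(s):
        print("PROBLEM:", p)
    if len(sys.argv) > 2:
        print("hosted copy matches local file:", hosted_copy_matches(sys.argv[2], data))
```

The signing-certificate fingerprint is the value to compare when Google later rotates its certificate: if the fingerprint in the hosted file differs from the one TeamDynamix last registered, the file on your web server was not updated and sign-ins will fail until it is.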

TeamDynamix SSO Configuration

TeamDynamix strongly recommends completing these steps in your sandbox environment first! Once you are satisfied that everything works in the sandbox, simply repeat steps 1-5 below in production to enable it there; no further configuration or changes in Google Admin are needed, because production and sandbox use the same SAML app.

  1. To enable Google SSO in TeamDynamix, log into the TeamDynamix Admin application or navigate there from the TDNext application menu option.
  2. From your organization details page, click the Security tab and then click the Configure SSO button.
  3. In Google Admin, copy the Entity ID field from your SAML app.
  4. Paste the value from Step 3 into the Entity ID field in the TeamDynamix SSO Settings page (reached from Step 2).
  5. You may now Save and Enable SSO for testing at your convenience. Do not close your TeamDynamix Admin window or browser tab yet! Proceed on to the Testing SSO Authentication section below for testing strategies.

Testing SSO Authentication

To avoid getting locked out of your TeamDynamix environment, here is our suggested testing strategy:

  1. Open a browser (e.g., Google Chrome) and open the settings page at TDAdmin > Security tab > Configure SSO.
  2. Open a separate browser (e.g., Firefox) and navigate to TDNext or the Client Portal.
  3. Use the separate browser to test signing in using SSO.
  4. If the sign-in is successful, great! If it is not successful, use the first browser to click Disable SSO.

With this approach, if SSO authentication is not working or is in some way broken, you may quickly toggle SSO off back in the first browser with the TeamDynamix SSO Settings page. You can then safely troubleshoot the issues found and not be locked out of the system until you are ready to test again.

Details

Article ID: 139520
Created
Wed 11/17/21 10:08 AM
Modified
Wed 11/17/21 10:17 AM