Configuring SSO with Google Workspace

Single sign on (SSO) with Google Workspace will allow users in your organization to sign in to TeamRetro using their existing Workspace account - no need to create a separate TeamRetro account.

Requirements

  • You must be an admin in your TeamRetro organization
  • You must be an admin in your Google Workspace organization

Setup Instructions

1. Open Single Sign on Settings in TeamRetro

  • Open TeamRetro
  • Browse to your ORGANIZATION page
  • Select the SETTINGS tab
  • Select SINGLE SIGN ON from the admin menu
  • Select ADD SAML IDENTITY PROVIDER
  • You will be presented with your TeamRetro service provider (SP) settings
  • Leave this window open for the moment - we'll need this information to complete the configuration of the TeamRetro app in Google Workspace.


2. Configure Single Sign On in Google Workspace

  • Open Google Workspace admin console in a new tab or window (make sure you leave the TeamRetro SSO page open)
  • In your Google Workspace dashboard, click APPS - MANAGE APPS AND THEIR SETTINGS
  • On the Apps page, click SAML APPS - MANAGE SSO AND USER PROVISIONING
  • On the SAML Apps page, click the "+" button in the lower right of the screen
  • Step 1 of 5 - Enable SSO for SAML Application
    • Click SETUP MY OWN CUSTOM APP 
  • Step 2 of 5 - Google IdP Information
    • Under Option 2, click the DOWNLOAD button (IDP metadata) and save the .XML file to your computer - you'll need this in a moment.
    • Click NEXT
  • Step 3 of 5 - Basic information for your Custom App
    • Complete the form:
      • Application Name: TeamRetro
      • Description: Online agile retrospective meetings for distributed teams
      • Upload logo:
        Right-click on the logo above and select SAVE IMAGE AS.. to download to your computer. You can then click CHOOSE FILE in the Google Workspace setup window to upload. 
    • Click NEXT 
  • Step 4 of 5 - Service Provider Details
    • Complete the Google Workspace "Service Provider Details" form:
      • ACS URL: [copy the LOGIN ACS URL from TeamRetro]
      • Entity ID: [copy the SP ENTITY ID from TeamRetro]
      • Start URL: leave blank
      • Signed Response: Checked
      • Name ID: Basic Information, Primary Email
      • Name ID Format: EMAIL
    • Click NEXT
  • Step 5 of 5 - Attribute Mapping
    • Use the ADD NEW MAPPING button to create the following three entries:
      • email, [Basic Information], [Primary Email]
      • firstName, [Basic Information], [First Name]
      • lastName, [Basic Information], [Last Name]

      For a full list of supported SAML attributes please see TeamRetro Supported SAML Attributes

    • Click  FINISH
  • Enable the application for your users
    Once Google Workspace has saved your new SAML application configuration, you should be directed to the Google Workspace TeamRetro application page. By default, the application is not available for your Workspace users. 
  • Click the DROPDOWN MENU in the top right, and select ON FOR EVERYONE


3. Configuring Single Sign On in TeamRetro

Back in TeamRetro, it's time to add your Google Workspace Identity Provider (IdP) details.

  • Under "Identity provider settings (IdP)", click UPLOAD METADATA
  • Find and open the metadata XML file you downloaded from Workspace a few minutes ago.
    If successful, the "IDP ENTITY ID", "LOGIN URL", and "SIGNING CERTIFICATE" fields should be automatically be populated
  • Toggle the identity provider to ENABLED
  • Click SAVE CHANGES
  • Click TEST LOGIN
  • You will be redirected to your identity provider to sign in. If you are redirected back to TeamRetro your configuration has succeeded. If you encounter any errors or warnings; please contact  info@teamretro.com and we'll help you out.


What's Next

  • You will now be able to access TeamRetro along with your other Workspace Applications... no sign in required!
  • When you invite your team to join you in TeamRetro, they will be presented the option of signing in with your organization's SSO


Still need help? Contact Us Contact Us