Configuring SSO with Google GSuite

Single sign on (SSO) with Google GSuite will allow users in your organization to sign in to TeamRetro using their existing GSuite account - no need to create a separate TeamRetro account.

Requirements

  • You must be an admin in your TeamRetro organization
  • You must be an admin in your Google GSuite organization

Setup Instructions

1. Open Single Sign on Settings in TeamRetro

  • Open TeamRetro
  • Browse to your Organization page
  • Select the Settings tab
  • Select Single Sign On from the admin menu
  • Select Add SAML Identity Provider
  • You will be presented with your TeamRetro service provider (SP) settings
  • Leave this window open for the moment - we'll need this information to complete configuration of the TeamRetro app in Google GSuite.


2. Configure Single Sign On in GSuite

  • Open GSuite admin console in a new tab or window (make sure you leave the TeamRetro SSO page open)
  • In your Google GSuite dashboard, click "Apps - Manage apps and their settings"
  • On the Apps page, click "SAML apps - Manage SSO and User Provisioning"
  • On the SAML Apps page, click the "+" button in the lower right of the screen
  • Step 1 of 5 - Enable SSO for SAML Application
    • Click "SETUP MY OWN CUSTOM APP"
  • Step 2 of 5 - Google IdP Information
    • Under Option 2, click the "Download" button (IDP metadata) and save the .XML file to your computer - you'll need this in a moment.
    • Click NEXT
  • Step 3 of 5 - Basic information for your Custom App
    • Complete the form:
      • Application Name: TeamRetro
      • Description: Online agile retrospective meetings for distributed teams
      • Upload logo:
        Right click on the logo above and select "Save Image As.." to download to your computer. You can then click "Choose File" in the GSuite setup window to upload to GSuite. 
    • Click NEXT 
  • Step 4 of 5 - Service Provider Details
    • Complete the GSuite "Service Provider Details" form:
      • ACS URL: [copy the LOGIN ACS URL from TeamRetro]
      • Entity ID: [copy the SP ENTITY ID from TeamRetro]
      • Start URL: leave blank
      • Signed Response: Checked
      • Name ID: Basic Information, Primary Email
      • Name ID Format: EMAIL
    • Click NEXT
  • Step 5 of 5 - Attribute Mapping
    • Use the Add New Mapping button to create the following three entries:
      • email, [Basic Information], [Primary Email]
      • firstName, [Basic Information], [First Name]
      • lastName, [Basic Information], [Last Name]
    • Click FINISH
  • Enable the application for your users
    Once GSuite has saved your new SAML application configuration, you will be directed to the GSuite TeamRetro application page. By default, the application is not available for your GSuite users.
    • Click the dropdown menu in the top right, and select "ON for everyone"


3. Configuring Single Sign On in TeamRetro

Back in TeamRetro, it's time to add your Google GSuite Identity Provider (IdP) details.

  • Under "Identity provider settings (IdP)", click "Upload Metadata"
  • Find and open the metadata XML file you downloaded from GSuite a few minutes ago.
    If successful, the "IDP ENTITY ID", "LOGIN URL", and "SIGNING CERTIFICATE" fields should be automatically populated.
  • Toggle the identity provider to ENABLED
  • Click SAVE CHANGES
  • Click TEST LOGIN
  • You will be redirected to your identity provider to sign in. If you are redirected back to TeamRetro, your configuration has succeeded. If you encounter any errors or warnings, please contact info@teamretro.com and we'll help you out.


What's Next

  • You will now be able to access TeamRetro along with your other GSuite Applications... no sign in required!
  • When you invite your team to join you in TeamRetro, they will be presented the option of signing in with your organization's SSO

