
Single Sign-On (SSO) with SAML via Google Workspace

How to set up Single Sign-On (SSO) with Google Workspace using SAML to connect to revel8. Once complete, your employees can log in using their Google credentials.

🧭 1: Create a SAML App in Google Admin

  1. In the Google Admin Console, go to: Apps → Web and mobile apps

  2. Click Add App → Add custom SAML app

  3. Give your app a name. We recommend: revel8

    You can also upload a logo and add a description (optional)

📄 2: Install SAML Certificate

  1. Download the Metadata file provided in the Google Admin setup flow

  2. In a separate tab, open the revel8 platform

    → Go to Settings → Integrations → Access Controls tab

  3. Upload the metadata file to the Metadata file section

🔗 3: Configure SAML URLs

  1. Copy the ACS URL from the revel8 platform

  2. Paste it into the next configuration page in the Google Admin console (the ACS URL and Entity ID are found under Settings → Integrations → Access Controls):

    • Paste the ACS URL into the ACS URL field

    • Paste the Entity ID into the Entity ID field

  3. Save your configuration in Google Admin Console

📝 4: Configure Attribute Mapping

In the Attribute Mapping step in the Google Admin console, set the following mappings:

The two primary email address attributes are required; the rest are optional.

🔑 5: Group to Role Mappings (Optional)

Once SAML is active, you can automatically assign revel8 roles based on your Identity Provider groups. This eliminates the need to manually assign roles to each user after login.

  1. In revel8, go to Settings → Integrations → Access Controls tab

  2. Scroll to the Group to Role Mappings section

  3. Click Add Mapping to add a new row

  4. Enter the IdP Group Name exactly as it appears in your Identity Provider

  5. Select the corresponding revel8 role from the dropdown: EMPLOYEE, EDITOR, CISO, or DIRECTOR

  6. Repeat for each group you want to map, then click Save Mappings

💡 Tip

You can add multiple mappings. Users in a mapped group will automatically receive that role upon login. Users not matched to any mapping default to the EMPLOYEE role.
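A pre-flight check for the mappings described in step 5, as an added example (not revel8 code). It compares planned mapping rows against a directory export, reports group names that differ from a real group only by case or spacing (such users would fall through to EMPLOYEE), and lists who would receive each role. The function names and sample data are constructed; exact matching is assumed to be case- and whitespace-sensitive, and users matching several roles are only flagged because the page does not state which role wins.

```python
# Added example: pre-flight audit of revel8 Group to Role Mappings.
# Function names and all sample data below are constructed for illustration.

ROLES = {"EMPLOYEE", "EDITOR", "CISO", "DIRECTOR"}  # roles listed in step 5
DEFAULT_ROLE = "EMPLOYEE"  # role for users not matched to any mapping


def _norm(name):
    """Fold case and collapse whitespace, to spot near-miss spellings."""
    return " ".join(name.split()).casefold()


def audit_mappings(mappings, user_groups):
    """mappings: {IdP group name: revel8 role}
    user_groups: {user: [group names exactly as exported from the IdP]}"""
    bad_roles = {g: r for g, r in mappings.items() if r not in ROLES}
    known = {g for groups in user_groups.values() for g in groups}
    by_norm = {_norm(g): g for g in sorted(known)}
    # Mapping rows whose name differs from a real group only by case/spacing.
    near_miss = {m: by_norm[_norm(m)] for m in mappings
                 if m not in known and _norm(m) in by_norm}
    # Mapping rows that match no exported group at all.
    unknown = sorted(m for m in mappings
                     if m not in known and m not in near_miss)
    roles = {}
    for user, groups in user_groups.items():
        # Assumption: matching is exact (case- and whitespace-sensitive).
        matched = sorted({mappings[g] for g in groups
                          if mappings.get(g) in ROLES})
        roles[user] = matched or [DEFAULT_ROLE]
    # The page does not say which role wins, so flag these for review.
    ambiguous = sorted(u for u, r in roles.items() if len(r) > 1)
    return {"bad_roles": bad_roles, "near_miss": near_miss,
            "unknown": unknown, "roles": roles, "ambiguous": ambiguous}


# Constructed sample: planned mappings and a directory export.
SAMPLE_MAPPINGS = {"Security Team": "CISO", "content-editors": "EDITOR",
                   "Leadership": "DIRECTOR", "Interns": "EMPLOYEE"}
SAMPLE_USERS = {
    "ana@example.com": ["Security Team", "Leadership"],
    "bo@example.com": ["Content-Editors"],
    "cy@example.com": ["Staff"],
}

if __name__ == "__main__":
    for key, value in audit_mappings(SAMPLE_MAPPINGS, SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Review the `roles` output for CISO and DIRECTOR before saving the mappings, and fix every `near_miss` entry so the name matches the Identity Provider exactly.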

🛡️ 6: Disable Password Login (Optional)

Once SAML is active, you can optionally disable password-based login to enforce SSO as the only login method for your organization.

  1. In revel8, go to Settings → Integrations → Access Controls tab

  2. Under the SAML status section (visible once SAML is active), check the Password login disabled checkbox

⚠️ Important

Disabling password login means users can only log in via SAML SSO. Ensure your SAML configuration is fully tested before enabling this to avoid locking users out.


✅ Final Checklist

  • Custom SAML app created in Google Admin Console

  • App name, logo, and description configured

  • Metadata file downloaded from Google

  • Metadata file uploaded to revel8 via Settings → Integrations → Access Controls

  • ACS URL and Entity ID copied correctly

  • Configuration saved in both platforms

  • Group to Role Mappings configured (optional)

  • Password login disabled if enforcing SSO-only (optional)

  • Test login successful via Google SSO
