Contents x
    Google Workspace SAML Authentication (SSO)
    • 3 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Contents

    Google Workspace SAML Authentication (SSO)

    • 3 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    About Google Workspace (formerly G Suite) SAML Authentication

    Google Workspace users may be granted access to Campus Cafe using their Google Workspace credentials by configuring a Google Security Assertion Markup Language (SAML) connection.

    The authentication works by checking if the logged in Google Workspace user has an account in Campus Cafe where the Campus Cafe username is the user's primary Google Workspace email. The Google Workspace user must also belong to a Google Workspace organizational unit that allows access to the Campus Cafe SAML app.

    Configure Google Workspace SAML

    1. Log in to Google Admin
    2. Click the Apps tile
    3. Click the Web and mobile apps tile
    4. Click Add App > Add custom SAML app
    5. For the App name enter the name of the App as you want it shown to G Workspace users in the App drawer. For these instructions, we have named it Campus Cafe.
    6. Click Continue; Do not leave the screen
    7. Click Download Metadata
    8. Retain the file and send the file to Campus Cafe Support
    9. Click Continue
    10. Enter Service provider details as follows:
      ACS URL: https://abc-web.scansoftware.com/Shibboleth.sso/SAML2/POST where abc is your school code
      Entity ID: https://abc-web.scansoftware.com/shibboleth where abc is your school code
      Start URL: https://abc-web.scansoftware.com/cafeweb/loginsso where abc is your school code
      Signed response: Check this box
    11. Enter the Name ID details as follows:
      Name ID format: EMAIL
      Name ID: Basic Information>Primary email
    12. Click Continue
    13. Click Finish

    Turn on User Access

    Google Workspace allows users to be segregated into organizational units, which control access to various Google functions and apps. Campus Cafe must be turned on for the organization(s) permitted to access Campus Cafe.

    1. Log in to Google Admin
    2. Click the Apps tile
    3. Click the Web and mobile apps tile
    4. Click the app you just created 
    5. In the upper right of the User access tile click the down arrow
    6. On the left click the organizational unit to provide access
    7. Click ON
    8. Click Override. Changes may take 24 hours to propagate to all users.

    Configure Campus Cafe Users

    The Google Workspace user must have a corresponding account in Campus Cafe. There are two ways to configure usernames in Campus Cafe.

    1. The Campus Cafe username must be the Google Workspace user's primary email  including the domain. (For example, taylor.swift@myschool.edu). Leave the domain box empty. 
      OR
    2. The Campus Cafe username must be the Google Workspace user's primary email address excluding the domain. (For example, taylor.swift@myschool.edu would be simply taylor.swift). In the Domain box enter the domain without the @ symbol. (For example, myschool.edu)

     Campus Cafe recommends the Campus Cafe Password field be left empty.

    In Campus Cafe on the user screen the Account Disabled checkbox will not be respected. Instead, disable the user's access in Google Workspace.

    In Campus Cafe on the user screen the Require Password Change checkbox will not be respected. Instead, require a password change on the user's Google Workspace record.

    The functional access granted in Campus Cafe depends on the Campus Cafe permission group to which the user belongs.  

    Configure Error Message for User Note in Campus Cafe

    If a user belongs to a Google organization that has access to Campus Cafe, the user will see a link to Campus Cafe in his or her Google App Launcher (the nine dots in the upper right). If the Google user does not have an account in Campus Cafe, an error will be displayed. 

    To customize the error message:

    1. Navigate to Admin > Adjustable Text Maintenance
    2. Locate LOGINSSO_ERROR
    3. Click the pencil next to LOGINSSO_ERROR 
    4. In the Value box (the large box) enter the error message to display to a user (e.g. You do not have access to Campus Cafe. Contact IT Support at 555-5555 for assistance.)
    5. Click Save
    6. Refresh the cache by navigating to Admin > Refresh Data Cache > reload data

    Configure Campus Cafe Logout Button Behavior

    By default, clicking the logout button in Campus Café does not end the SSO session. With the SSO session still active, a user will be able to access Campus Café without logging in.

    Configure Campus Café logout button to end SSO session

    1. Navigate to Admin > Web App Config
    2. Locate parameter LOGOUT_SSO_URL
    3. In the Value box enter https://abc-web.scansoftware.com/Shibboleth.sso/Logout?return=https://www.google.com/accounts/Logout replacing abc with your school code
    4. Click Save

    Time Out Behavior

    By default, Campus Café signs out a user after 30 minutes of inactivity. (This may be extended by contacting Campus Café support.) However, the user’s SSO session will remain active for as long as configured through the SSO. If the SSO session is still active, the user can access Campus Café without logging in. Essentially, the SSO time out setting takes precedence over the Campus Café time out.

    Accessing Campus Cafe

    Once SSO and users are configured, users can access Campus Cafe by through the Google App Launcher (nine dots) by clicking Campus Cafe.


    Was this article helpful?
    What's Next
    Need Translation?