Setting up SSO with Google

Technical guide to setting up SSO in your newsroom

Written by Naomi Chalmers
Updated over a week ago

This is a practical step-by-step guide to setting up SSO for access to the pr.co newsroom. It will most likely be implemented by your IT team. To do this, you should already have the SSO option in your subscription (if not, email us for more information).

We currently provide SSO with either Microsoft Entra ID or Google. Read on for how to set up with Google, or read our instructions for an SSO setup with Microsoft Entra ID here.

Setting up SSO with Google

Before you start, check that the account you're using to make the following changes is a super administrator account. If you're unsure, read this Google support page for more information.

1. Add your own custom SAML app.

a. In the admin console, go to Menu > Apps > Web and mobile apps.

b. Click Add App > Add custom SAML app.

2. Add details for your custom app.

a. The name of your custom app should be: pr.co

b. (Optional) Upload an app icon. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.

c. Click Continue.

3. Provide us with some details.

We will need the following information, which can be found in two ways, detailed below.

Sign on URL (In the 'basic SAML configuration' tab)

Logout URL (In the 'basic SAML configuration' tab)

Certificate (Base64) (Downloadable in the 'SAML certificates' tab)

Certificate thumbprint (In the 'SAML certificates' tab)

a. On the Google Identity Provider details page, get the setup information using one of these options:

  • Download the IDP metadata.

  • Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint).

b. Click Continue.

4. Input the information we provided.

a. In the Service provider details window, enter the ACS URL, Entity ID, and Start URL that we provided to you.

Note: The ACS URL has to start with https://

Note: The Signed response box can be left unchecked.

b. The default Name ID is the primary email. Multi-value input is not supported.

Tip: Check the setup articles in the Google SAML app catalog for any Name ID mappings required for apps in the catalog. If needed, you can also create custom attributes, either in the Admin console or via Google Admin SDK APIs, and map to those. Custom attributes need to be created before you set up your SAML app.

c. Click Continue.

5. Input Attribute mapping information.

a. (Optional) On the Attribute mapping page, click Add another mapping to map additional attributes.

Note: You can define a maximum of 1500 attributes over all apps. Because each app has one default attribute, the total number includes the default attribute plus any custom attributes you add.

b. Under Google Directory attributes, click the Select field menu to choose a field name.

Not all Google directory attributes are available in the dropdown list. If an attribute you want to map (for example, Manager's email) is not available, you can add that attribute as a custom attribute, which will make it available here for selection.

c. Under App attributes, enter the corresponding attribute for your custom SAML app.

d. (Optional) If you want to send a user’s group membership information in the SAML response, enter the group names that are relevant for this app in the Group membership field.

  1. Under Google groups, click in the Search for a group entry field.

  2. Type one or more letters of the group name.

  3. Choose the group name from the list.

  4. Add additional groups as needed (total groups cannot exceed 75).

  5. Under App attribute, enter the service provider’s corresponding groups attribute name.

Note: Regardless of how many group names you enter, the SAML response will only include groups that a user is a member of (directly or indirectly). For more information, see About group membership mapping.

e. Click Finish.

6. Test the SAML app connection.

a. In the Admin console, go to Menu > Apps > Web and mobile apps.

b. Select your SAML app.

c. Click User access.

d. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

e. (Optional) To turn a service on or off for an organizational unit:

  1. At the left, select the organizational unit.

  2. To change the Service status, select On or Off.

  3. Choose one:

    • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.

    • If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
      Note: Learn more about organizational structure.

f. To turn on a service for a set of users across or within organizational units, select an access group. For details, see Turn on a service for a group.

g. Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

Changes can take up to 24 hours but typically happen more quickly.

And that's it! As an added resource, you could also check out this Google support page for how to create a custom SAML app.


Questions? Send us an 📩 at hello@pr.co
