Google Workspace SAML integration


Google Workspace serving as an Identity Provider (IDP) can provide your users with single sign-on (SSO) access via Security Assertion Markup Language 2.0 Standard (SAML) to our Recorder and Video Editor under your team plan.  When Team users first authenticate via SAML and you have configured SAML to create users, we set up their dedicated hosting account as part of the Team Plan.

This article describes how to configure SAML SSO with Google Workspace serving as the IDP. 

Prerequisites 

  • Your organization must be using Google Workspace
  • You will need administrative permissions for Google Workspace
  • You must be using a ScreenPal Team Plan 
  • You will need administrative permissions for your Team Plan

Configure SAML SSO with ScreenPal from the Google Admin

1. Log in to Google Workspace as an Administrator.
2. In the Google Admin Console, click the Apps option in the menu and then click Web and mobile apps.




3. At the top of the Web and mobile apps page, click the Add app menu and select Add custom SAML app.




4. Under App details, enter an App name and upload an App icon if you like.
5. Click Continue.
6. Download the IDP Metadata file and save it to your computer by clicking Download Metadata.




7. Click Continue.
The Service provider details tab is displayed.



8. Keep this tab open, as we will return to it later to complete the configuration.

Configure SAML access in ScreenPal Settings

1. Go to ScreenPal and log in as the Team Owner or Admin.
2. Click Settings in the menu on the left.
3. From the Settings area, click Authentication.




4. Under SAML Authentication, move the toggle to ON.



Once enabled, you will see the additional settings needed to set up communication between our app and the ADFS identity provider.

5. Download the metadata XML file under SAML Service Provider Info (ScreenPal), and save it on your device for a future step.




6. Under Upload SAML Identity Provider (IDP) Metadata File, click Choose File and upload the Google IDP Metadata file you saved from Google Admin (step 6 of the previous section).



When the file has been uploaded successfully, you will see a green "Verified" message and the fields in the Current SAML Identity Provider (IdP) Metadata File section will be populated.

Configure an Access URL

Configure an Access URL if you would like users to automatically be created in ScreenPal when they log in using SAML.

1. In the text box under Access URL, specify a unique access URL. 
This URL will be used by your Team the first time they authenticate into ScreenPal.  When visiting this URL, the user will be redirected to your organization network login for sign-in or, if they are already logged into your network, they will be automatically signed into our app.



2. Select the checkbox for Create users on ScreenPal using SAML for this Access URL.
The first time a user from your organization logs in via SAML, their hosting account will be set up so they can manage and share content.



 

Add the Entity ID and ACS URL in Google Admin

1. Go back to the SAML Service Provider Info (ScreenPal) section and copy the Entity ID and ACS URL for use in Google Apps.



2. Return to the Google Admin tab, and paste the ACS URL and Entity ID into their respective fields. 
Make sure to leave the default for Name ID set to Basic Information > Primary Email.



3. Click Continue.

4. If you selected Create users on ScreenPal using SAML for this Access URL in ScreenPal, in the Attributes section, click Add Mapping to map First and Last Name for your users. Otherwise, skip this step.

Add the following app attributes:
First Name (Basic Information) -> urn:oid:2.5.4.42
Last Name (Basic Information) -> urn:oid:2.5.4.4

When you're finished, it should look like this:




5. Click Finish.

6. You should see the following screen with the ScreenPal app you just installed.




7. Return to the ScreenPal Authentication settings and click Save Changes at the bottom of the page.
8. Use the Test Login link to verify your current IdP configuration.



  1. Click the link to open it in a new tab and perform an end-to-end SAML authentication round-trip against the currently saved IdP configuration, using your team's ScreenPal source ID. This is the custom Entity ID if you set one. If you did not, the default ID is used.
  2. Click the clipboard icon next to the Test Login link to copy the URL. You can send this URL to any team member who is having trouble logging in so they can test the SAML authentication and forward the results to a Team Admin or support person.
Note: The Test Login link is not displayed when SAML is disabled, you have unsaved changes on the Authentication page, your IdP certificate has expired, or the Entity ID is still in the temporary test verification state when there is newly uploaded metadata that has not yet been confirmed.

For more information about how the Test Login link works and how to read the output data that is displayed after your test login, please see our SAML Test Login output data article.

That's it!  Now, when your users land on the team access page they will be prompted to login via Google SSO.


Frequently Asked Questions

Q: Are first and last names required to set up SAML authentication with ScreenPal? Can we just use the Name ID?
A: First and Last Name are required, as SAML requires setting up a user within the ScreenPal system.

Q: How do I get the First and Last Name (or the Given Name and Surname) to autopopulate?
A: If a user's name is not automatically populating as expected, you need to ensure that SAML claims sent by Microsoft Entra are using the correct attributes for the account identifier. More information about these attributes and the order in which ScreenPal processes them can be found in our article titled Configure SAML to resolve unexpected name display.

Q: How often are user credentials revalidated?
A: With SAML enabled, users will be required to log in again after one month of usage.
