Targetprocess supports most SAML 2.0-compatible providers, including OneLogin, Okta, Bitium, ADFS 2.0 and Google G Suite.
Integrating with the Google Apps domain involves the following steps:
- Adding Targetprocess as a SAML application in the Google Apps admin console
- Additional SSO configuration in Targetprocess
- Enabling SSO application in Google
- Testing SSO in Targetprocess
A general guide provided by Google can be found here: SAML-based Federated SSO.
Detailed steps are provided below.
1. Adding Targetprocess as a SAML application in the Google Apps admin console
Log in to your Google Admin account, go to Apps > SAML apps, and then click the "Add a service/App to your domain" link or the plus (+) icon in the bottom corner.
- Select "Setup my own custom app".
- Copy the "SSO URL" field, paste it into the corresponding "Sign-On URL" field in Targetprocess's Single Sign-On settings, then click "Next".
- On the same screen, click "Download" for "Certificate", then copy and paste the downloaded file's contents into the corresponding "Certificate" field in Targetprocess's Single Sign-On settings.
- On the next screen, set the application name (e.g. “Targetprocess3”), upload a logo (link will be added later) and click “Next” to proceed to the SAML settings.
Now you need the “ACS URL” for Google. In Targetprocess, it's called “Assertion Consumer URL” and can be found at Settings > Authentication and Security > Single Sign-On.
Copy the URL (e.g. https://your_account.tpondemand.com/api/sso/saml2) and paste it into the “ACS URL” field in Google settings.
Use your root Targetprocess URL (e.g. https://company.tpondemand.com/) for the “Entity ID” field. Make sure the URL ends with "/" to avoid possible errors.
- For the "Name ID" fields, select "Basic Information" and "Primary Email."
- For the "Name ID Format" field, select "EMAIL" and click "Next."
- Don't add any mappings for the next step; just click "Finish".
2. Additional SSO configuration in Targetprocess
Now that the main settings are configured, you can enable JIT Provisioning, disable the native Targetprocess login form, or add users to the SSO exceptions list if needed. More information about these settings can be found in the “Single Sign-On in Targetprocess” guide.
Targetprocess settings overview:
3. Enabling SSO application in Google
Select your SAML app, click the three dots icon at the top of the gray box, and choose:
- On for everyone (default) to turn on the service for all users (click again to confirm).
- Off to turn off the service for all users (click again to confirm).
- On for some organizations to change the setting for only some users.
4. Testing SSO in Targetprocess
- Log out of Targetprocess (click on your avatar picture and choose “Logout”).
- Open your Targetprocess URL in your browser - https://YOUR_ACCOUNT.tpondemand.com/
Now, two scenarios are possible:
- If you have disabled the Targetprocess login form, the browser will redirect you to the Google sign-in page and then to the Targetprocess UI.
- If you have mixed mode enabled, you’ll have to click “Log in using Single sign-on” on the Targetprocess login page.
The most common problem with SSO:
Error 404 Not found - this means an incorrect URL was entered either in Targetprocess's SSO settings or in the Google application settings. Please double-check your settings in the Google SAML App and in Targetprocess to make sure all URLs are correct.
Other problems are less common. For those, we recommend checking the details on the error page or looking into the Targetprocess System log.
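A pre-flight check for the values copied between Google and Targetprocess in step 1, as an added example that is not part of the Targetprocess or Google documentation. The function name, the `ACS_PATH` constant (taken from the example URL above) and the sample values are assumptions; the certificate is a constructed stand-in, not a real one.

```python
import ssl
from urllib.parse import urlsplit

# Assumption: ACS path taken from the example URL on this page.
ACS_PATH = "/api/sso/saml2"
# Constructed stand-in: PEM wrapping of a tiny DER SEQUENCE, not a real certificate.
CONSTRUCTED_CERT = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x01")


def check_sso_settings(sso_url, acs_url, entity_id, cert_pem):
    """Return a list of problems in the values entered on both sides."""
    problems = []
    sso = urlsplit(sso_url.strip())
    acs = urlsplit(acs_url.strip())
    ent = urlsplit(entity_id.strip())

    # All three URLs take part in the sign-in flow and must be absolute HTTPS.
    for name, u in (("Sign-On URL", sso), ("ACS URL", acs), ("Entity ID", ent)):
        if u.scheme != "https" or not u.hostname:
            problems.append(f"{name}: not an absolute https:// URL")

    # A mistyped ACS path is one way to end up with the 404 described above.
    if acs.path != ACS_PATH:
        problems.append(f"ACS URL: path is {acs.path!r}, expected {ACS_PATH!r}")

    # Entity ID is the account root URL and must end with "/".
    if ent.path != "/" or ent.query or ent.fragment:
        problems.append("Entity ID: must be the root URL with a trailing '/'")
    if acs.hostname and ent.hostname and acs.hostname.lower() != ent.hostname.lower():
        problems.append("Entity ID and ACS URL point at different hosts")

    # Structural check only (no expiry or signature validation): catches
    # pasting metadata XML or a truncated file into the Certificate field.
    try:
        der = ssl.PEM_cert_to_DER_cert(cert_pem.strip())
        if der[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
            problems.append("Certificate: decoded data is not DER")
    except ValueError:
        problems.append("Certificate: missing or malformed PEM markers")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the Entity ID lacks its trailing slash.
    for p in check_sso_settings(
        "https://idp.example.com/saml2/idp",
        "https://company.tpondemand.com/api/sso/saml2",
        "https://company.tpondemand.com",
        CONSTRUCTED_CERT,
    ):
        print(p)
```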