Google GSuite is a collection of tools and products that includes a SAML-based authentication component. Zeplin SAML SSO is confirmed to work with GSuite (SAML).
☝️ This feature is only available to teams on the Enterprise Plan.
Before you begin
GSuite does not process metadata files, which is how we supply the Zeplin configuration values needed by GSuite. Contact us at success@zeplin.io to have us manually generate and supply your specific SSO URL and SP EntityID.
Configuration
Configure GSuite from the GSuite Admin Console (https://admin.google.com)
Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin for your Zeplin Organization
In GSuite:
Select Apps > SAML apps from the main menu
Click the ( + ) at the bottom of the page to add a new application, and select SETUP MY OWN CUSTOM APP
In the popup screen are the values you need for Zeplin. Don't click NEXT just yet.
In Zeplin:
From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab
In the SAML 2.0 section, click on the “Enable” button
In the Zeplin popup:
- Copy the string from the GSuite field SSO URL into the Zeplin field IdP SAML 2.0 Endpoint
- Copy the string from the GSuite field Entity ID into the Zeplin field IDP Issuer
- Copy the contents of the file in the GSuite field Certificate into the Zeplin field IdP Public Certificate
Click on the “Enable” button
Back in GSuite:
Click the “NEXT” button
Give this Application a name, and click the “NEXT” button
In the GSuite popup:
- Enter the SSO URL we gave you into the GSuite field ACS URL
- Enter the SP EntityID we gave you into the GSuite field Entity ID
Click the “NEXT” button, then click “ADD NEW MAPPING” to add a new attribute:
- Name: email
- Category: Basic Information
- User field: Primary Email
Click the “FINISH” button
Confirm everything works!
Go to the Zeplin login page, and click the link that says Login with SSO (or go directly to https://app.zeplin.io/login/sso). Enter the email address of an existing Zeplin user. You should be redirected to your GSuite IdP to authenticate, then back to that user's Project page.
Your company's identity management policies may require you to first assign this application to your users. Usually, this is via an existing Idaptive user group that will need to be assigned to the Application. Select Core Services > Roles, and view a group's Assigned Applications. Select the appropriate group, and assign the Zeplin application and specific users if required.
Extra information for GSuite users
Once you have confirmed that users can log in with SAML, you can restrict login to SAML only for all users by selecting this option from the AUTHENTICATION tab in Zeplin. For safety, the Owner will still be able to log in using their username/password after this option is set.
GSuite does not send the session duration value in its SAML assertion. Zeplin will expire and attempt session re-authentication at the duration chosen in the Zeplin setting Session Timeout, on the AUTHENTICATION tab in Zeplin’s Organization settings. The default value is to never log out the user.
GSuite can sign either the Assertion or the Response. Zeplin will enforce a valid signature against the GSuite-generated IdP Public Certificate.
GSuite does not support encrypting the Assertion. Zeplin will accept unencrypted assertions.