GSuite and SAML 2.0

Setting up Zeplin with Google GSuite's SAML Single Sign-On

Written by Rian
Updated over a week ago

Google GSuite is a collection of tools and products that includes a SAML-based authentication component. Zeplin SAML SSO is confirmed to work with GSuite (SAML).

☝️ This feature is only available to teams on the Enterprise Plan.

Before you begin

GSuite does not process metadata files, which is how we normally supply the Zeplin configuration values that GSuite needs. Contact us at success@zeplin.io to have us manually generate and supply your specific SSO URL and SP EntityID.

Configuration

In GSuite:

  • Select Apps > SAML apps from the main menu

  • Click the ( + ) at the bottom of the page to add a new application, and select SETUP MY OWN CUSTOM APP 

  • In the popup screen are the values you need for Zeplin. Don't click NEXT just yet.

In Zeplin:

  • From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab

  • In the SAML 2.0 section, click on the “Enable” button

  • In the Zeplin popup:
      - Copy the string from the GSuite field SSO URL into the Zeplin field IdP SAML 2.0 Endpoint
      - Copy the string from the GSuite field Entity ID into the Zeplin field IDP Issuer
      - Copy the contents of the file in the GSuite field Certificate into the Zeplin field IdP Public Certificate

  • Click on the “Enable” button

Back in GSuite:

  • Click the “NEXT” button

  • Give this Application a name, and click the “NEXT” button

  • In the GSuite popup:
      - Enter the SSO URL we gave you into the GSuite field ACS URL
      - Enter the SP EntityID we gave you into the GSuite field Entity ID

  • Click the “NEXT” button, then click “ADD NEW MAPPING” to add a new attribute:
      - Name:  email
      - Category:  Basic Information
      - User field:  Primary Email

  • Click the “FINISH” button

Confirm everything works!

Go to the Zeplin login page, and click the link that says Login with SSO (or go directly to https://app.zeplin.io/login/sso). Enter the email address of an existing Zeplin user. You should be redirected to your GSuite IdP to authenticate, then back to that user's Project page.

Your company's identity management policies may require you to first assign this application to your users. Usually, this is via an existing Idaptive user group that will need to be assigned to the Application. Select Core Services > Roles, and view a group's Assigned Applications. Select the appropriate group, and assign the Zeplin application and specific users if required.

Extra information for GSuite users

  • When it is confirmed users can log in with SAML, you can restrict login to be via SAML only for all users by selecting this option from the AUTHENTICATION tab in Zeplin. For safety, the Owner will still be able to log in using their username/password after this option is set.

  • GSuite does not send the session duration value in its SAML assertion. Zeplin will expire and attempt session re-authentication at the duration chosen in the Zeplin setting Session Timeout, on the AUTHENTICATION tab in Zeplin’s Organization settings. The default value is to never log out the user.

  • GSuite can sign either the Assertion or the Response. Zeplin will enforce a valid signature against the GSuite-generated IdP Public Certificate.

  • GSuite does not support encrypting the Assertion. Zeplin will accept unencrypted assertions.
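The points above (the email attribute mapping, a signature on either the Assertion or the Response, no session duration in the assertion, no encryption) all show up in the SAML Response that GSuite posts to the ACS URL. The script below is an added example, not Zeplin's or Google's code: it takes a decoded SAML Response (for instance one captured from the browser while testing the login) and the IdP Public Certificate you pasted into Zeplin, and reports whether the response is shaped the way this article says Zeplin expects. It is a structural pre-flight check only; it compares the certificate embedded in the signature against the one you configured by fingerprint and does not perform the XML-DSig cryptographic verification, which is the service provider's job. The sample response, its issuer value, and the "certificate" bytes inside it are constructed placeholders, and the function names are this example's own.

```python
"""Structural pre-flight inspection of a SAML 2.0 Response from GSuite (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol/assertion elements and XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: NOT a real certificate, just bytes that base64-decode.
FAKE_IDP_CERT = base64.b64encode(b"constructed-idp-certificate-bytes").decode()

# Constructed sample response: GSuite signs the Assertion (not the Response),
# sends the email attribute, omits SessionNotOnOrAfter and does not encrypt.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://ACS-URL-PLACEHOLDER" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>IDP-ENTITY-ID-PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>IDP-ENTITY-ID-PLACEHOLDER</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_IDP_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 fingerprint of a certificate given as PEM or bare base64.

    PEM header/footer lines and all whitespace are ignored, so the value pasted
    into Zeplin and the value embedded in the XML compare equal.
    """
    body = "".join(line.strip() for line in cert_text.splitlines() if "-----" not in line)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def inspect_response(xml_text: str, idp_cert: str) -> dict:
    """Report the structural properties of a decoded SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    authn = assertion.find("saml:AuthnStatement", NS) if assertion is not None else None

    attrs = {}
    if assertion is not None:
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    # Every X509Certificate in any Signature (Response-level or Assertion-level).
    embedded = [c.text or "" for c in root.iter("{%s}X509Certificate" % NS["ds"])]
    expected = cert_fingerprint(idp_cert)

    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "signing_cert_matches_idp": bool(embedded)
        and all(cert_fingerprint(c) == expected for c in embedded),
        # GSuite omits this; Zeplin's own Session Timeout then governs the session.
        "session_not_on_or_after": authn.get("SessionNotOnOrAfter") if authn is not None else None,
        "email": attrs.get("email", [None])[0],
    }


def problems(report: dict) -> list:
    """Mismatches against what this article says Zeplin expects from GSuite."""
    found = []
    if not (report["response_signed"] or report["assertion_signed"]):
        found.append("neither the Response nor the Assertion is signed")
    if not report["signing_cert_matches_idp"]:
        found.append("signing certificate does not match the configured IdP Public Certificate")
    if report["email"] is None:
        found.append("no 'email' attribute: check the ADD NEW MAPPING step in GSuite")
    return found


if __name__ == "__main__":
    result = inspect_response(SAMPLE_RESPONSE, FAKE_IDP_CERT)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("problems:", problems(result) or "none")
```

To use it against a real login, decode the base64 SAMLResponse form field your browser posted to the ACS URL and pass that XML together with the certificate you pasted into the IdP Public Certificate field. A certificate mismatch here usually means the GSuite certificate was rotated or the wrong file was copied, and a missing `email` attribute points back to the attribute-mapping step.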
