Skip to main content

Google Workspace and Nebula single sign-on configuration

Updated: 

The following instructions assist the Identity Provider administrator with the setup of single sign-on (SSO) for Nebula with Google Workspace. Nebula only supports SAML 2.0 authentication protocol. 

Get started

  • The email address used for the Nebula account must match the email address used for Google Workspace.
  • Log in to Nebula and go to Configure Single Sign-on.
  • Log in to your Google Workspace Administrator portal and go to the Admin > Applications page.

Add the application in Google Workspace

  1. In your Google Admin console, go to Menu, then Apps > Web and mobile apps.
  2. Click Add App > Add custom SAML app
  3. Enter the app name and optionally upload an app icon.
  4. Click Continue.

Setup Google Workspace SAML Settings

Google Workspace supports only one callback URL at a time, meaning that either Service Provider (SP) initiated or Identity Provider (IdP) initiated can be used, but not both simultaneously.

With SP initiated login, users enter their email address on the Nebula login page and are then automatically redirected for authentication. In contrast, IdP initiated login allows users to click on their Nebula tile within Google Workspace to access and log into Nebula directly.

  1. In the Nebula Single Sign-On page, copy the Assertion Consumer Service URL.
  2. Paste the copied URL into the ACS URL field in Google.
    • Note: To use SP initiated SSO, remove /acs from the URL. 
  3. In Nebula, copy the Service Provider Entity ID URL.
  4. Paste the copied URL into the Entity ID field in Google.
  5. For extra security, enable or disable the Signed response checkbox:
    • Enabled: The entire SAML authentication response must be signed.
    • Disabled: Only the assertion within the response is signed.
  6. Set the Name ID format and value for your custom SAML app.
    • Name ID Format: Email
    • Name ID: Basic Information > Primary Email.
  7. Click Continue.
  8. Map the user attributes based on the service provider's requirements.
    • Google Directory attributes: Primary Email
    • App Attributes: user.mail
  9. Click Finish.

Upload Google Workspace SSO XML file into Nebula

  1. Right-click Identity Provider metadata and select Save link as... to download the metadata.xml file in Google Workspace.
  2. Name the file > click Save.
  3. On the Nebula Single Sign-On page, have a Nebula Super admin drag the .xml file or Choose a Different File to upload the Identity Provider (iDP) Metadata.

Enable SSO

  1. Once the metadata is uploaded, toggle on Enable SSO.
  2. Toggle on Just-In-Time (JIT) Provisioning to automatically create Nebula users if they don't already exist when authenticating through Google Workspace.
  3. To use SP Initiated SSO, toggle on Service Provider Initiated SSO. Remember to remove /acs from the ACS URL in Google.
  4. Now the application can be assigned to your Nebula administrators in Google Workspace. For more information, see Turn on your SAML app

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more