The following instructions assist the Identity Provider administrator with the setup of single sign-on (SSO) for Nebula with Google Workspace. Nebula supports only the SAML 2.0 authentication protocol.
Get started
- The email address used for the Nebula account must match the email address used for Google Workspace.
- Log in to Nebula and go to Configure > Single Sign-on.
- Log in to your Google Workspace Administrator portal and go to the Admin > Applications page.
Add the application in Google Workspace
- In your Google Admin console, go to Menu, then Apps > Web and mobile apps.
- Click Add App > Add custom SAML app.
- Enter the app name and optionally upload an app icon.
- Click Continue.
Set up Google Workspace SAML settings
- In the Nebula Single Sign-On page, copy the Solicited Whitelist URL.
- Paste the copied URL into the ACS URL field in Google.
- In Nebula, copy the Service Provider Entity ID URL.
- Paste the copied URL into the Entity ID field in Google.
- In Nebula, copy the Assertion Consumer Service URL.
- Paste the copied URL into the Start URL field in Google.
- For extra security, enable or disable the Signed response checkbox:
  - Enabled: The entire SAML authentication response must be signed.
  - Disabled: Only the assertion within the response is signed.
- Set the Name ID format and value for your custom SAML app.
  - Name ID Format: Email
  - Name ID: Basic Information > Primary Email.
- Click Continue.
- Map the user attributes based on the service provider's requirements.
  - Google Directory attributes: Primary Email
  - App Attributes: user.mail
- Click Finish.
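To confirm which form of signing the Signed response setting above produces, the following added example (not part of the original instructions, nor Nebula or Google tooling) inspects a decoded SAML response and reports whether a signature sits on the response itself or only on the assertion. The sample XML is constructed, the function names are hypothetical, and the check is structural only: it does not validate any signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(response_xml):
    """Report where ds:Signature elements sit in a SAML 2.0 Response.
    Structural check only: no signature is verified cryptographically."""
    if "<!DOCTYPE" in response_xml:
        raise ValueError("SAML messages must not carry a DTD")
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        # find() looks at direct children only, so a signature nested inside
        # an assertion is never counted as a signature over the response.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": len(assertions),
        "assertions_signed": sum(
            a.find("ds:Signature", NS) is not None for a in assertions),
    }

def matches_signed_response_setting(info, enabled):
    """Compare the placement with the Signed response checkbox state."""
    if enabled:
        return info["response_signed"]
    return (not info["response_signed"] and info["assertions"] > 0
            and info["assertions_signed"] == info["assertions"])

# Constructed samples: empty ds:Signature placeholders, no real signature data.
_HEAD = ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
         'xmlns:ds="%(ds)s"><saml:Issuer>idp.example</saml:Issuer>' % NS)
_SUBJECT = '<saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>'
ASSERTION_ONLY = (_HEAD + '<saml:Assertion><saml:Issuer>idp.example</saml:Issuer>'
                  '<ds:Signature/>' + _SUBJECT + '</saml:Assertion></samlp:Response>')
WHOLE_RESPONSE = (_HEAD + '<ds:Signature/><saml:Assertion>'
                  '<saml:Issuer>idp.example</saml:Issuer>' + _SUBJECT +
                  '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for name, xml in (("assertion only", ASSERTION_ONLY),
                      ("whole response", WHOLE_RESPONSE)):
        info = signature_placement(xml)
        print(name, info, "enabled-match:",
              matches_signed_response_setting(info, True))
```

A mismatch between the reported placement and the checkbox state is worth resolving before SSO is enabled.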
Upload Google Workspace SSO XML file into Nebula
- Right-click Identity Provider metadata and select Save link as... to download the metadata.xml file in Google Workspace.
- Name the file, then click Save.
- On the Nebula Single Sign-On page, have a Nebula Super admin drag the .xml file or Choose a Different File to upload the Identity Provider (IdP) Metadata.
Enable SSO
- Once the metadata is uploaded, toggle on Enable SSO.
- Toggle on Just-In-Time (JIT) Provisioning to automatically create Nebula users if they don't already exist when authenticating through Google Workspace.
- Toggle on Service Provider Initiated SSO.
- Now the application can be assigned to your Nebula administrators in Google Workspace. For more information, see Turn on your SAML app.