Set up single sign-on with SAML and Google Workspace
You can use single sign-on in Timetastic using Google Workspace (previously known as G Suite) as your identity provider.
Note: auto-provisioning is not supported by Timetastic.
Step 1. Google setup
Start by logging into your Google Admin Console. Select the option to 'Setup my own custom app'.
Google shows the details you'll need to enter into Timetastic: SSO URL, Entity ID, and will allow you to download the Certificate (as a file with a .pem extension).
Copy the URL's and download the certificate (.pem file) which you'll need shortly.
In the Application Name enter 'Timetastic' and upload our logos to make it easy for your users to identify Timetastic within Google.
(You can download our icons at the very bottom of this article.)
Next, you'll need to grab some security details from your Timetastic account:
- In Timetastic, head to SETTINGS > SECURITY then 'Set up SAML single sign-on'.
- Click 'How to configure your Identity Provider' link to bring up your settings.
- Copy the Assertion Consumer Service URL and paste it into the 'ACS URL' field in Google.
- Copy the Entity ID or Audience URI and paste it into the 'EntityID' field in Google.
- Leave 'Signed Response' unticked.
- Make sure 'Primary Email' is selected for 'Name ID', assuming this will match the email address of the user in Timetastic.
- Click 'Finish' to complete the set up.
Granting user access
You'll need to give your users access to the Timetastic app you've just created.
Click the drop down arrow to grant access to your users as needed.
Step 2. Timetastic setup
Now it's time to head over to Timetastic. Go to SETTINGS > SECURITY. Click the 'Set up SAML single sign-on' link.
Grab those SSO details from Google and in the 'SAML SSO URL' field, paste the 'SSO URL' valuefrom Google.
For 'Issuer entity ID', paste the 'Entity ID' value from Google.
For 'Public certificate', open the '.pem file' that you downloaded earlier and copy all the text. (make sure you include "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").
You can turn 'Force authentication' on, if you want users to have to re-enter their identity providers details. (This will only work if the identity providers also support this option)
To customise the Sign-in button, enter something useful, such as 'Google' against 'Customisation'.
We'd recommend you test SSO is working correctly before making it Mandatory.
Once you're happy with your settings, click 'Save Changes', then you're good to go!