- Domain Verified (Settings page)
- Google Suite Admin access
Go to the Doppler dashboard and from the menu click Team, then select the Settings tab from the top menu. Choose the Default Roles for users who log in via SSO.
The Role controls the initial permissions a user receives when their account is created through SSO. We recommend keeping it at Collaborator to follow the principle of least privilege; a user who needs more can be promoted by an Owner after they have logged in once. If you scroll down further on the Settings page, you'll see a breakdown of what permissions each Role has.
After setting the Default Roles, we need to enable SAML SSO in Doppler to get access to the URLs needed to configure the Google SAML SSO application.
Select the SSO tab from the top menu and scroll down to the SAML Single Sign-On section. Click the + button in the corner, choose a verified domain from the Domain dropdown menu, and then click Save.
Copy the ACS URL and Entity ID URLs to use when configuring the Google SAML SSO application.
Open the Google admin console, then select Apps > Web and mobile apps.
From the Add App menu, select Add custom SAML app.
Name the application and set its icon using the image below, then click Save.
Click the Download Metadata button and click Continue.
You'll use the GoogleIDPMetadata.xml file when configuring Doppler in a later step.
Use the ACS URL and Entity ID values you copied from the Doppler SAML configuration page in Step 1 above to continue configuring the Google SAML application:
On the same page, in the Name ID section, select Basic Information > Primary email, then click Continue.
On the Attribute mapping form, add two app attributes named first_name and last_name, mapped to the user's first and last name from the Google directory, then click Finish to complete the app creation process.
In a separate tab, navigate to the Doppler Team page and click on the SSO tab.
Scroll to the SAML Single Sign-On form and paste in the contents of the GoogleIDPMetadata.xml file you downloaded. Check the Enable field, then click the Save button.
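Before pasting the metadata into Doppler it is worth confirming that the file actually carries what Doppler needs to validate Google's assertions: the IdP entityID (which must match the Issuer in every response), at least one signing certificate, and HTTPS single sign-on endpoints. The following is an added example, not Doppler's or Google's code; the XML embedded in it is a constructed stand-in for GoogleIDPMetadata.xml that follows the SAML 2.0 metadata schema, and its certificate body is placeholder base64 rather than a real certificate. Point `check_idp_metadata()` at the bytes of your downloaded file to run it for real.

```python
"""Sanity-check a Google IdP metadata file before pasting it into Doppler.

Added example, not Doppler or Google tooling. SAMPLE_METADATA is constructed
for the demo; the X509Certificate body is placeholder base64, not a real cert.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for GoogleIDPMetadata.xml (idpid value is made up).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C01example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIBexampleCERTBODY0123456789abc</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C01example"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C01example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return the values Doppler relies on plus a list of problems found."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("EntityDescriptor has no entityID (Issuer check would fail)")

    idp = root.find("md:IDPSSODescriptor", NS)
    result = {"entity_id": entity_id, "sso_urls": {}, "certificates": 0,
              "name_id_formats": [], "problems": problems}
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
        return result

    # Signing certificates: a KeyDescriptor with use="signing" or no use attribute.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except binascii.Error:
                problems.append("X509Certificate is not valid base64")
                continue
            if der[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
                problems.append("X509Certificate does not decode to DER")
            result["certificates"] += 1
    if result["certificates"] == 0:
        problems.append("no signing certificate: Doppler cannot verify assertion signatures")

    # Single sign-on endpoints Doppler will redirect the browser to.
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding", ""), svc.get("Location", "")
        result["sso_urls"][binding] = location
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not HTTPS: {location}")
    if REDIRECT not in result["sso_urls"] and POST not in result["sso_urls"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    # NameID formats are advisory; only flag it if email is explicitly excluded.
    result["name_id_formats"] = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if result["name_id_formats"] and EMAIL_NAMEID not in result["name_id_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    return result


if __name__ == "__main__":
    # For a real file: check_idp_metadata(open("GoogleIDPMetadata.xml", "rb").read())
    for key, value in check_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The check deliberately stops short of parsing the certificate's validity period; that needs an X.509 library. Do note the certificate's expiry that the Google admin console shows for the app, because the metadata pasted into Doppler is a snapshot, and when Google rotates the signing certificate the metadata in Doppler must be replaced or sign-ins will fail signature verification.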
As a Google Apps administrator, you presumably know how to test a new SAML application, but here is a general guide.
Test sign-in flow using incognito window
Remain signed in to the Doppler dashboard until you've verified the SAML sign-in flow from an incognito window. This will enable you to update or disable SAML SSO in the event of misconfiguration.
Grant a test user access to the Doppler application using the User access section.
Limiting User Access by Groups
Although the front-and-center option to enable an application is a binary ON or OFF for everyone, Google does allow you to limit access to the application by group. This is discussed here.
Once a test user has been granted access, open an incognito window and sign in as the test user.
Click on the Apps icon and scroll until you see the Doppler app, then click to initiate the sign-in process.
You should then be redirected to the Doppler dashboard.
Once you've verified the sign-in process is working correctly, you can apply your standard organization policies for application access via groups, org units, or availability for all users.
Here are some general troubleshooting tips:
- Double-check that the ACS URL and Entity ID values match.
- Ensure that the first_name and last_name custom attributes have been added.
- Check that the SAML XML metadata pasted into Doppler matches the metadata downloaded from the Google application.
If you're still running into issues, the error page should present you with a requestId value that our support team can use for further diagnosis.
Your Google SAML application is now ready to go!