Google SAML SSO

Learn how to create a Google SAML application for Doppler SSO.

Requirements

1. Initial Doppler SAML SSO Configuration

Go to the Doppler dashboard and from the menu click Team, then select the Roles tab from the top menu. Choose the Default Roles for users who log in via SSO.

📘

The Workplace Role controls the initial permissions a user will receive when their account is created. We recommend keeping it at Collaborator access to follow the principle of least privilege. The Project Role is the role granted to a user when they're added to a project, so set this to the role most commonly used. Users with the Owner role can adjust these after the user has logged in once. If you scroll down further on the Roles page, you'll see a breakdown of what permissions each Role has.

Screenshot of Team section in Doppler UI

After setting the Default Roles, we need to enable SAML SSO in Doppler to get access to the URLs needed to configure the third party SAML SSO application.

Select the SSO tab from the top menu and scroll down to the SAML Single Sign-On section. Click the Add SAML button.

Screenshot of Doppler UI showing Add SAML button

Next, choose a verified domain from the dropdown menu and click Save.

Screenshot of modal in Doppler UI to create SAML SSO connection

📘

SAML SSO configuration requires an associated domain because users log in using their email address, and the domain of that address is mapped back to your SAML SSO login. Verification is required when you add the domain to your account to confirm your ownership of the domain.

The domain you selected should now show up in the Inactive state. Click on the three-dot menu and choose the Edit option.

Screenshot of Doppler UI showing edit option in dropdown menu

In the edit drawer that appears, copy the ACS URL and Entity ID values; you will need them when configuring the third party SAML SSO application.

Screenshot of modal in Doppler UI showing configuration of SAML connection

2. Create Google SAML Application

Open the Google admin console, then select Apps > Web and mobile apps.

Google Workspace Admin Console showing the setup process for configuring SAML Single Sign-On (SSO) with Doppler.

From the Add App menu, select Add custom SAML app.

Google Admin Console interface with 'Add App' options for configuring a custom SAML application for Doppler integration.

Name the application and set the icon for the application using the below image, then click Save.

Google Admin Console showing 'App Details' screen with fields for application name and description while setting up SAML with Doppler.

Click the Download Metadata button and click Continue.

Google Admin Console showing 'Download Metadata' screen while setting up SAML with Doppler.

You'll use the GoogleIDPMetadata.xml file when configuring Doppler in a later step.

Use the ACS URL and Entity ID values you copied from the Doppler SAML configuration page in Step 1 above to continue configuring the Google SAML application:

Google Admin Console displaying the 'Service Provider Details' form for adding ACS URL, Entity ID, and other SAML configuration details for Doppler.

On the same page in the Name ID section, select Email for the Name ID format and set the Name ID field to Basic Information > Primary email.

Then click Continue.

Google Admin Console displaying the 'Service Provider Details' form for adding ACS URL, Entity ID, and other SAML configuration details for Doppler.

On the Attribute mapping form, add first_name and last_name attributes, then click Finish to complete the app creation process.

Google Admin Console displaying 'Attribute Mapping' configuration for defining user attributes to be passed to Doppler via SAML SSO.

3. Update Doppler SAML SSO Configuration

Navigate to the Doppler Team page and click on the SSO tab.

Scroll down to the SAML Single Sign-On section, click on the three-dot menu, and choose the Edit option. Paste in the IdP XML metadata (the contents of the GoogleIDPMetadata.xml file downloaded in Step 2), check the Enabled field, then click the Save button.

Screenshot of Doppler UI for SAML configuration modal

Testing

As a Google Apps administrator, it's presumed you'll know how to sufficiently test a new SAML application, but here is a general guide.

📘

Test sign-in flow using incognito window

Remain signed in to the Doppler dashboard until you've verified the SAML sign-in flow from an incognito window. This will enable you to update or disable SAML SSO in the event of misconfiguration.

Grant a test user access to the Doppler application using the User access section.

Google Admin Console showing the process of assigning users or groups to the Doppler SAML application for SSO access.

📘

Limiting User Access to Groups

Although the front and center option to enable an application is a binary ON or OFF for everyone, Google does allow you to limit user access by groups. This is discussed here.

Once a test user has been granted access, open an incognito window and sign in as the test user.

Click on the Apps icon and scroll until you see the Doppler app, then click to initiate the sign-in process.

Google Workspace login screen demonstrating successful SSO login to Doppler using Google SAML configuration.

You should then be redirected to the Doppler dashboard.

Once you've verified the sign-in process is working correctly, you can apply your standard organization policies for application access via groups, org units, or availability for all users.

Troubleshooting

Here are some general troubleshooting tips:

  • Double-check that the ACS URL and Entity ID values in the Google SAML application match the values shown in Doppler's SAML configuration.
  • Ensure that the first_name and last_name custom attributes have been added.
  • Check that the SAML XML metadata in Doppler matches the metadata downloaded from the Google application.

If you're still running into issues, the error page should present you with a requestId value that can be used by our support team for further diagnosis.
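The Name ID and attribute mapping settings from Step 2 and the checks in the troubleshooting list above can be verified mechanically against a decoded SAML Response. The script below is an added example, not code from Doppler or Google; it uses a constructed sample response with placeholder ACS URL and Entity ID values (substitute the ones copied from the Doppler edit drawer). It checks configuration consistency only and does not validate the XML signature, which the service provider does on its own.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("first_name", "last_name")  # attributes mapped in the Google app

# Constructed sample response (not a real Google payload). The Destination and
# Audience values are placeholders for the Doppler ACS URL and Entity ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://ACS-URL-PLACEHOLDER/acs">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://ENTITY-ID-PLACEHOLDER</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, acs_url, entity_id):
    """Return a list of findings; an empty list means every configuration check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Destination must be the ACS URL copied from Doppler.
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element in response"]
    # Name ID must be the user's email (Name ID format: Email, field: Primary email).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not emailAddress")
    # Audience must be the Entity ID copied from Doppler.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} does not include Entity ID {entity_id!r}")
    # Both custom attributes from the Attribute mapping step must be present.
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    findings.extend(f"missing attribute {attr}" for attr in REQUIRED_ATTRS if attr not in present)
    return findings
```

Run it against a base64-decoded SAMLResponse captured from the browser's developer tools in the incognito test session to confirm the assertion Google sends matches what Doppler expects.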

👍

Awesome work!

Your Google SAML application is now ready to go!