Google Workspace SAML Authentication (SSO)

Owned by Robert Lenk
Last updated: Jun 18, 2024
4 min read

About Google Workspace (formerly G Suite) SAML Authentication

Google Workspace users may be granted access to Campus Cafe using their Google Workspace credentials by configuring a Google Security Assertion Markup Language (SAML) connection.

The authentication works by checking if the logged in Google Workspace user has an account in Campus Cafe where the Campus Cafe username is the user's primary Google Workspace email. The Google Workspace user must also belong to a Google Workspace organizational unit that allows access to the Campus Cafe SAML app.

Configure Google Workspace SAML

  1. Log in to Google Admin

  2. Click the Apps tile

    GoogleApps.png

  3. Click the Web and mobile apps tile

    GoogleWebandMobileApps.png

  4. Click Add App > Add custom SAML app

  5. For the App name enter the name of the App as you want it shown to G Workspace users in the App drawer. For these instructions, we have named it Campus Cafe.

  6. Click Continue; Do not leave the screen

  7. Click Download Metadata

  8. Retain the file and send the file to Campus Cafe Support

  9. Click Continue

  10. Enter Service provider details as follows:
    ACS URL: https://***-web.scansoftware.com/Shibboleth.sso/SAML2/POST where *** is your school code
    Entity ID: https://***-web.scansoftware.com/shibboleth where *** is your school code
    Start URL: https://***-web.scansoftware.com/cafeweb/loginsso where *** is your school code
    Signed response: Check this box

  11. Enter the Name ID details as follows:
    Name ID format: EMAIL
    Name ID: Basic Information>Primary email

  12. Click Continue

  13. Click Finish

Turn on User Access

Google Workspace allows users to be segregated into organizational units, which control access to various Google functions and apps. Campus Cafe must be turned on for the organization(s) permitted to access Campus Cafe.

  1. Log in to Google Admin

  2. Click the Apps tile

  3. Click the Web and mobile apps tile

  4. Click the app you just created 

  5. In the upper right of the User access tile click the down arrow

  6. On the left click the organizational unit to provide access

  7. Click ON

  8. Click Override. Changes may take 24 hours to propagate to all users.

Configure Campus Cafe Users

The Google Workspace user must have a corresponding account in Campus Cafe. There are two ways to configure usernames in Campus Cafe.

  1. The Campus Cafe username must be the Google Workspace user's primary email  including the domain. (For example, taylor.swift@myschool.edu). Leave the domain box empty. 
    OR

  2. The Campus Cafe username must be the Google Workspace user's primary email address excluding the domain. (For example, taylor.swift@myschool.edu would be simply taylor.swift). In the Domain box enter the domain without the @ symbol. (For example, myschool.edu)

 Campus Cafe recommends the Campus Cafe Password field be left empty.

In Campus Cafe on the user screen the Account Disabled checkbox will not be respected. Instead, disable the user's access in Google Workspace.

In Campus Cafe on the user screen the Require Password Change checkbox will not be respected. Instead, require a password change on the user's Google Workspace record.

The functional access granted in Campus Cafe depends on the Campus Cafe permission group to which the user belongs.  

Configure Error Message for User Note in Campus Cafe

If a user belongs to a Google organization that has access to Campus Cafe, the user will see a link to Campus Cafe in his or her Google App Launcher (the nine dots in the upper right). If the Google user does not have an account in Campus Cafe, an error will be displayed. 

To customize the error message:

  1. Navigate to Admin > Adjustable Text

  2. Locate LOGINSSO_ERROR

  3. Click the pencil next to LOGINSSO_ERROR 

  4. In the Value box (the large box) enter the error message to display to a user (e.g. You do not have access to Campus Cafe. Contact IT Support at 555-5555 for assistance.)

  5. Click Save

  6. Refresh the cache by navigating to Admin > Refresh Data Cache

Configure Campus Cafe Logout Button Behavior

By default, clicking the logout button in Campus Café does not end the SSO session. With the SSO session still active, a user will be able to access Campus Café without logging in.

Configure Campus Café logout button to end SSO session

  1. Navigate to Admin > Web App

  2. Locate parameter LOGOUT_SSO_URL

  3. In the Value box enter https://***-web.scansoftware.com/Shibboleth.sso/Logout?return=https://www.google.com/accounts/Logout replacing *** with your school code

  4. Click Save

Time Out Behavior

By default, Campus Café signs out a user after 30 minutes of inactivity. (This may be extended by contacting Campus Café support.) However, the user’s SSO session will remain active for as long as configured through the SSO. If the SSO session is still active, the user can access Campus Café without logging in. Essentially, the SSO time out setting takes precedence over the Campus Café time out.

Accessing Campus Cafe

Once SSO and users are configured, users can access Campus Cafe by through the Google App Launcher (nine dots) by clicking Campus Cafe.