Integrate with Google (SAML)

Users with the Manage District Settings user permission can set up a SAML integration with Google. This integration creates user accounts as users log in for the first time.

This is a three-step process:

In Google, add a new SAML application.
In IT Asset Manager, configure SAML.
In IT Asset Manager, set default roles for users who log in via Google SAML.

Important: Because of the technical knowledge required, your district's IT administrator will most likely need to perform this procedure.

Step 1: In Google, add a new SAML application

A few things to take note of while setting up the SAML application:

Fields are case sensitive.
You will need the Entity ID (which matches the ACS URL), Google Issuer URL, and certificate information to enter into IT Asset Manager.
Note: Enter https://XXXXX.mlworkorders.com/MLSAMLConnect.aspx in the Entity ID and ACS URL fields. Replace “XXXXX” with your custom IT Asset Manager subdomain.
From the Name ID format field, select PERSISTENT.
From the Name ID, select Basic Information > Primary email.
In Attribute mapping, Google Directory attributes section, you need to match the text exactly as follows:
- Basic Information
  - Primary email -> Email
- Employee Details
  - Employee ID -> ExternalId
- Basic Information
  - First name -> FirstName
- Basic information
  - Last name -> LastName
In Attribute mapping, under Group membership, it is required to put Group in the App attribute field and enter names of the Google groups that can log in via SAML.

Note: Google’s interface and field names may have changed since this was written. Use these steps as a general guide, and select the closest matching options in your Google portal.

Step 2: In IT Asset Manager, configure SAML

Note: A user with the Google super administrator role is required to perform this task.

Select Settings > Single Sign On > SAML Configuration. The SAML Integration Admin page appears.

Next to Google, click . A pop-up appears.

Note: You may see two rows for Google, one with a checkbox in the For Mobile column and one without a checkbox in that column.

To set up the web app, select in the row without the For Mobile checkbox selected.
To set up the mobile app, select in the row with the For Mobile checkbox selected.

Do the following:
1. Under Entity ID, enter the Google Entity ID.
  Note: Enter https://XXXXX.mlworkorders.com/MLSAMLConnect.aspx. Replace “XXXXX” with your custom IT Asset Manager subdomain. This needs to match the ACS URL in the Google Admin Console.
2. Under Issuer, enter your Google issuer URL.
  Note: You can copy the issuer URL from Google Admin Console. In Service Provider Details, click Manage Certificates, copy the Entity ID field and paste it here.
3. To let users sign in with the Google option on the IT Asset Manager login page, enter the Login Link.
  Note: To obtain this, click the Google apps icon (). Right-click the SAML app for IT Asset Manager, click Copy Link Address, and then paste the link.
4. Under Certificate, enter the certificate.
  Notes:
  You download this from Google, then enter it here.
  On the certificate, remove ---Begin Certificate and ---End Certificate.
Click Save.

Step 3: In IT Asset Manager, set default roles for users who log in via Google SAML

Note: You can create as many SAML groups as you want. When a user first logs in, they are assigned a role based on the group they belong to. You can also manage additional roles in IT Asset Manager, but cannot remove these default roles.

Select Admin > Single Sign On > SAML Group Settings. The Manage SAML Groups page appears.
Click +Add SAML Group. A pop-up appears.
Do any of the following:
1. Enter a Group Name.
  Note: This will be the group name established in Google.
2. Select the desired Roles.
3. Select the desired Buildings.
  Note: To select All Buildings, select the checkbox.
4. Select the desired Request Types the group can access.
Click Save.
Repeat steps 2-4 for each group you want to add.