Set up SAML single sign-on (SSO) with Google


Human Managed uses Okta as our identity provider (IDP) to deliver authenticated user profile data to downstream applications. 

This article covers how to set up SAML-based single sign-on (SSO) on Google to give your users access to Human Managed. When you integrate Google with Human Managed's Okta app, you can: 

  • Enable your users to be authenticated for Human Managed apps with their Google accounts 
  • Manage your member accounts from the Okta enterprise app in Google
  • Reduce administrative effort such as password creation 

Before you begin

You need the following to integrate Google with Okta: 

 

Step 1: Create a service request ticket to set up SAML SSO 

  1. Submit a request 
  2. In the Subject, type or select Enable SAML SSO with Google 

 

Step 2: Create the Okta enterprise app in Google 

At Google, create the client application that you want to use for authenticating and authorizing your users. 

  1. Make sure that you can access the Google Developers Console.

  2. Create a Google project using these instructions.

  3. In the Authorized redirect URIs section of the creation wizard, click ADD URI to add the Okta redirect URI for your app integration.

  4. Paste your redirect URI into the text box.

    The redirect URI is the location where the Identity Provider (IdP) sends the authentication response (the access token and the ID token). The URI sent in the authorize request from the client needs to match the redirect URI set at the IdP. The URI needs to be located in a secure domain that you own. This URI has the same structure for most Identity Providers in Okta and is constructed using your Okta subdomain and the callback endpoint.

    For example, if your Okta subdomain is called company, then the URL would be: https://company.okta.com/oauth2/v1/authorize/callback. If you have configured a custom domain in your Okta Org, use that value to construct your redirect URI, such as https://login.company.com/oauth2/v1/authorize/callback.

    Include all base domains (Okta domain and custom domain) that your users will interact with in the allowed redirect URI list.

  5. Save the generated Client ID and Client Secret values so that you can add them to your Okta configuration.

Note: There may be additional settings on the Google Developers Console site that you can configure for your application. The steps in this guide address the quickest route to setting up Google as an Identity Provider with Okta. See the Google documentation for more information on additional configuration settings.
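
The redirect URI rules in step 4, as an added example (not code from Human Managed, Okta or Google): this Python check builds the redirect URI for each base domain and compares it with the list registered in the Google client. It assumes the comparison is an exact string match; the function names and the sample registered list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Callback endpoint as given in the article's example URIs.
CALLBACK_PATH = "/oauth2/v1/authorize/callback"


def okta_redirect_uri(base_domain):
    """Build the redirect URI for one Okta base domain (org or custom domain)."""
    host = base_domain.strip().lower()
    if not host or any(ch in host for ch in "/:@?# "):
        raise ValueError(f"expected a bare hostname, got {base_domain!r}")
    return f"https://{host}{CALLBACK_PATH}"


def explain_mismatch(uri, expected_hosts):
    """Say why a registered URI is not one of the expected redirect URIs."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return "scheme is not https"
    if parts.netloc.lower() not in expected_hosts:
        return "host is not one of your Okta base domains"
    if parts.path != CALLBACK_PATH:
        return "path differs from the callback endpoint"
    if parts.query or parts.fragment:
        return "carries a query string or fragment"
    return "not an exact string match"


def audit_redirect_uris(base_domains, registered_uris):
    """Report expected-but-missing and registered-but-unexpected URIs."""
    expected = {okta_redirect_uri(d) for d in base_domains}
    hosts = {urlsplit(u).netloc for u in expected}
    registered = set(registered_uris)
    return {
        "missing": sorted(expected - registered),
        "unexpected": {u: explain_mismatch(u, hosts)
                       for u in sorted(registered - expected)},
    }


# Constructed sample: the article's example domains and a hypothetical
# "Authorized redirect URIs" list copied from the Google client.
BASE_DOMAINS = ["company.okta.com", "login.company.com"]
REGISTERED = [
    "https://company.okta.com/oauth2/v1/authorize/callback",
    "http://login.company.com/oauth2/v1/authorize/callback",
    "https://login.company.com/oauth2/v1/authorize/callback/",
]
REPORT = audit_redirect_uris(BASE_DOMAINS, REGISTERED)
```

In the sample, the custom-domain URI is reported as missing because both registered variants of it (plain http, trailing slash) fail the exact match.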

 

Step 3: Test the Google integration 

When Human Managed completes the Google integration, you will receive a notification that the service request has been fulfilled.

Now, you can test the integration to confirm that Google can communicate with Human Managed's Okta. 

  1. Open the HMapps portal (https://identity.hm.works/).
  2. Sign in using your Google account.
  3. If successful, the Human Managed Apps (HMApps) Dashboard appears with all applications you have access to. If applications have not been assigned, no applications appear on the dashboard.
  4. The service request is fulfilled and will auto-close when there are no more questions or communication from you.


What to expect after SSO is enabled

Any members already signed in when SSO is enabled will remain signed in. Going forward, all members will sign up and sign in to Human Managed with their IdP account. If you chose to require SSO, your members will see a sign-in page before they can access any of the subscribed Human Managed applications.

 

 

 
