WorkspacesSingle-Sign OnGoogle Workspace

Configure SSO with Google Workspace

Pipedream supports Single Sign-On (SSO) with Google Workspace. This guide shows you how to configure SSO in Pipedream to authenticate with your Google org.

Requirements

Configuration

To configure SSO in Pipedream, you need to set up a SAML application in Google Workspace. If you’re a Google Workspace admin, you’re all set. Otherwise, coordinate with a Google Workspace admin before you continue.

Find Web and Mobile apps in Google Workspace

In your Google Workspace admin console, select Apps > Web and Mobile apps


Create a new SAML app in Google Workspace

Add a custom SAML app

In the Add app menu, select the option to Add custom SAML app:


Add app > Add custom SAML app

Configure the app

First, add Pipedream as the app name, and an app description that makes sense for your organization:


App name + description

Continue past the configuration step


App name + description

Configure the Service provider details

In the Service provider details, provide the following values:

  • ACS URLhttps://api.pipedream.com/auth/saml/consume
  • Entity ID — Pipedream
  • Start URLhttps://api.pipedream.com/auth/saml/<your workspace name>

replacing <your workspace name> with the workspace name at https://pipedream.com/settings/account. For example, if your workspace name is example-workspace, your start URL will be https://api.pipedream.com/auth/saml/example-workspace.


SAML settings for Google Workspace

In the Name ID section, provide these values:

  • Name ID formatEMAIL
  • Name ID — Basic Information > Primary email

then press Continue.


SAML settings for Google Workspace

Configure the Attribute mapping

Once the app is configured, visit the User access section to add Google Workspace users to your Pipedream SAML app. See step 14 of the Google Workspace SAML docs for more detail.

Download and host the SAML metadata

Pipedream requires access to SAML metadata at a publicly-accessible URL. This communicates public metadata about the identity provider (Google Workspace) that Pipedream can use to configure the SAML setup in Pipedream.

First, click the Download Metadata button on the left of the app configuration page:


Download Metadata

Host this file on a public web server where Pipedream can access it via URL, for example: https://example.com/metadata.xml. You’ll use that URL in the next step.

Visit your workspace’s authentication settings

In Pipedream, visit your workspace’s authentication settings.

Add the SAML metadata URL

In the Single Sign-On section, select SAML, and add the URL from step 7 above in the Metadata URL field, then click Save.


Pipedream SAML Metadata URL

Any user in your workspace can now log into Pipedream at https://pipedream.com/auth/sso by entering your workspaces’s name (found in your Settings). You can also access your SSO sign in URL directly by visiting https://pipedream.com/auth/org/your-workspace-name, where your-workspace-name is the name of your workspace.

Important details

Before you configure the application in Google, make sure all your users have matching email addresses for their Pipedream user profile and their Google Workspace profile. Once SSO is enabled, they will not be able to change their Pipedream email address.

If a user’s Pipedream email does not match the email in their Google profile, they will not be able to log in.

If existing users signed up for Pipedream using an email and password, they will no longer be able to do so. They will only be able to sign in using SSO.