Configure SSO with Google Workspace
Pipedream supports Single Sign-On (SSO) with Google Workspace. This guide shows you how to configure SSO in Pipedream to authenticate with your Google org.
Requirements
- SSO is only supported for workspaces on the Business plan. Visit the Pipedream pricing page to upgrade.
- You need an administrator of your Pipedream workspace and someone who can create SAML apps in Google Workspace to configure SSO.
Configuration
To configure SSO in Pipedream, you need to set up a SAML application in Google Workspace. If you're a Google Workspace admin, you're all set. Otherwise, coordinate with a Google Workspace admin before you continue.
Find Web and Mobile apps in Google Workspace
In your Google Workspace admin console, select Apps > Web and Mobile apps
Add a custom SAML app
In the Add app menu, select the option to Add custom SAML app:
Configure the app
First, add Pipedream as the app name, and an app description that makes sense for your organization:
Continue past the configuration step
Configure the Service provider details
In the Service provider details, provide the following values:
- ACS URL —
https://api.pipedream.com/auth/saml/consume - Entity ID — Pipedream
- Start URL —
https://api.pipedream.com/auth/saml/<your workspace name>
replacing <your workspace name> with the workspace name at https://pipedream.com/settings/account. For example, if your workspace name is example-workspace, your start URL will be https://api.pipedream.com/auth/saml/example-workspace.
In the Name ID section, provide these values:
- Name ID format —
EMAIL - Name ID — Basic Information > Primary email
then press Continue.
Configure the Attribute mapping
Once the app is configured, visit the User access section to add Google Workspace users to your Pipedream SAML app. See step 14 of the Google Workspace SAML docs for more detail.
Download and host the SAML metadata
Pipedream requires access to SAML metadata at a publicly-accessible URL. This communicates public metadata about the identity provider (Google Workspace) that Pipedream can use to configure the SAML setup in Pipedream.
First, click the Download Metadata button on the left of the app configuration page:
Host this file on a public web server where Pipedream can access it via URL, for example: https://example.com/metadata.xml. You'll use that URL in the next step.
Visit your workspace's authentication settings
In Pipedream, visit your workspace's authentication settings.
Add the SAML metadata URL
In the Single Sign-On section, select SAML, and add the URL from step 7 above in the Metadata URL field, then click Save.
Any user in your workspace can now log into Pipedream at https://pipedream.com/auth/sso by entering your workspaces's name (found in your Settings). You can also access your SSO sign in URL directly by visiting https://pipedream.com/auth/org/your-workspace-name, where your-workspace-name is the name of your workspace.
Important details
Before you configure the application in Google, make sure all your users have matching email addresses for their Pipedream user profile and their Google Workspace profile. Once SSO is enabled, they will not be able to change their Pipedream email address.
If a user's Pipedream email does not match the email in their Google profile, they will not be able to log in.
If existing users signed up for Pipedream using an email and password, they will no longer be able to do so. They will only be able to sign in using SSO.