SAML Authentication with Google Workspace

Overview

This guide walks you through setting up SAML (Security Assertion Markup Language) authentication between Google Workspace and SigNoz.

What you'll accomplish:

• Configure Google Workspace as an identity provider (IdP) for SigNoz
• Enable your team to access SigNoz using their existing Google Workspace accounts

Prerequisites

Before starting, ensure you have:

• Google Workspace account with Super-Admin access to the Google Admin console
• SigNoz account (Cloud or Self-Hosted with License) with administrative access
• Your SigNoz instance URL (e.g., https://signoz.example.com)

Configuration Steps

Step 1: Create a custom SAML app in Google Workspace

1. Sign in to the Google Admin console as a super admin.
2. Go to Apps > Web and mobile apps.
3. Click Add app > Add custom SAML app.
4. Enter an App name (e.g., SigNoz), then click Continue.

Step 2: Copy Google's IdP details

On the Google Identity Provider details page, Google shows the values SigNoz needs:

• SSO URL (e.g., https://accounts.google.com/o/saml2/idp?idpid=...)
• Entity ID (e.g., https://accounts.google.com/o/saml2?idpid=...)
• Certificate

Click DOWNLOAD CERTIFICATE, copy the SSO URL and Entity ID, then click Continue. You'll add these to SigNoz in Step 6.

Step 3: Enter SigNoz service provider details

On the Service provider details page, enter the following:

Click Continue.

Step 4: Map SAML attributes

On the Attribute mapping page, add these mappings:

Click Finish.

Step 5: Turn on user access

A new app is off by default. To let users sign in:

1. On the app's page, open the User access card.
2. Set the service status to ON for everyone, or turn it on for specific organizational units or groups.
3. Click Save.

Step 6: Configure SigNoz for SAML authentication

Now add the Google IdP details you copied in Step 2 to SigNoz:

1. Navigate to SigNoz Settings:

   • Go to your SigNoz dashboard
   • Click on Settings in the left sidebar
   • Navigate to Organization Settings
   • Click on Authenticated Domains

2. Add New Domain:

   • Click Add Domain
   • Enter the domain your users log in with (e.g., for emails like john@example.com, enter example.com)

3. Enter Configuration Details:

   Domain: example.com
   SAML ACS URL/SAML IDP URL: <google-sso-url>
   SAML X.509 Certificate: <google-certificate-data>
   SAML Entity ID: <google-entity-id>
   Skip AuthN Requests Signed: True
   

   Where to find these values:

   • Domain: The email domain for users who should use SSO (e.g., example.com for users with @example.com emails)
   • SAML ACS URL/SAML IDP URL: Google's SSO URL from Step 2
   • SAML X.509 Certificate: The certificate you downloaded from Google in Step 2
   • SAML Entity ID: Google's Entity ID from Step 2

4. Save Configuration:

   • Click Save to apply the SAML configuration

Step 7: Test the integration

1. Log out of SigNoz if you're currently logged in.
2. Open your SigNoz login page in a private/incognito window.
3. Log in with a Google Workspace user email.
4. Verify that you're redirected to Google for authentication.
5. Complete the Google login.
6. Confirm you're logged into SigNoz.

Troubleshooting

Common issues and solutions:

• "Authentication failed" error: Check that the ACS URL in Google exactly matches https://<your-instance-url>/api/v1/complete/saml, and that the SSO URL, Entity ID, and certificate in SigNoz match Google's IdP details.
• Wrong values entered: Make sure you added Google's details (SSO URL, Entity ID, certificate) to SigNoz, not your SigNoz ACS URL and Entity ID.
• User can't sign in: Make sure the app's User access is ON for that user (see Step 5), and allow a few minutes for it to take effect.
• Locked out?: If you can't log in because of a faulty setup, use password authentication by appending ?password=Y to your login URL: <your-instance-url>/login?password=Y