Skip to main content
Configure Single Sign-on (SSO) with Google

How to set up Stack Overflow for Teams for SAML SSO authentication with Google.

Joel Bradley avatar
Written by Joel Bradley
Updated over a month ago

Tags | Authentication | SSO | SAML | Google |

ADMIN PRIVILEGES REQUIRED

Applies to: Basic, Business

Enterprise users can access their documentation here. Find your plan.


Overview

These instructions describe how to integrate your Stack Overflow for Teams Basic or Business site with Google as your Identity Provider (IdP) for authentication. Once configured, your users will be able to use Google and the Security Assertion Markup Language (SAML) for Single Sign-on (SSO) authentication into your site. You can learn more about SAML in our SAML 2.0 Authentication Overview document.

NOTE: Stack Overflow for Teams Free does not support SSO.

When setting up SAML authentication, you'll configure your Stack Overflow for Teams site and the Google IdP in a back-and-forth process. We recommend having a browser tab open to each site.

THIS ARTICLE APPLIES TO STACK OVERFLOW FOR TEAMS BASIC AND BUSINESS ONLY.
Stack Overflow for Teams Enterprise users should read this article instead. Find your plan.

Create a Google SAML application

To configure SSO with Google, start by creating a SAML application within your Google Workspace.

  1. Go to your Google Admin panel.

  2. Click Apps, then Web and mobile apps.

  3. Click Add App at the top of the screen.

  4. Click Add custom SAML app.

Configure the SAML Application

Configure the following settings in your new SAML app.

App details

Give your app any name (for example: Stack Overflow for Teams). Click CONTINUE.

Make no changes under the "Google Identity Provider details" tab. You’ll retrieve these details in a later step.

Service provider details

On the "Service provider details" tab, you'll enter the Assertion Consumer Service URL from your Stack Overflow for Teams authentication settings page. To get your site's Assertion Consumer Service URL:

  1. Click Authentication in your Stack Overflow for Teams site's left-hand menu (under the "MANAGE" heading).

  2. Click Single sign-on (SSO). Additional fields will appear.

  3. Copy the Assertion Consumer Service URL to your clipboard.

In the Google IdP, paste the Assertion Consumer Service URL value from your Stack Overflow for Teams site into the ACS URL field.

Configure these additional settings on the Google "Service provider details" tab:

  • Entity ID This can be any value you wish (for example: StackOverflow). You'll use this value at a later step, entering it into your Stack Overflow for Teams site's authentication settings as Issuer.

  • Start URL Leave this value blank.

Update attribute mapping

Now you'll configure the user data Google returns with the SAML response. You need to specify at least one SAML attribute for the user display name and one for the user email. Click ADD MAPPING to map Google user data to the returned SAML attributes. The SAML protocol returns the attributes you configure as assertions.

Here's one recommended way to set up your attribute mapping:

NOTE: Full name would be a better choice for the displayName attribute, but Google doesn't offer this as a default field. To learn more about creating custom attributes (like full name), see the Google custom attributes guide.

You can also add the following optional SAML attributes.

  • Job Title (for example: app attribute jobTitle)

  • Department (for example: app attribute department)

When the IdP includes job title and department in the SAML response, your Stack Overflow for Teams site automatically updates these user data fields on login.

Configure authentication settings in Stack Overflow

Next, you’ll copy the configuration values from your new Google SAML application into your Stack Overflow for Teams site.

Metadata

In Google, click DOWNLOAD METADATA to retrieve configuration values. You don’t need to download the file. Instead, you'll copy and paste the information into your Stack Overflow for Teams site.

In your Stack Overflow for Teams site authentication settings, enter the following fields:

  • Single Sign-On service URL This is the SSO URL from the Google metadata box.

  • Single Sign-On service protocol binding Leave this set to POST.

  • Issuer This is the Entity ID you created in the "Configure the SAML Application" step above.

  • Audience Restriction Set this to the same value as Issuer.

NOTE: You won't use the Entity ID value from the Google metadata box. Instead, use the Entity ID you created in the "Configure the SAML Application" step (for example: StackOverflow).

Attributes and Certificate

Copy and paste the following values from the Google SAML "Attribute Mappings" tab and metadata box into the corresponding fields of your Stack Overflow for Teams site.

  • Display Name Assertion Set this to the Google app attribute you specified for display name (for example: displayName).

  • Email Address Assertion Set this to the Google app attribute you specified for email (for example: userEmail).

  • Job Title (optional) Set this to the Google app attribute you specified for job title (for example: jobTitle).

  • Department (optional) Set this to the Google app attribute you specified for department (for example: department).

  • Identity Provider Certificates Enter the full Certificate value from the Google metadata box (including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines).

Don't use Subject/NameID as User Identifier

Don't use Subject/NameID as User Identifier is unchecked by default. The default unchecked setting allows the IdP to specify the user identifier based on your SAML app configuration. This is the recommended setting.

If you check this option, you can manually specify a user identifier assertion. Be sure to choose a user identifier that will never change (for example: login or user ID). Email address is not a good choice for user identifier, as email addresses can change.

Assign users in Google

Only users (or user groups) assigned to your Google SAML app will be able to use SSO to log in to your Stack Overflow for Teams site. You can specify these users or groups in the "User access" section of your SAML app settings by clicking View details.

You can also make your SAML application available to everyone within your Google workspace by setting Service status to ON for everyone.

Test and save your SAML configuration

Validate your certificate by clicking Validate Certificate. You should see a green box with a success message.

To finish the SSO setup process, click Authenticate and enable SSO.

When saving settings, your Stack Overflow for Teams site will first perform an authentication test. If the test succeeds, your site will apply your new authentication settings. Logged-in users stay logged in, as all active user sessions remain valid.

If the test fails, your Stack Overflow for Teams site will not apply the authentication settings. You'll stay on the SAML settings page so you can troubleshoot and correct problems.

This test acts as a safety net to keep invalid authentication settings from locking users (yourself included) out of your site. If you do find your users locked out of your site, reach out to Stack Overflow support for help.

You can also click Debug SAML auth settings and View SAML request to display technical details about your SAML authentication. You'll find these helpful for understanding what information your IdP and your Stack Overflow for Teams site exchange. This is also useful when troubleshooting.

Maintain SAML certificates

You should rotate (replace) your Google SAML certificate well before its expiration date, or if it becomes compromised. If you don't replace a certificate before it expires, users won't be able to use SSO to sign in to any SAML applications that use that expired certificate.

For more information about maintaining SAML certificates, check out this helpful Google guide.


Need help? Submit an issue or question through our support portal.

Did this answer your question?