Tags | Authentication | SAML | SSO | Google |
ADMIN PRIVILEGES REQUIRED
This documentation is for Stack Overflow for Teams Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.
Overview
These instructions describe how to integrate your Stack Overflow for Teams Enterprise (SOE) site with Google as your Identity Provider (IdP) for authentication. Once configured, your users will be able to use Google and the Security Assertion Markup Language (SAML) for Single Sign-on (SSO) authentication into your site. You can learn more about SAML in our SAML Authentication Overview document.
When setting up SAML authentication, you'll configure your SOE site and the Google IdP in a back-and-forth process. We recommend having a browser tab open to each site.
THIS ARTICLE APPLIES TO STACK OVERFLOW FOR TEAMS ENTERPRISE ONLY.
Other Stack Overflow for Teams users should read this article instead. Find your plan.
Create a new SAML application
To configure SSO with Google, start by creating a SAML application within your Google Workspace.
Go to your Google Admin panel.
Click Apps, then Web and mobile apps.
Click Add App at the top of the screen.
Click Add custom SAML app.
Configure the SAML Application
Configure the following settings in your new SAML app.
App details Give your app any name (for example: Stack Overflow for Teams). Click CONTINUE.
Make no changes on the "Google Identity Provider details" tab. You’ll retrieve these details in a later step.
Configure the following settings on the "Service provider details" tab:
ACS URL Set this to https://[your_site]/auth/saml2/post.
Entity ID This can be any value you wish (for example: StackOverflow). You'll use this value in a later step, entering it into your SOE authentication settings as Issuer.
Start URL Leave this field blank.
Update attribute mapping
Now you'll configure the user data Google returns with the SAML response. You need to specify at least one SAML attribute for the user display name and one for the user email. Click ADD MAPPING to map Google user data to the returned SAML attributes. The SAML protocol returns the attributes you configure as assertions.
Here is one recommended way to set up your attribute mapping:
NOTE: Full name would be a better choice for the displayName
attribute, but Google doesn't offer this as a default field. To learn more about creating custom attributes (like full name), see the Google custom attributes guide.
You can also add the following optional SAML attributes:
Job Title (for example: app attribute jobTitle)
Department (for example: app attribute department)
NOTE: When the IdP includes job title
and department
in the SAML response, SOE automatically updates these user data fields on login. Including these attributes also allows you to use SOE's Connectivity reporting.
Configure authentication settings in SOE
Next, you’ll copy the configuration values from your new Google SAML application into SOE.
In Google, click DOWNLOAD METADATA to retrieve configuration values. You don’t need to download the file. Instead, you'll copy and paste the information into SOE.
In your SOE authentication settings, enter the following fields:
Single Sign-On service URL This is the SSO URL from the Google metadata box.
Assertion consumer service URL Set this to https://[your_site]/auth/saml2/post.
Single Sign-On service protocol binding Leave this set to POST.
Issuer This is the Entity ID you created in the "Configure the SAML Application" step above.
Audience Restriction Set this to the same value as Issuer.
NOTE: You won't use the Entity ID value from the Google metadata box. Instead, use the Entity ID you created in the "Configure the SAML Application" step (for example: StackOverflow).
Copy and paste the following values from the Google SAML "Attribute Mappings" tab and metadata box into the corresponding SOE fields:
Display Name Assertion Set this to the Google app attribute you specified for display name (for example: displayName).
Email Address Assertion Set this to the Google app attribute you specified for email (for example: userEmail).
Job Title (optional) Set this to the Google app attribute you specified for job title (for example: jobTitle).
Department (optional) Set this to the Google app attribute you specified for department (for example: department).
Identity Provider Certificates Enter the full Certificate value from the Google metadata box (including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines).
Use Subject/NameID as user identifier is checked by default, which allows the IdP to specify the user identifier based on your SAML app configuration. This is the recommended setting.
If you uncheck this option, you can manually specify a User identifier assertion of your choice. Be sure to choose a user identifier that will never change (for example: login or user ID). Email address is not a good choice for user identifier, as email addresses can change.
Only users (or user groups) assigned to your Google SAML app will be able to use SSO to log in to your SOE site. You can specify these users or groups in the "User access" section of your SAML app settings by clicking View details.
You can also make your SAML application available to everyone within your Google workspace by setting Service status to ON for everyone.
Validate your certificate by clicking Validate Certificate. You should see a green box with a success message. If you don't, make sure you copied and pasted the full text of the certificate.
Test and save your SAML configuration
To complete the SSO setup, click Save Settings.
When saving settings, SOE will first perform an authentication test. If the test succeeds, SOE will apply your new authentication settings. Logged-in users stay logged in, as all active user sessions remain valid.
If the test fails, SOE will not apply the authentication settings. You'll stay on the SAML settings page so you can troubleshoot and correct problems.
This test acts as a safety net to keep invalid authentication settings from locking users (yourself included) out of your site. If you do find your users locked out of your site, reach out to Stack Overflow product support for help.
You can also click Test currently saved SAML configuration to display technical details about your SAML authentication. You'll find these helpful for understanding what information your IdP and SOE exchange. This is also useful when troubleshooting.
If you can't resolve the authentication errors, reach out to Stack Overflow support for help.
Maintain SAML certificates
You should rotate (replace) your Google SAML certificate well before its expiration date, or if it becomes compromised. If you don't replace a certificate before it expires, users won't be able to use SSO to sign in to any SAML applications that use that expired certificate.
For more information about maintaining SAML certificates, check out this helpful Google guide.