SSO with Google Workspace

Introduction

How to set up SSO as a Zivver administrator?

Zivver supports Single Sign-On (SSO) through Google Workspace, so users can log in to Zivver with their workplace credentials.

SSO operates on the basis of Security Assertion Markup Language (SAML) v2.0; in this scenario, Google Workspace is the Identity Provider (IdP) and Zivver is the Service Provider (SP).

To activate SSO in Zivver, you need all of the following:

  • You are a Zivver administrator.
  • You have access to the Admin panel in Workspace.
  • You have Super Admin rights in Workspace. You need this to set up a new SSO link.

Set up SSO connection in Workspace

  1. Log in to Google Workspace.
  2. In the menu on the left, click Apps > Web and mobile apps.
  3. Click Add app > Add custom SAML app.
    A new window opens.
  4. Enter a name in App name, for example Zivver.
  5. Optional: enter a Description and an App icon.
  6. Click CONTINUE.
  7. Click DOWNLOAD METADATA.
  8. Click CONTINUE.
  9. Set ACS URL to https://app.zivver.com/api/sso/saml/consumer/.
  10. Set Entity ID to https://app.zivver.com/SAML/Zivver.
  11. Optional: set Start URL to https://app.zivver.com/
  12. Leave Signed Response clear.
  13. Set Name ID format to EMAIL
  14. Set Name ID to Basic Information > Primary email
  15. Click CONTINUE.
  16. Click ADD MAPPING.
  17. In Google directory attributes, select Primary email.
  18. In App attributes, enter https://zivver.com/SAML/Attributes/ZivverAccountKey
  19. Click FINISH.
    You are automatically redirected to the page of the Zivver SAML application.
  20. Click User access.
  21. At Service status, select ON for everyone
  22. Click SAVE.
    You have successfully set up SSO in Workspace.

Set up SSO connection in Zivver

Do these steps to configure the newly created SSO connection in Zivver:

  1. Log in to the WebApp.
  2. Click the Organization Settings icon at the bottom left of your browser window.
  3. Go to User administration.
  4. Go to Single Sign-on.
  5. Select Manually
  6. Open the IDP metadata file you downloaded from Google Workspace.
  7. Paste the contents of the IDP metadata file into the Identity Provider’s .XML field in Zivver.
  8. Click Save.
  9. At the top of the page, click the Enable Single sign-on button.
    You have successfully set up the SSO link in Zivver.
Users can now only log in via SSO. If SSO is not set up correctly, users will be unable to log in at all.
Immediately test that users can log in to the WebApp and Outlook.
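
To support that login test, the following added example (not Zivver or Google code) checks a SAML response that you captured and base64-decoded from your own test login against the values entered in the Workspace steps. The sample response is constructed, the function name is hypothetical, and the check does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from the Workspace setup steps on this page.
EXPECTED = {
    "acs_url": "https://app.zivver.com/api/sso/saml/consumer/",
    "entity_id": "https://app.zivver.com/SAML/Zivver",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",  # EMAIL
    "account_key_attr": "https://zivver.com/SAML/Attributes/ZivverAccountKey",
}

# Constructed sample (signature omitted), not a real Google Workspace response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://app.zivver.com/api/sso/saml/consumer/">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.zivver.com/SAML/Zivver</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://zivver.com/SAML/Attributes/ZivverAccountKey">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected=EXPECTED):
    """Return mismatches between a decoded SAML response and the setup values."""
    root = ET.fromstring(xml_text)
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    name_id_fmt = name_id.get("Format") if name_id is not None else None
    name_id_val = (name_id.text or "").strip() if name_id is not None else ""
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
             for a in root.findall(".//saml:Attribute", NS)}
    key = attrs.get(expected["account_key_attr"], "")
    checks = [
        (root.get("Destination") == expected["acs_url"], "Destination != ACS URL"),
        (expected["entity_id"] in audiences, "Audience lacks the Entity ID"),
        (name_id_fmt == expected["name_id_format"], "NameID missing or not e-mail format"),
        (bool(key), "ZivverAccountKey attribute missing or empty"),
        # Both Name ID and the mapped attribute are set to Primary email in the steps.
        (not key or key == name_id_val, "ZivverAccountKey differs from NameID"),
    ]
    return [msg for ok, msg in checks if not ok]
```

An empty list means the response matches the configured ACS URL, Entity ID, Name ID format and attribute mapping.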

Zivver 2FA exemption (optional)

By default, a Zivver account is protected with an additional login method (2FA). 2FA is also required when logging in via SSO. You can disable Zivver’s 2FA when users log in via SSO with Google Workspace.

However, Google Workspace does not indicate in the SAML response whether the user has already provided an extra login method. Google Workspace always provides this authentication context in the SAML response:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

This means that the SAML response does not contain information from which Zivver can decide whether the user is logged in securely with 2FA.

Zivver never asks for a second authentication factor if you exempt this authentication context from 2FA in the SSO settings. This creates a security risk when users log in to Google Workspace without 2FA while a 2FA exemption is configured in Zivver. Therefore, it is important that users are required to log in to Google Workspace with 2FA if you exempt this authentication context in Zivver.

Do these steps to configure 2FA exemption for Google Workspace in Zivver:

  1. Log in to the WebApp.
  2. Click the Organization Settings icon at the bottom left of your browser window.
  3. Go to User administration.
  4. Go to Single Sign-on.
  5. Scroll down to the Zivver 2FA exemptions card.
  6. In the Authentication methods to be exempted field, enter this value:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
  7. Click Save.
    You have now successfully set a 2FA exemption for Google Workspace. When users now log in via SSO, Zivver will not ask for 2FA.
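
The risk described in this section, as an added example that is not Zivver's implementation: it reads the AuthnContextClassRef from an assertion and models the exemption rule to show that a login with and without 2FA at Google produce the same assertion. The assertion fragments, scenario labels and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

def assertion(class_ref):
    """Constructed, unsigned assertion fragment carrying one AuthnContextClassRef."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )

def authn_context(xml_text):
    """Return the asserted AuthnContextClassRef, or None when it is absent."""
    ref = ET.fromstring(xml_text).findtext(".//saml:AuthnContextClassRef", namespaces=NS)
    return ref.strip() if ref else None

def sp_prompts_for_2fa(xml_text, exempted):
    """Hypothetical model of the exemption rule described on this page: the
    service provider skips its own 2FA prompt only for an exempted context."""
    return authn_context(xml_text) not in exempted

# Constructed scenarios: (label, did the IdP enforce 2FA?, assertion sent).
# Google Workspace always sends `unspecified`, so both assertions are identical.
LOGINS = [
    ("password + second factor at Google", True, assertion(UNSPECIFIED)),
    ("password only at Google", False, assertion(UNSPECIFIED)),
]

def logins_without_any_2fa(exempted):
    """Scenarios in which neither the IdP nor the service provider asked for 2FA."""
    return [label for label, idp_2fa, xml in LOGINS
            if not idp_2fa and not sp_prompts_for_2fa(xml, exempted)]
```

With an empty exemption list no scenario ends without a second factor; once `unspecified` is exempted, the password-only login does, which is why 2FA must be enforced in Google Workspace before the exemption is saved.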

Log in to the WebApp with SSO

  1. Go to the WebApp.
  2. Enter your e-mail address.
  3. Depending on your role in Zivver:
    • As a user: you are immediately redirected to the login screen of your organization.
    • As an administrator: you choose between your Zivver password and your workplace login details to log in.
  4. Log in with the workplace login details of your organization. Whether an extra login method is required depends on whether a 2FA exemption is configured. With a 2FA exemption, the last step is skipped.
  5. Enter your extra login factor.
    You are logged in to Zivver WebApp.

Log in to Outlook with SSO

In the Zivver Office Plugin in Outlook, you can do SSO login as follows:

  1. Click the Zivver tab.
  2. Click Manage accounts.
  3. Click the link Add an account.
  4. Select the e-mail address with which you want to log in.
  5. Click Yes, I want to log in now.
    You will be redirected to the login screen of your organization.
  6. Log in with the workplace login details of your organization.
    Whether you are asked for an extra login method depends on whether a 2FA exemption is configured. With a 2FA exemption you skip the last step.
  7. Enter your extra login method.
    You are logged in to Outlook.