Don't restrict SAML login to username of onelogin account

Dan Barker
suggested this on March 24, 2010 08:56 pm

I love the idea of the SAML feature for Google Apps, but I've now had to turn it off because of the fact that it links one OneLogin user to one account in Apps. We have multiple email addresses that we would like to be able to check from one account (e.g. log@mydomain); the only way to do that from one OneLogin account at the moment, as far as I can tell, is to make a separate OneLogin account with the username 'log' and then make everyone who I want to be able to read the 'log' account an administrator and have them assume the log role every time they want to log in. The other option is to have the 'log' email point somewhere outside of our Google Apps domain. Both solutions seem less than satisfactory. Any plans to change this?

Comments

Thomas Pedersen
OneLogin Support

If I understand you correctly, you want several users in your organization to log into Google Apps as the user log@mydomain.com and check log's email. You can do this by adding an extra app for Google Apps and configuring it as shared, which means that every user that has this app in their role will be able to log in as log@mydomain.com.

March 24, 2010 09:23 pm.
Dan Barker

It doesn't work like that when SAML is enabled. It seems to just have a one-to-one mapping of users onto my domain's accounts. When logged in as myself, the administrator, if I try to edit the login settings for Google Apps it is like this:

http://img.skitch.com/20100325-cfxdf7nmb6drb95tn851qs785e.jpg

March 24, 2010 09:39 pm.
Dan Barker

And when SAML is enabled you can't log in to Google Apps through anything other than OneLogin.

March 24, 2010 09:40 pm.
Dan Barker

(this is what is in Manage Sites: http://img.skitch.com/20100325-tab8ycr4naex4uwdbdx75qgecq.jpg - nowhere to enter login details)

March 24, 2010 09:43 pm.
Thomas Pedersen
OneLogin Support

Ouch. Watch out for an update in the morning. It should definitely be possible.

March 24, 2010 09:46 pm.
Christian Pedersen
OneLogin Support

We have changed this so it's now possible to log in as different users on the same Google Apps or Salesforce account.

When adding a SAML capable application, choose between these login options:

  • Configured by admin. The administrator configures which identities the user becomes in the application. Setting the identity is optional. To set an identity other than the default, go to People, edit the user, edit the app, and enter an alternative username.
  • Shared. Enter the username which all users in the selected role will use when logging into the application.

Note that Google Apps currently requires you to click 'Logout' in Google Apps before attempting to log in as a different user using SAML. If you do not log out from Google Apps, your identity is unchanged.

March 25, 2010 03:25 pm.
Dan Barker

Thanks!

March 25, 2010 08:58 pm.
Dan Barker

For some reason this has stopped working again - with the shared account, even if I have set it to be a shared account, it logs in as my personal one. E.g. in my account I have Google Apps set up for dan@..., and had set up one for our general email, feed@..., which when you posted this fix, I was able to access through OneLogin. Now when I click the link for 'Feed' in OneLogin, it logs in for the 'dan@' account. I have tried adding it again. Help!

Additionally, if you get a chance, would you be able to add an app for 'Google Mail' separate from 'Google Apps', that logs in with SAML too? Small detail but at the moment the workflow to get to Google Mail is to click Google Apps, then click on the Mail link from there. Obviously we want to be able to access our email with one click. You already have an option for Google Docs, too!

April 13, 2010 10:16 am.
Christian Pedersen
OneLogin Support

I have created a ticket for the SAML issue - work is in progress.

Also, a SAML-capable Google Mail connector has been added.

April 13, 2010 11:19 am.