Google Workspace: How to configure teacher logins using SAML

Your SchoolCloud system supports Google Workspace using SAML as an authentication method for teachers. Authentication is performed using SAML (Security Assertion Markup Language) which allows an Identity Provider (Google in this case) to send parts of their user attributes to a Service Provider (in this case SchoolCloud).

NOTE: We don't currently support teachers clicking on the app tile within Google Workspace, because we only support the SP-initiated SSO flow. Teachers must access the normal SchoolCloud system login page, where they can then click a link to perform the single sign-on with Google Workspace. We recommend your teachers bookmark that link for faster access.

Prerequisites

You need to host the metadata XML file output by the SAML App setup in a web-accessible directory. The location it is hosted in doesn't matter as long as we can access it. If you do not have such a directory available to you, we would suggest you try a web search for a provider using "direct link file hosting" or a similar query.

Please note that Google Drive doesn't work for hosting metadata.

How do I set up Google Workspace for SAML authentication?

Google defines applications that use this authentication method as Apps. We don't have a published application on Google Workspace, so you need to define the authentication method manually when setting it up. Before proceeding, it is important to note that it takes up to 24 hours for SAML settings to take effect for all users in Google Workspace, so we recommend performing the setup on a Friday afternoon, or some other time when you expect the school to be quiet.

  1. Sign into your Google Admin console by going to https://admin.google.com
  2. Navigate into the Apps > SAML Apps section. If you don't see the Apps icon, you might need to follow this guide https://support.google.com/a/answer/3052550

  3. Click the "+" icon at the bottom right of the screen to add a new SAML App.
  4. Next, click the Setup my own custom app button at the bottom of the Enable SSO for SAML Application window.

  5. Click the IdP Metadata Download button (option 2) and save it somewhere on your computer.

    In addition, copy the Entity ID from the "Option 1" section. You'll need these later.

    Click Continue once you have the file.
  6. On the next step, you'll need to provide some identification information for the application. This information will be shown to other users.

    If you would like to use our logo you can right click on the following image to save a copy:
    Note that the application name field does not allow you to place the (grammatically correct) apostrophe on the end of "Parents".

    Once this is complete, click the Next button.
  7. Set up the SchoolCloud ACS URL and the other details regarding logging into our service using the settings below:

    ACS URL: https://auth.parentseveningsystem.co.uk/Providers/Saml/Acs
    Entity ID: https://auth.parentseveningsystem.co.uk
    Start URL: https://auth.parentseveningsystem.co.uk/ReplaceThisWithYourSubdomain/teacher
    Signed Response: Disabled
    Name ID: Basic Information - Primary Email
    Name ID Format: Transient

    For the Start URL, be sure to replace ReplaceThisWithYourSubdomain with the portion of the web address you use to access SchoolCloud, i.e. the part after https:// and before .schoolcloud.co.uk or .parentseveningsystem.co.uk.

  8. Provide the attribute mapping rules to Google by adding the following attribute to the map (please note that the URL given is an XML namespace identifier and will appear not to "work" if you enter it into a web browser):

    Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Category: Basic Information
    User Field: Primary Email

  9. Click Finish. The following message confirms the setup:

  10. Click Ok to dismiss the message and you will see the SAML App page.

    Click the menu icon to the right of the application title then select an option to turn the application on for some users.

    Remember that the change takes 24 hours to propagate before taking effect for the users selected, and you will see a warning to this effect.


  11. While this propagation occurs, add the metadata file you downloaded in step 5 to a web-accessible directory, i.e. a directory that is open to access via the internet from the IP addresses of our servers. If you do not have such a directory available to you, we would suggest you try a web search for a provider using "direct link file hosting" or a similar query. Please note that Google Drive doesn't work for hosting metadata.

    Take a note of the URL that will be used to access the directory as you will need it later.

    Our server IPs are:

    • 3.11.136.51
    • 3.11.149.57
    • 3.11.229.108
  12. Go to your SchoolCloud home page then to Settings > Teacher Authentication > SAML and paste the URL, created in step 11, into the Metadata URL box.

    Paste the Entity ID you copied in step 5 into the Entity ID box.
    Click Save.
  13. Allow the full 24 hours for the settings to propagate.
  14. To test the newly created Google Workspace logins, go to the teacher login page. You should be presented with a login and continue button.

    Click login and continue and you should be forwarded to Google Workspace's login page.

    If you're already logged into their services, you will be logged in directly to your SchoolCloud account.
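Before pasting the metadata URL into SchoolCloud in step 12, it is worth checking that the hosted file is really the raw IdP metadata and that it carries the Entity ID you copied in step 5, since a hosting service that serves a preview page instead of the file is a common cause of failed setups. The following Python script is an added example, not SchoolCloud's or Google's own code: it parses a metadata file, reports anything that would make it unusable, and separately shows how the email attribute from the step 8 map is read out of an assertion and compared against a teacher list (the "User does not have a valid id or email address" case in the troubleshooting table). The metadata sample, the attribute statement, the idpid value EXAMPLEIDPID, the certificate text and the teacher email address are all constructed placeholders; a real download from the Google Admin console contains Google-issued values.

```python
"""Sanity-check Google Workspace IdP metadata and the email attribute mapping.

Added example, not SchoolCloud's or Google's code. Every sample value below
is constructed: the idpid EXAMPLEIDPID, the certificate text and the teacher
email are placeholders, not values from any real tenant.
"""
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# The exact attribute name entered in step 8 of the guide.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample with the shape of Google's "IdP metadata" download.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEIDPID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(url, timeout=10):
    """Download the hosted file the way a service provider would.

    Rejects HTML responses, which is what a file host's preview or sign-in
    page (rather than a direct link to the raw XML) looks like.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        body = resp.read().decode("utf-8")
    if "html" in ctype.lower():
        raise ValueError(f"host returned {ctype}, not raw XML")
    return body


def check_metadata(xml_text, expected_entity_id):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    problems = []
    entity_id = root.get("entityID", "")
    if entity_id != expected_entity_id:
        problems.append(f"entityID {entity_id!r} does not match the value copied in step 5")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    # Without a signing certificate the SP cannot verify any response.
    if idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("no signing certificate in KeyDescriptor")
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    if REDIRECT_BINDING not in bindings:
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    return problems


# Constructed sample of the AttributeStatement produced by the step 8 mapping.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>j.smith@example-school.sch.uk</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def asserted_email(attribute_statement_xml):
    """Return the email carried under the exact claim name from step 8, or None."""
    root = ET.fromstring(attribute_statement_xml)
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def match_teacher(email, teacher_emails):
    """Case-insensitive match against the addresses held under Data > Teachers."""
    return email is not None and email.lower() in {t.lower() for t in teacher_emails}


if __name__ == "__main__":
    expected = "https://accounts.google.com/o/saml2?idpid=EXAMPLEIDPID"
    print(check_metadata(SAMPLE_METADATA, expected) or "metadata OK")
    email = asserted_email(SAMPLE_ATTRIBUTE_STATEMENT)
    print(email, match_teacher(email, ["J.Smith@example-school.sch.uk"]))
```

To check a file you have actually hosted, call check_metadata(fetch_metadata(url), entity_id) with the URL from step 11 and the Entity ID from step 5; an empty list means the file is well-formed IdP metadata with a matching entityID, a signing certificate and a redirect SSO endpoint. A mis-typed attribute name in step 8 shows up as asserted_email returning None, which is the same symptom the troubleshooting table describes.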

Troubleshooting

Here are a few common issues which may occur while logging in using Google Workspace on Parents Evening:

Message: app_not_configured_for_user appears while trying to log in
Possible Solution: This generally appears when the application has not been enabled for the user in Google Workspace. If you enabled the application for all users, generally waiting the full 24 hours will resolve this issue. Please check the app is enabled for the user in Google Workspace, try waiting a number of hours, and try again.

Message: User does not have a valid id or email address
Possible Solution: This appears when the email address provided by Google Workspace doesn't match an email address assigned to a teacher in the Data > Teachers section. This can commonly be fixed by making sure the email addresses in both systems match. If they do and you're still having problems, please ensure that your SAML app is set up per this guide, in particular checking the attribute map from earlier on.

Message: The given key was not present in the dictionary
Possible Solution: This appears when you try to log in using the tile in Google Workspace. The tile is not supported at this time.

If any of these issues persist, please email us using the contact form at the top right with test login credentials and we'll look into this further.