Educational
How-To: Use Google as SAML-based SSO for EnrolHQ Login
This is a guide on how to configure Google SAML-based SSO for use with EnrolHQ Staff Login
At EnrolHQ, we enabled SAML-based SSO in early 2023. Most K-12 schools in Australia/New Zealand either use Microsoft Azure SSO or Studentnet Cloudwork SSO. However with more International schools coming onboard, we recognised the need to offer a path to setting up Google SAML-based SSO with EnrolHQ.
The main difference is that Google does not provide a URL for the metadata. Instead, they provide a downloadable metadata XML file which needs to be uploaded to EnrolHQ. We've now upgraded EnrolHQ to allow upload of the Google provided XML metadata for SAML-SSO.
Google provides detailed instructions here - https://support.google.com/a/answer/6087519?hl=en&fl=1&sjid=5115574173691821780-NC for the set-up inside Google Admin Console, however this guide will provide the abridged version with screenshots.
a) Go to admin.google.com
b) Go to Apps > Mobile Apps in the main menu
c) Click 'Add App' and then choose the 'Add custom SAML app' option
d) Now you need to provide an 'App Name' which is 'EnrolHQ' and the 'Description' which is 'EnrolHQ Single Sign On for Staff Dashboard'
e) Click "Download Metadata" to get the XML file containing the IdP Metadata which you will upload to EnrolHQ
d) Now open EnrolHQ in another dashboard and log-in as a staff member using your username and password with SMS 2FA. The first user account that is created in EnrolHQ needs to use username/password/SMS 2FA so you can login to add the SAML configuration.
Go to User Management > SAML Settings
Then Enable it (SAML) and put 'Google SSO' or 'Google Single Sign-On' as the IdP name and upload the Google Metadata XML file that was downloaded in Step E.
Don't forget to Save at the bottom.
e) Go back to Google and proceed to Step 3 which is the 'Service Provider' details. Copy and Paste the ACS URL from EnrolHQ User Management SAML Settings to the ACS URL inside Google. Copy and Paste the Metadata URL from EnrolHQ to the Entity ID field in Google.
f) Now finally go to Step 4 Attribute Mappings in Google - Add Custom SAML App. You will need to choose "Primary Email' from Google directory attributes and map that to "mail" on the App Attributes. Then hit "Finish"
As with Microsoft Azure AD and Cloudwork SSO services, you will need to make sure your users have accounts in the Google Admin.
Check in Directory > Users.
If these users are in Google and they have a matching user in EnrolHQ with the same email address then Single Sign On will work. Your users should click the link that shows up on the EnrolHQ login screen that says "Google SSO" or "Google Single Sign On" depending on what you put in Step D.