Skip to main content

Set up SSO with Google Workspace

Jesse
  • Updated

Connecting your Lattice account with Google Workspace (formerly G Suite) via SSO

Admins and Integration admins can connect Google Workspace account as a SAML identity provider to authenticate Lattice users trying to sign in. Using their Google account, users will no longer need to remember an additional password to sign into Lattice, and admins can quickly remove their access to Lattice from a centralized control panel if required.

Note: The Google Workspace integration is only for SSO. Users must be created and invited into Lattice before they can log in using Google Workspace.

What is the difference between Google SSO and "Sign in with Google"?

  • "Sign in with Google" uses Google's OAuth API. Upside: No configuration. It "just works." The downside is that there currently is no way to force only this option.
  • "Google SSO" uses Google's SAML 2.0 API. The upside: One can force this option and disable email/password. The downside is that it requires setup.

Integrate with Google Workspace

  1. In your Google Admin console (at admin.google.com), click Apps.
  2. Click Add App and select Add custom SAML app.
  3. Give the app a name.
  4. From here, be sure to download your XML metadata and put it somewhere, such as a text editor, to be pasted into Lattice.
  5. Configure the SAML endpoints. Please replace [subdomain] with your Lattice subdomain.
    • ACS URL: https://router.latticehq.com/sso/[subdomain]/acs
    • Entity ID: https://router.latticehq.com/sso/[subdomain]/metadata
    • Start URL: https://[subdomain].latticehq.com/login
    • Name ID: "Basic Information" and "Primary Email"
    • Name ID Format: "EMAIL"
  6. You can skip the Attribute Mapping step and click Finish.
  7. In Lattice, navigate to Admin > Settings > Platform > Single Sign-On.
  8. Paste in your downloaded XML in the field called XML metadata.
    • Note: Open the metadata file from a text or note editor. Opening from another application may impact formatting. 
  9. (Optional) Limit your users so that they can only sign in with SSO. Learn more about forcing employees to use Single Sign-On.
  10. Click Save.
  11. By default, the app you created is turned off and is not visible to the users signed in to your Google domain account. To activate the app:
    • Navigate to Google Admin > App > SAML Apps.
    • For the Lattice app, click on the three dots on the right side, and select ON for everyone.

If you sign out of Lattice, you should see a new Single Sign-On button. Clicking on it will first take you to Google, where you will be authenticated. Google will redirect you back to Lattice, where you will be automatically signed in.

Related articles