Google Workspace: How to configure teacher logins using SAML
Meet The Teacher supports Google Workspace as an authentication method for teachers. Authentication is performed using SAML (Security Assertion Markup Language) which allows an Identity Provider (Google in this case) to send parts of their user attributes to a Service Provider (in this case, Meet The Teacher).
NOTE: As we don't currently support teachers clicking on the app tile within Google Workspace, teachers must access the normal Meet The Teacher login page, where they can then click a link to perform the single sign-on with Google Workspace. We recommend teachers bookmark that link for faster access.
You need to host the metadata XML file output by the SAML App setup in a web accessible directory. The location it is hosted in doesn't matter as long as we can access it. If you do not have such a directory available to you we would suggest you try a web search for a provider using "direct link file hosting" or a similar query. Please note that Google Drive doesn't work for hosting metadata.
How do I set up Google Workspace for SAML authentication?
Google defines applications using the authentication method as an App. We don't have a "published" application on Google Workspace as yet, so you need to manually define the authentication method when setting it up. Before proceeding, it is important to note that it takes up to 24 hours for SAML settings to take effect for all users in Google Workspace so we recommend performing the setup on a Friday afternoon, or some other time when you expect the school to be quiet.
1. Sign into your Google Admin console by going to https://admin.google.com
2. Navigate into the Apps > SAML Apps section. If you don't see the Apps icon, you might need to follow this guide: https://support.google.com/a/answer/3052550
3. Click the "+" icon at the bottom right of the screen to add a new SAML App.
4. Next, click the Setup my own custom app button at the bottom of the Enable SSO for SAML Application window.
5. Click the IdP Metadata Download button (option 2) and save it somewhere on your computer.
   In addition, copy the Entity ID from the "Option 1" section. You'll need these later.
   Click Continue once you have the file.
6. On the next step, you'll need to provide some identification information for the application. This information will be shown to other users. You can set the application name to whatever you wish.
   If you would like to use our logo you can right click on the following image to save a copy:
   Once this is complete, click the Next button.
7. Set up Meet The Teacher's ACS URL and the other details for logging into our service in the settings on this page, as below:
   ACS URL: https://auth.parentseveningsystem.co.uk/Providers/Saml/Acs
   Entity ID: https://auth.parentseveningsystem.co.uk
   Start URL: https://auth.parentseveningsystem.co.uk/ReplaceThisWithYourSubdomain/teacher
   Signed Response: Disabled
   Name ID: Basic Information - Primary Email
   Name ID Format: Transient
   For the Start URL, be sure to replace ReplaceThisWithYourSubdomain with the portion of the web address you use to access Meet The Teacher after the https:// and before .meettheteacher.com/
8. Provide the attribute mapping rules to Google by adding the following attribute to the map:

   | Attribute Name | Category | User Field |
   |---|---|---|
   | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Basic Information | Primary Email |

9. Click Finish. A confirmation message will show letting you know that the application has been set up in Google Workspace. Click Ok to dismiss the message and you will see the SAML App page.
10. Click the menu icon to the right of the application title, then select an option to turn the application on for some users.
    Remember that the change takes 24 hours to propagate before taking effect for the users selected, and you will see a warning to this effect.
11. While this propagation occurs, add the metadata file you downloaded in step 5 to a web accessible directory. This should be accessible to our server IP addresses. If you do not have such a directory available to you we would suggest you try a web search for a provider using "direct link file hosting" or a similar query. Please note that Google Drive doesn't work for hosting metadata.
    Take note of the URL to access the directory for use later.
    Our server IPs are:
12. Go to your Meet The Teacher home page then to Settings > Teacher Authentication > SAML and paste the URL, created in step 11, into the Metadata URL box.
    Paste the Entity ID you copied in step 5 into the Entity ID box.
13. Allow the full 24 hours for the settings to propagate.
14. To test the newly created Google Workspace logins, go to the teacher login page. You should be presented with a login and continue button.
    Click login and continue and you should be forwarded to Google Workspace's login page.
    If you're already logged into their services, you will be logged in directly to your Meet The Teacher account.
Here are a few common issues which may occur while logging in using Google Workspace on Meet The Teacher:
| Issue | Explanation |
|---|---|
| app_not_configured_for_user appears while trying to log in | This generally appears when the application has not been enabled for the user in Google Workspace. If you enabled the application for all users, generally waiting the full 24 hours will resolve this issue. Please check the app is enabled for the user in Google Workspace, try waiting a number of hours, and try again. |
| User does not have a valid id or email address | This appears when the email address provided by Google Workspace doesn't match an email address assigned to a teacher in the Data > Teachers section. This can commonly be fixed by making sure the email addresses in both systems match. If they do and you're still having problems, please ensure that your SAML app is set up per this guide, in particular checking the attribute map from earlier on. |
| The given key was not present in the dictionary | This appears when you try to log in using the tile in Google Workspace. The tile is not supported at this time. |
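For the "User does not have a valid id or email address" case, a diagnostic you can run on the SAMLResponse from your own test login, as an added example that is not Meet The Teacher's code: it shows whether the assertion carries the emailaddress claim from the attribute map and whether its value appears in your teacher list. The response builder, the sample addresses and the status names are constructed for the example; the script performs no signature verification and is not a substitute for the service's own validation.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def constructed_response(attr_name: str, value: str) -> str:
    """Build a constructed, unsigned SAMLResponse for the demo (not real traffic)."""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{SAML}"><saml:Assertion><saml:AttributeStatement>'
           f'<saml:Attribute Name="{attr_name}"><saml:AttributeValue>{value}'
           f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def diagnose_email_claim(saml_response_b64: str, teacher_emails: set) -> tuple:
    """Classify why a login might fail the email lookup. No signature check is done."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.iter(f"{{{SAML}}}AttributeValue")]
        attrs[attr.get("Name", "")] = values
    if EMAIL_CLAIM not in attrs:
        # Mapping absent or its name mistyped: report the names that were sent.
        return ("claim-missing", sorted(attrs))
    value = attrs[EMAIL_CLAIM][0] if attrs[EMAIL_CLAIM] else ""
    if value in teacher_emails:
        return ("ok", value)
    normalised = {e.strip().lower() for e in teacher_emails}
    if value.strip().lower() in normalised:
        # Assumption: the page does not say how addresses are compared, so a
        # case or whitespace difference is flagged for correction in one system.
        return ("near-match", value)
    return ("no-teacher", value)


if __name__ == "__main__":
    teachers = {"j.smith@school.example"}  # constructed teacher list
    print(diagnose_email_claim(constructed_response(EMAIL_CLAIM, "J.Smith@school.example"), teachers))
    print(diagnose_email_claim(constructed_response("email", "j.smith@school.example"), teachers))
```

A `claim-missing` result points at the attribute map in Google Workspace, while `near-match` and `no-teacher` point at the addresses under Data > Teachers.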
If any of these issues persist, please email us using the contact form at the top right with test login credentials and we'll look into this further.