How-To: Use Google as SAML-based SSO for EnrolHQ Login

This is a guide on how to configure Google SAML-based SSO for use with EnrolHQ Staff Login.


At EnrolHQ, we enabled SAML-based SSO in early 2023. Most K-12 schools in Australia/New Zealand use either Microsoft Azure SSO or Studentnet Cloudwork SSO. However, with more international schools coming onboard, we recognised the need to offer a path to setting up Google SAML-based SSO with EnrolHQ. The main difference is that Google does not provide a URL for the metadata. Instead, it provides a downloadable metadata XML file, which needs to be uploaded to EnrolHQ. We've now upgraded EnrolHQ to allow upload of the Google-provided XML metadata for SAML SSO.

Google Metadata

Google provides detailed instructions for the set-up inside the Google Admin Console here: https://support.google.com/a/answer/6087519?hl=en&fl=1&sjid=5115574173691821780-NC. This guide provides the abridged version with screenshots.

a) Go to admin.google.com

b) Go to Apps > Mobile Apps in the main menu

Google Admin Main Menu

c) Click 'Add App' and then choose the 'Add custom SAML app' option

Add Custom SAML app

d) Now you need to provide an 'App Name' which is 'EnrolHQ' and the 'Description' which is 'EnrolHQ Single Sign On for Staff Dashboard'

App Name and App Description

e) Click "Download Metadata" to get the XML file containing the IdP Metadata which you will upload to EnrolHQ


d) Now open EnrolHQ in another dashboard and log in as a staff member using your username and password with SMS 2FA. The first user account that is created in EnrolHQ needs to use username/password/SMS 2FA so you can log in to add the SAML configuration.

Go to User Management > SAML Settings

EnrolHQ SAML Menu Item

Then enable SAML, enter 'Google SSO' or 'Google Single Sign-On' as the IdP name, and upload the Google Metadata XML file that was downloaded in Step E.

Upload XML

Don't forget to Save at the bottom.

e) Go back to Google and proceed to Step 3, which is the 'Service Provider' details. Copy and paste the ACS URL from EnrolHQ User Management SAML Settings to the ACS URL field inside Google. Copy and paste the Metadata URL from EnrolHQ to the Entity ID field in Google.


f) Now finally go to Step 4 Attribute Mappings in Google - Add Custom SAML App. You will need to choose "Primary Email" from Google directory attributes and map that to "mail" on the App Attributes. Then hit "Finish".

Google Attribute Mapping

As with Microsoft Azure AD and Cloudwork SSO services, you will need to make sure your users have accounts in the Google Admin. Check in Directory > Users. If these users are in Google and they have a matching user in EnrolHQ with the same email address, then Single Sign On will work. Your users should click the link on the EnrolHQ login screen that says "Google SSO" or "Google Single Sign On", depending on the IdP name you entered in Step D.

Google SSO for EnrolHQ

Published: 15 May 2024
