Read supports single sign-on with a number of different SAML identity providers. This page explains the step-by-step process for setting up SAML authentication with Google Workspace. For a list of other supported providers, see How to: Setup SAML Authentication with Read AI.
For instructions on how to set this up from Google's perspective, see this help article from Google.
Prerequisites
In order to set up SAML authentication with Google Workspace, you'll need:
- a Read Workspace with the Enterprise+ subscription
- someone who is an admin in your Read Workspace
- someone who is a super administrator in your Google Workspace
Step-by-step instructions
1. Get your ACS URL and Entity ID
Start by having a Read Workspace admin go to Manage Workspace > Settings and expand the Advanced (Enterprise+ Required) section. Scroll down to the SAML section, where you can find and copy the ACS URL and Entity ID:
You'll need these in the next step.
2. Set up your SAML application
Now you're ready to set up a custom SAML app for Read in your Google Workspace. This article from Google describes the steps in detail from their perspective.
a) Obtain your SSO URL, Entity ID, and Certificate from Google
As you set up your SAML application in Google Workspace, you should see your SSO URL, Entity ID, and Certificate. It should look something like this:
b) Save your SSO URL, Entity ID, and Certificate in Read
Going back to your Read Workspace settings, paste the SSO URL, Entity ID, and Certificate from Google Workspace into the appropriate fields and click save:
c) Finish setting up your SAML application in Google Workspace
To finish setting up your SAML application in Google Workspace, you'll need to paste in the ACS URL and Entity ID from Read. You can see this and all the remaining steps in Google's documentation.
There are a couple of steps that Google describes as optional but that are required for Read's SAML integration.
One is that the Name ID should be set to the primary email, which should look something like this:
The other is to set the First name and Last name Google Directory attributes. Read expects access to these attributes, so your configuration should look like this:
- "Basic Information > First name" with a mapping to "first_name" (no quotes)
- "Basic Information > Last name" with a mapping to "last_name" (no quotes)
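The two required settings above can be checked against the assertion your identity provider actually sends. The following is an added example, not code from Read or Google: `check_assertion` and the sample XML are constructed for illustration, and it assumes you have the decoded assertion XML from a test login. It checks the Name ID and attribute mapping only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("first_name", "last_name")  # attribute names given on this page

# Constructed sample assertion (not captured from Google or Read); last name is mis-mapped.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text):
    """Return a list of configuration problems; an empty list means none were found."""
    root = ET.fromstring(xml_text)
    problems = []
    # The Name ID should carry the user's primary email.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    local, at, domain = name_id.partition("@")
    if not (local and at and "." in domain):
        problems.append(f"NameID {name_id!r} is not an email address")
    # Map each attribute name to its non-empty values.
    present = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        present[attr.get("Name")] = [v for v in values if v]
    for name in REQUIRED:
        if name not in present:
            # Point out near misses such as "lastName" or "Last_Name".
            near = [n for n in present if n and n.replace("_", "").lower() == name.replace("_", "")]
            hint = f" (found {near[0]!r} instead)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
        elif not present[name]:
            problems.append(f"attribute {name!r} has no value")
    return problems

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION) or ["no problems found"]:
        print(problem)
```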
3. Test that it's working
Once you have finished setting up your SAML app and turned it on for the desired set of users in your Google Workspace, you should test the sign-in process.
- Google Workspace has a “Test SAML Login” button that will allow you to log in to read.ai and confirm everything is working.
- You can also go directly to your SSO URL to see that it automatically redirects you to the Google sign-in page first, and then to Read after successfully authenticating.
Note that changes to your SAML application can take up to 24 hours to finalize but typically happen more quickly. Once you've confirmed it's working, everyone that is authorized should be able to use the SSO URL to log in to Read.
As always, please contact Read Support if you need any assistance.
4. [Optional] Disable other login methods by enforcing SAML
As an optional final step, if you would like to restrict your users to only logging in via SAML, please see Enforcing SAML for users in your domain. If this is enabled, users who try to log in from Read's sign-in page will be automatically redirected to your SAML login flow.