Configuring SAML SSO with GSuite

To configure SAML Single Sign On (SSO) authentication for your users using GSuite as your identity provider (IDP), you will need:

Accessing SSO Config in LinearB and Google

  1. Access to the Google Admin Console for your domain
  2. Admin access to LinearB

To configure SSO in LinearB, navigate to the Company Settings page using the gear icon, and then to the Single Sign-On tab (link).

In another tab, navigate to the Google Admin console and go to Apps > Web and Mobile Apps using the left-hand hamburger menu:

A screenshot showing how to navigate to the Web and Mobile Apps configuration screen in Google's admin panel.

From there, select Add app > Add custom SAML app.

Configuring SAML in LinearB and Google

Type "LinearB" as the app name, add a description for your users if desired, and attach an icon if needed. Click to go to the next screen, and you will be presented with your Google metadata. Then complete the following:

  1. Copy the Google SSO URL and paste it in to LinearB Provider Sign-on field
  2. Copy the Google Entity ID and paste it in to the LinearB Provider Issuer field
  3. Enter your domain in the Organization Email Domain field (use the domain as it appears after the @ sign in your corporate email addresses)
  4. Copy the Google Certificate field and paste it in the LinearB Certificate field
  5. In Google, click the Continue button to navigate to Service provider details
  6. Copy the LinearB Callback URL and paste it in the Google ACS URL field
  7. Paste in to Google as the Entity ID value
  8. In Google, leave Start URL blank and leave Signed response unchecked
  9. In Google, select EMAIL as the Name ID format, and make sure the Name ID value is mapped to your user's email addresses (by default, Basic Information > Primary email)
  10. In Google, click Continue to continue to Attribute mapping. Leave this blank and click the Finish button.
  11. Click the Save button in LinearB. It will prompt you to log in via Google—close that window for now rather than logging in. (If you attempt to log in at this point, the login will fail with a 403 error.)

Enabling User Access in Google

Google defaults to leaving a new SAML app disabled for all users, so you will need to enable it. From the Web and Mobile Apps screen in Google, you will be able to click on LinearB to open its settings. On that settings page, you should see a User Access panel:

A screenshot of the user access panel for the LinearB SAML app in GSuite. It shows that the app is ON for everyone at the domain.

Click on the User Access panel to open up access settings. From there, you can either set the app to ON for everyone and save, or enable it for individual organizational units or groups.

Once you've made your access changes, click Save. On the display page for the SAML app, confirm that the app is on for all or some users. Then, click the TEST SAML LOGIN button:

A screenshot of the SAML app display page in Google's admin panel, highlighting where to check that the app is enabled for users, and how to find the Test SAML Login button.

You may receive a popup from Google saying that the app is not yet provisioned for your user. If this is incorrect, wait five minutes and click the TEST SAML LOGIN button again. (You may need to do this a few times—enabling access to the app in Google can take several minutes to propagate.)

Once you are able to click the button without the popup warning, you should be logged in to LinearB, and will see a popup confirming that login access has been validated.

If you see a 403 error when trying to log in, the most common cause is that the app in Google is not provisioned correctly to your user. In that situation, please confirm with your internal IT team that this is not the case before reaching out to the LinearB support team—they have insight into your provisioning that our team does not, and can troubleshoot the most likely cause.

Enforcing SSO login

If you want to require your teammates to log in using SAML SSO, then return to the Single Sign-On tab in Company Settings. Click the Edit button at the bottom of the page. Check the Team members will only be able to access LinearB using your SSO provider checkbox, and click Save.

How did we do?

Powered by HelpDocs (opens in a new tab)