Google Single Sign-On
In order to complete these steps, you must:
- Be an Ambition Admin
- Be a Google (G Suite) Admin
- If utilizing a custom domain, reach out to email@example.com to have your domain whitelisted
Benefits of Single Sign-On:
- Users authenticate into Ambition using your company's Google credentials
- Users already signed into your company's G Suite will automatically be signed into Ambition
- Ambition access will automatically be revoked once employees are removed from G Suite
Google Identity Provider Setup
Configuring the Identity Provider (IdP)
1. In G Suite Admin, go to Apps > SAML apps
2. Click the button in the lower right-hand corner to Enable SSO for SAML Application
3. Click SETUP MY OWN CUSTOM APP
4. Download the IdP metadata from Option 2 under Set up single sign-on (SSO)
5. Upload the metadata file to a publicly accessible host
6. Click Next, set the Application Name and optionally provide other information, then click Next
7. Complete the form using the variables provided below, then click Next
8. Complete attribute mapping as shown in the image below
9. Enable app for users who need access to Ambition
Name ID: Basic Information > Primary Email
Name ID Format: Email
Replace SUBDOMAIN in the URLs above with your Ambition-assigned subdomain
Enable Google Single Sign-On
1. Open the left navigation and click Administration > People > Single Sign-On.
Don't see the Single Sign-On tab? Email firstname.lastname@example.org to have this feature turned on for you.
2. Click the Enable Single Sign-On button.
If you are redirected into the SAML Integration settings upon enabling, click Administration > People > Single Sign-On to navigate back to the Single Sign-On Setup form seen in Step 3.
3. Complete the form.
Integration Name: Defaults to SAML Authentication. Naming convention is up to your Organization
IdP Metadata URL: The publicly accessible URL where your IdP's metadata is hosted
If utilizing a custom domain, reach out to email@example.com to have your domain whitelisted.
There may be up to a two-week wait for IP addresses to be whitelisted.
First Name SAML Attribute:
Last Name SAML Attribute:
Default User Time Zone: The corresponding default time zone your Organization utilizes
Automatically Create Ambition Accounts on Sync (Utilizing Just-in-Time User Provisioning):
When enabled, Ambition will use a SAML assertion to create User accounts the first time the User attempts to log in to Ambition.
When disabled, you must manually create accounts for the desired users; otherwise they will be denied Ambition access upon initial login.
4. Click the Save button.
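SAML IdP metadata carries the signing certificate a service provider uses to verify assertions, so the copy hosted in step 5 of the IdP setup (and entered as the IdP Metadata URL) should match the file downloaded in step 4. The following Python is an added example, not Ambition's or Google's code, that compares the two copies field by field; the function names and the sample metadata are constructed for illustration, with placeholder bytes standing in for a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing a fetched copy

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def summarize_idp_metadata(xml_text):
    """Extract the trust-relevant fields from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML IdP metadata")
    prints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means both uses
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha256(der).hexdigest())
    formats = [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)]
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": sorted(s.get("Location", "") for s in
                           idp.findall("md:SingleSignOnService", NS)),
        "signing_cert_sha256": sorted(prints),
        "email_name_id": EMAIL_FORMAT in formats,
    }

def changed_fields(downloaded_xml, hosted_xml):
    """Names of fields that differ between the two copies ([] means match)."""
    a = summarize_idp_metadata(downloaded_xml)
    b = summarize_idp_metadata(hosted_xml)
    return [k for k in a if a[k] != b[k]]

# Constructed sample: placeholder bytes stand in for the certificate DER.
def sample_metadata(cert_bytes=b"constructed placeholder, not a real cert"):
    cert = base64.b64encode(cert_bytes).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
 entityID="https://idp.example.test/constructed"><md:IDPSSODescriptor
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>{cert}</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
<md:SingleSignOnService Location="https://idp.example.test/sso"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Pass the downloaded file's text and the text retrieved from the hosted URL to `changed_fields`; an empty list means the entity ID, sign-on URLs, signing certificate fingerprints and email Name ID format all match.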