This article explains how to configure Single Sign-On (SSO) for Asset Management using a generic Identity Provider (IdP) endpoint with the SAML 2.0 protocol. It includes the Frontline-provided configuration values, the required roles and claims, endpoint setup details for both Asset Management and TIPWeb-IT Mobile, and Google SAML setup steps for districts using Google Workspace.
Configuration Checklist
Frontline Configuration
Frontline sets up the following items to begin the SSO configuration process:
| Num | Item | Value |
|---|---|---|
| 1 | Relying Party Identifier (Entity ID) for Desktop | https://HayesURL/TIPIDCore/ |
| 2 | Relying Party Identifier (Entity ID) for Mobile | https://HayesURL/TIPWebITMobile-Logon/ |
| 3 | SAML 2.0 Endpoint for Desktop | https://HayesURL/TIPIDCore/SSO/ADFSLogOn.aspx |
| 4 | SAML 2.0 Endpoint for Mobile | https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer |
| 5 | Your school’s primary email domain | DistrictDomainName |
HayesURL is a placeholder for your district’s Asset Management host and DistrictDomainName for your email domain; Frontline supplies the real values. The URLs are matched exactly by the application, so copy them without changing case or trailing slashes.
Overview to Set Up SAML 2.0 SSO
When a district is asked to configure a Single Sign-On endpoint in its IdP using SAML 2.0 for a Frontline application, Frontline provides the application Identifier (Entity ID), the Reply URL (Assertion Consumer Service URL), the Metadata XML, the roles to create in the IdP, and the required attributes and claims for Asset Management.
After the SSO endpoint is configured, the district must send Frontline the IdP SAML Login URL, the IdP SAML Metadata URL or XML, the IdP’s SAML signing certificate, and that certificate’s thumbprint (the thumbprint lets Frontline confirm it received the right certificate). This process must be completed separately for each Frontline application.
The district must then create a test/support account in the IdP and provide its username (or domain) and password so Frontline can complete testing.
Set Up Roles or Groups
Asset Management requires the following roles or group names to be created in the IdP. These values must be sent as plain text in the role attribute or claim in the SAML response.
| Required Group Name | Description |
|---|---|
| TIPWEBIT_ADMINVIEW_ADMIN | An administrative-level user with full admin permissions |
| TIPWEBIT_ADMINVIEW_USER | An administrative user with similar rights to the admin role, except for some application maintenance features |
| TIPWEBIT_SITEVIEW_ADMIN | A site-level administrator with access only to their site’s data |
| TIPWEBIT_SITEVIEW_USER | A site user who can work only with their site’s data |
| TIPWEBIT_LOOKUPVIEW_USER | A view-only user who can look up tags in TIPWeb IT |
Create an Account for Frontline Asset Management
- Navigation: Admin View > District Settings > API and SSO Information
Create an SSO account for Frontline support users in your IdP. Frontline Support Staff use this account, so its password must not expire. Because it belongs to the TIPWEBIT_ADMINVIEW_ADMIN group, treat it as a privileged account: restrict it to Frontline support use and review its sign-in activity as you would any other admin account.
- Username: tipweb_it
- Password: <password that does not expire>
- Add to group: TIPWEBIT_ADMINVIEW_ADMIN
- Add an email address such as tipweb_it@DistrictDomainName
Set Up Endpoints
Set up a separate endpoint in your IdP so Asset Management can authenticate users.
Application Identifier (Entity ID)
https://HayesURL/TIPIDCore/
Reply URL (Assertion Consumer Service URL)
https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx
Metadata XML
```xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://HayesURL/TIPIDCore/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx" index="1"></md:AssertionConsumerService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```
The entityID and Location values must not contain leading or trailing spaces. Although the metadata advertises WantAssertionsSigned="false", the sample response later in this article carries a signed assertion, and the SAML certificate you send Frontline is the certificate that signs it; configure your IdP to sign assertions.
List of Attributes and Claims
```xml
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Given Name"/>
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="name"/>  <!-- used as the UserName -->
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
<md:RequestedAttribute isRequired="false" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Phone"/>
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Role"/>
```
Only Phone is optional. The FriendlyName identifies each claim (the Name value is the attribute-name format, shared by all of them); name becomes the user’s UserName, and Role must carry one of the group names from the roles table as plain text. The sample response later in this article shows the claim URIs an IdP typically emits for these.
Metadata Overrides (set these in the IdP; they take precedence over the unspecified NameIDFormat in the metadata above)
- NameId Format = emailAddress
- NameId Value = the user’s Email
Set up a separate endpoint in your IdP so TIPWeb-IT Mobile can authenticate users.
Application Identifier (Entity ID)
https://HayesURL/TIPWebITMobile-Logon/
Reply URL (Assertion Consumer Service URL)
https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer
Metadata XML
```xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://HayesURL/TIPWebITMobile-Logon/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer" index="1"></md:AssertionConsumerService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```
List of Attributes and Claims
```xml
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Given Name"/>
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="name"/>  <!-- used as the UserName -->
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
<md:RequestedAttribute isRequired="false" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Phone"/>
<md:RequestedAttribute isRequired="true"  Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Role"/>
```
Metadata Overrides (set these in the IdP; they take precedence over the unspecified NameIDFormat in the metadata above)
- NameId Format = emailAddress
- NameId Value = the user’s Email
After you configure the SSO endpoint for Asset Management in your IdP, complete the required fields in the Configuration Document and send it to ihdmsupport@frontlineed.com.
Sample SAML Request and Response
Request
Asset Management sends an AuthnRequest like the following to your IdP’s SAML Login URL (the Destination placeholder below):
```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_591df756-862f-40ff-8b87-2624fbf38c86"
    Version="2.0"
    IssueInstant="2021-09-10T15:37:21Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"
    Destination="https://__your_SSO_Login_URL__">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://HayesURL/TIPIDCore/</saml:Issuer>
</samlp:AuthnRequest>
```
Response
The IdP must return a SAML response to Asset Management similar to the following. Note how it ties back to the configured values: Destination and Recipient carry the Reply URL, Audience carries the Entity ID, the NameID is the user’s email in emailAddress format, the assertion is signed by the IdP, and the role attribute carries one of the group names from the roles table.
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_93883a0f-fa68-42d7-8444-c61473ea706c" Version="2.0" IssueInstant="2021-09-08T17:49:02.278Z"
    Destination="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"
    InResponseTo="_f9948222-3e11-4592-a0f6-7f15c2812131">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/90e0c2f4-c0eb-4f28-b0f5-8d2c578af4c8/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6cf241dc-38c0-4881-9b8b-cd751eda6701"
      IssueInstant="2021-09-08T17:49:02.278Z" Version="2.0">
    <Issuer>https://sts.windows.net/90e0c2f4-c0eb-4f28-b0f5-8d2c578af4c8/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_6cf241dc-38c0-4881-9b8b-cd751eda6701">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>...</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>...</SignatureValue>
      <KeyInfo><X509Data><X509Certificate>...</X509Certificate></X509Data></KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tipweb_it@DistrictDomainName</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_f9948222-3e11-4592-a0f6-7f15c2812131"
            NotOnOrAfter="2021-09-08T18:49:01.997Z"
            Recipient="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2021-09-08T17:44:01.997Z" NotOnOrAfter="2021-09-08T18:49:01.997Z">
      <AudienceRestriction>
        <Audience>https://HayesURL/TIPIDCore/</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>Hayes Support</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>Hayes</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>Support</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>tipweb_it@DistrictDomainName</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>tipweb_it@DistrictDomainName</AttributeValue>
      </Attribute>
      <Attribute Name="role">
        <AttributeValue>TIPWEBIT_ADMINVIEW_ADMIN</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2021-09-08T17:39:00.607Z" SessionIndex="_6cf241dc-38c0-4881-9b8b-cd751eda6701">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
```
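Before sending the configuration to Frontline, a district administrator can check a response captured from the IdP (for example, the SAMLResponse form value from the browser’s network tools) against the values in this article. The following Python script is an added example, not Frontline code: it verifies that the status is Success, that Destination and Recipient match the Reply URL, that Audience matches the Entity ID, that the NameID is an email in emailAddress format, that the required claims are present, and that every role value is one of the five group names above. It assumes the desktop Asset Management values (with the HayesURL placeholder kept as-is) and, as an assumption, keys claims by the last segment of the claim URI as in the sample response. It only checks that the assertion carries a Signature element; cryptographic verification needs the IdP certificate and an XML-DSig library. The embedded response is a constructed, trimmed copy of the sample above.

```python
"""Added example: pre-flight checks on a captured IdP SAML response against this page's values."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Desktop endpoint values from this page; HayesURL is the page's placeholder host.
ENTITY_ID = "https://HayesURL/TIPIDCore/"
ACS_URL = "https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ALLOWED_ROLES = {"TIPWEBIT_ADMINVIEW_ADMIN", "TIPWEBIT_ADMINVIEW_USER", "TIPWEBIT_SITEVIEW_ADMIN",
                 "TIPWEBIT_SITEVIEW_USER", "TIPWEBIT_LOOKUPVIEW_USER"}
REQUIRED_CLAIMS = ("givenname", "surname", "name", "emailaddress")  # Phone is optional

# Constructed sample: a trimmed copy of the page's sample response (signature contents elided).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"
 IssueInstant="2021-09-08T17:49:02.278Z" Destination="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2021-09-08T17:49:02.278Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tipweb_it@DistrictDomainName</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    NotOnOrAfter="2021-09-08T18:49:01.997Z" Recipient="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2021-09-08T17:44:01.997Z" NotOnOrAfter="2021-09-08T18:49:01.997Z">
   <saml:AudienceRestriction><saml:Audience>https://HayesURL/TIPIDCore/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Hayes</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Support</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>tipweb_it@DistrictDomainName</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>tipweb_it@DistrictDomainName</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="role"><saml:AttributeValue>TIPWEBIT_ADMINVIEW_ADMIN</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(raw):
    """Accept either the base64 SAMLResponse form value from a captured POST or raw XML."""
    text = raw.strip()
    return text if text.startswith("<") else base64.b64decode(text).decode("utf-8")


def _parse_time(value):
    """SAML timestamps are UTC with a trailing Z, e.g. 2021-09-08T17:49:02.278Z."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, now=None, entity_id=ENTITY_ID, acs_url=ACS_URL):
    """Return a list of findings; an empty list means the response matches the configured values."""
    findings = []
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        findings.append("status is not Success")
    if root.get("Destination") not in (None, acs_url):
        findings.append("Destination does not match the Reply URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return findings + ["expected exactly one Assertion, found %d" % len(assertions)]
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:  # presence only; verify it with the IdP certificate
        findings.append("Assertion is not signed")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID or "@" not in (name_id.text or ""):
        findings.append("NameID must be the user's email in emailAddress format")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient does not match the Reply URL")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        findings.append("Conditions element missing")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _parse_time(nb)) or (noa and now >= _parse_time(noa)):
            findings.append("assertion validity window does not cover the check time")
        if entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            findings.append("Audience does not match the Entity ID")
    # Assumption: claims are keyed by the last segment of the claim URI, as in the sample response.
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("Name", "").rsplit("/", 1)[-1].lower()
        attrs[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    findings += ["missing required claim: " + c for c in REQUIRED_CLAIMS if c not in attrs]
    roles = set(attrs.get("role", []))
    if not roles:
        findings.append("missing required claim: role")
    elif not roles <= ALLOWED_ROLES:
        findings.append("unknown role value(s): " + ", ".join(sorted(roles - ALLOWED_ROLES)))
    return findings


CHECK_TIME = dt.datetime(2021, 9, 8, 18, 0, tzinfo=dt.timezone.utc)  # inside the sample's window


def demo():
    """Check the constructed sample as-is, with a non-Asset-Management role, and as a base64 POST value."""
    good = check_response(SAMPLE_RESPONSE, now=CHECK_TIME)
    bad = check_response(SAMPLE_RESPONSE.replace("TIPWEBIT_ADMINVIEW_ADMIN", "Domain Admins"), now=CHECK_TIME)
    posted = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    roundtrip = check_response(decode_saml_response(posted), now=CHECK_TIME)
    return good, bad, roundtrip


if __name__ == "__main__":
    print(demo())
```

To check a real capture, pass the SAMLResponse form value to decode_saml_response() and the result to check_response() without a now argument, so the validity window is checked against the current time; for the Mobile endpoint pass the Mobile Entity ID and Reply URL as entity_id and acs_url. A clean run is no substitute for Frontline’s own signature verification, but it catches the usual mismatches (wrong audience, a group name that is not one of the five roles, a NameID that is not the email) before the configuration document is sent.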
Setting Up Google SAML
To integrate Google SAML SSO with Frontline Asset Management, your district must have a valid Google for Education or Google Workspace license. If you do not have a Google Workspace or Google Admin account, see Google Workspace Services.
Complete the following steps so Frontline can configure Asset Management to use SSO with your Google instance:
1. Create Google custom user attributes (roles) for Asset Management and Mobile SSO.
2. Create a Google account for Frontline support users.
3. Add an Identifier Entity ID and ACS URL for each product: Asset Management and Mobile.
4. Map the SAML attributes, including custom user attributes.
5. Populate all users’ custom attributes (roles).
6. Send the account credentials, security certificates, and login details to the Frontline team.
7. Repeat steps 1–6 for Mobile.
Steps
Log in to your Google Admin console. You must be a Google Workspace administrator. Click Users, then select More > Manage Custom Attributes.
Click Add Custom Attributes.
Create a new custom attribute for Asset Management groups. It must be:
- Type: Text
- Visibility: Visible to organization
- Value type: Single Value
Click Save.
Click Apps.
Click Web and mobile apps.
Click and select Add App > Add custom SAML app.
Enter a name for the app and optionally upload an icon.
Download and copy the metadata, SSO URL, entity ID, certificate, and fingerprint, then record them in the Configuration Document. Repeat this process for Mobile. Send both completed documents to Frontline support.
Enter or paste the ACS URL and Entity ID from this document. The Entity ID is the Application Identifier. The ACS URL is the Endpoint Reply URL or Assertion Consumer Service URL. Leave the Signed response option unchecked: the response itself must not be signed, so Google signs the assertion inside it, as in the sample response above. Set the Name ID format to Email and the Name ID value to Primary email.
| | TIPWeb-IT | Mobile |
|---|---|---|
| Entity ID | https://HayesURL/TIPIDCore/ | https://HayesURL/TIPWebITMobile-Logon/ |
| Endpoint Reply URL | https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx | https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer |
Add the SAML attribute mapping. Map each entry from the List of Attributes and Claims above (Given Name, Surname, name, email, and optionally Phone) to the matching Google user field, and map Role to the custom attribute you created so that each user’s role name is sent as plain text in the role claim. Users whose custom attribute is empty or holds a value other than the five group names will not receive a valid role.
FAQs
Should I name the URLs, file names, projects, and Google settings exactly as documented here?
Yes. Do not change these values. Asset Management depends on the exact names and URLs shown in this document.