Please note that SSO is only available on the Master plan.
 
SSO/SAML enables members of an identity provider (IdP) of your choice to access Resource Guru without having to set up a separate Resource Guru ID (login). Resource Guru's SSO works with any IdP that supports SAML 2.0 including Google G Suite, Microsoft Azure, Okta, Ping Identity, Ping Federate, OneLogin, Bitium, LastPass, Centrify, Clearlogin, Auth0 and many others. Setting up SSO can be a bit tricky so we’ve provided a guide below using Google G Suite as the IdP.

Configuring SSO using Google G Suite as an example

Sign into G Suite Admin, click on Apps, then click on SAML Apps.
 

Click on the plus sign in the bottom right corner to add an app.

Click Setup My Own Custom App.


 
Download the Certificate and make a note of the SSO URL and Entity ID - we'll use these later. Now click Next.


Add “Resource Guru” as the Application Name, then enter an optional description and upload the Resource Guru logo if you want to (this will appear for users in their Google menu). Then click Next.
 
Leave this page open and log in to Resource Guru in a separate tab.
 


Head on over to your Settings in Resource Guru, and click SSO followed by Configure SSO.
 


 
Copy your ACS URL and Entity ID from Resource Guru into G Suite.
 


Make sure the Name ID is set to "Basic Information" and "Primary Email". Change the Name ID Format to "EMAIL", then click Next.
 
The next step in Google allows you to add attribute mappings - this is optional. If you don’t wish to map attributes just click Finish. If you do wish to map attributes, click Add New Mapping.
 


 
Enter “first_name” into the Application attribute field, then choose Basic Information and First Name from the following drop down boxes.
 
Enter “last_name” into the Application attribute field, then choose Basic Information and Last Name from the following drop down boxes.
 
Click Finish.
 


 
Then, in G Suite > Apps > SAML Apps, turn the service ON for everyone.
 


 
Head back over to Resource Guru and paste the SSO URL and Entity ID from G Suite into the relevant fields.
 
Enter the email domain for your organisation (eg @mycompany.com) and upload the certificate you downloaded from G Suite earlier.
 
If you would like anyone with a company email address (eg @mycompany.com) to be able to automatically set up a Resource Guru account then choose Self-service. Alternatively, if you only want people to be able to set up accounts if they have been invited into the account then choose Users must be invited.
 
If you want to prevent people from accessing your account after they have been removed from your IdP, choose SSO only. This setting provides centralised access control to your account via your IdP. Please note that account owners will still be able to log in using their Resource Guru ID (email & password) - this prevents everyone being locked out if the connection with your IdP fails for any reason.
 
Finally, click Add Configuration.
 


 
Users from your company will now be able to log into Resource Guru with their email address by using the link above on the login page.

Guru Tip

If SSO only is switched on, only the account owner will be able to access the API. This is because users can’t use their Resource Guru ID to log in when SSO only is enabled and we can’t use SSO to determine whether API access should be granted or not.

Configuring SSO using Microsoft ADFS

Go to Settings > SSO > Configure SSO.

Make a note of the ACS URL and Entity ID.

On ADFS

Add relying party:

  • Check Enable support for the SAML 2.0 WebSSO protocol, then enter the ACS URL from Resource Guru into the SAML 2.0 SSO service URL field
  • Relying party trust identifier: add the Entity ID from Resource Guru

Add claim rules:

  1. Click Add Rule. Create a Send LDAP Attributes as Claims rule.
  2. On the next screen, using Active Directory as your attribute store, do the following:
     • From the LDAP Attribute column, select E-Mail Address
     • From the Outgoing Claim Type, select E-Mail Address
     • Click on OK to save the new rule
  3. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
  4. On the next screen:
     • Select E-mail Address as the Incoming Claim Type
     • For Outgoing Claim Type, select Name ID
     • For Outgoing Name ID Format, select Email
     • Leave the rule to the default of Pass through all claim values
     • Finally, click OK to create the claim rule, and then OK again to finish creating rules.

Head back over to Resource Guru and paste the SSO URL into the relevant field. You'll use your full ADFS server URL with the SAML endpoint as the SSO URL. It's normally something like https://<adfsserver>/adfs/ls

Then enter your IdP Entity ID - this is your subdomain.

To obtain your IdP X509 Certificate:

  1. Log into the ADFS server and open the management console
  2. Right-click Service > Certificate
  3. Right-click the certificate and select View Certificate
  4. Select the Details tab
  5. Click Copy to File. The Certificate Export Wizard opens.
  6. Select Next. Ensure the No, do not export the private key option is selected, and then click Next
  7. Select DER encoded binary X.509 (.cer), and then click Next
  8. Select where you want to save the file and give it a name. Click Next
  9. Select Finish.
  10. Upload the saved X509 certificate to Resource Guru.

If you would like anyone with a company email address (eg @mycompany.com) to be able to automatically set up a Resource Guru account then choose Self-service. Alternatively, if you only want people to be able to set up accounts if they have been invited into the account then choose Users must be invited.
 
If you want to prevent people from accessing your account after they have been removed from your IdP, choose SSO only. This setting provides centralised access control to your account via your IdP. Please note that account owners will still be able to log in using their Resource Guru ID (email & password) - this prevents everyone being locked out if the connection with your IdP fails for any reason.

Finally, click Add Configuration.

Users from your company will now be able to log into Resource Guru with their email address by using the link above on the login page.
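
Added example, not part of Resource Guru's documentation or code: a Python check for a decoded SAML assertion captured from a test login, confirming that the Google or ADFS steps above produced a Name ID in email format at your organisation's email domain, and listing any mapped attributes. The sample assertion, idp.example.com and the function names are constructed for illustration; the script inspects configuration only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer the defusedxml package

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: a decoded assertion with signature and conditions omitted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.com/entity</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@mycompany.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_name_id(xml_text, email_domain):
    """Return a list of problems with the NameID; an empty list means it matches the guide."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return ["no NameID found in the assertion Subject"]
    problems = []
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_FORMAT}")
    value = name_id.text.strip()
    domain = email_domain.lstrip("@").lower()
    local, sep, got = value.rpartition("@")
    if not (sep and local) or got.lower() != domain:
        problems.append(f"NameID {value!r} is not an address at @{domain}")
    return problems

def mapped_attributes(xml_text):
    """Return attribute names and first values sent by the IdP (first_name/last_name are optional)."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        value = attr.find("saml:AttributeValue", NS)
        found[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return found

if __name__ == "__main__":
    print(check_name_id(SAMPLE_ASSERTION, "@mycompany.com") or "NameID OK")
    print(mapped_attributes(SAMPLE_ASSERTION))
```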
