This article outlines how to set up and configure SAML-based Single Sign-On for Sequr with G Suite as your Identity Provider (IdP). We support both IdP-initiated and SP-initiated SSO.

How to Configure Your G Suite with SAML App

  • As an administrator on your office's Google account, navigate to your admin portal and click through to Apps > SAML Apps.
  • You will see a list of your existing SAML apps. Click the round, yellow '+' button at the bottom right corner of your screen to add a new one.
  • Select the "Setup My Own Custom App" option near the bottom of the window.

Google IDP Information

  • Next you'll see your specific Identity Provider information. In a short while you will need this information to configure Sequr. Please copy your "SSO URL" and download the X.509 "Certificate." 

Basic App Information

  • Click 'Next' to set up the basic app information. Name the SAML app and upload an icon to make it easy to find. You can download our official icon here.

Service Provider Details

  • Click 'Next' to enter your Service Provider details. This is a very important step. Please enter the following values carefully. 

ACS URL: https://login.sequr.io/assertion?RelayState=<your-relaystate-id>
Entity ID: https://login.sequr.io
Start URL: Leave empty
Signed Response: Leave it as is (unchecked)
Name ID: Select "Basic Information" and "Primary Email"
Name ID Format: Leave it as is ('Unspecified')

Note: Please make sure to enter the correct value for "RelayState". You can find your company-specific "RelayState" id on your Sequr dashboard, as described below in the SP configuration section. At this point you can leave it blank, but come back later and enter the correct value.

  • Click the 'Next' button. The next page will ask you to map any attributes. You will not need to map any attributes. Just click the 'Finish' button to save your settings. 
  • Once the app is configured, it will not work until you turn it on for your domain. You can turn it on for everyone in your organization or for specific organizations. In most cases you will need to turn it on for everyone.

Configuring Your Sequr Account With G Suite

  1. Log in to your Sequr web portal and navigate to the "Integrations" page. Under the Single Sign-On SAML integration box, click "Install."

  2. Enter the G Suite Identity Provider's values that you obtained earlier.

  • In the 'Identity Provider Single Sign-On URL' box, enter your G Suite 'SSO URL.' 
  • Drag and drop or manually enter the G Suite X.509 certificate that you downloaded earlier. 

  3. Click 'Install' to save the values.


  4. Please copy the "RelayState" id for your account and go back to the G Suite configuration. In the G Suite SAML app configuration, make sure you have entered the correct ACS URL with the correct RelayState id. In the example screenshot above, it is 15.
ACS URL: https://login.sequr.io/assertion?RelayState=<your-relaystate-id>

At this point Single Sign-On will be enabled for all of your admins and employees.
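
A pre-flight check for the Service Provider values entered in G Suite, as an added example that is not Sequr's or Google's code: it parses the ACS URL and flags the mistakes this procedure makes easy, such as a RelayState left blank or still holding the placeholder. The function name `check_sp_details` and its messages are assumptions; the expected values are the ones given in this article.

```python
from urllib.parse import urlsplit, parse_qs

# Expected values are the ones this article gives for the G Suite form.
ACS_HOST = "login.sequr.io"
ACS_PATH = "/assertion"
ENTITY_ID = "https://login.sequr.io"


def check_sp_details(acs_url, entity_id, start_url=""):
    """Return a list of problems in the values typed into the G Suite SAML app.

    Hypothetical helper: the name and messages are not from Sequr or Google.
    """
    problems = []
    if acs_url != acs_url.strip() or entity_id != entity_id.strip():
        problems.append("stray whitespace around a pasted value")

    parts = urlsplit(acs_url.strip())
    if parts.scheme != "https":
        problems.append("ACS URL must use https")
    # .hostname ignores port and userinfo, so "login.sequr.io@other" fails here.
    if parts.hostname != ACS_HOST:
        problems.append(f"ACS URL host is {parts.hostname!r}, expected {ACS_HOST!r}")
    if parts.path != ACS_PATH:
        problems.append(f"ACS URL path is {parts.path!r}, expected {ACS_PATH!r}")

    # Parameter names are case-sensitive: "relaystate=15" counts as missing.
    relay = parse_qs(parts.query, keep_blank_values=True).get("RelayState", [])
    if len(relay) != 1:
        problems.append("ACS URL needs exactly one RelayState parameter")
    elif not relay[0].strip():
        problems.append("RelayState is blank; copy the id from the Sequr dashboard")
    elif "<" in relay[0] or ">" in relay[0]:
        problems.append("RelayState still holds the <your-relaystate-id> placeholder")

    if entity_id.strip() != ENTITY_ID:
        problems.append(f"Entity ID must be exactly {ENTITY_ID!r}")
    if start_url.strip():
        problems.append("Start URL should be left empty")
    return problems


if __name__ == "__main__":
    # 15 is the RelayState id from the article's example screenshot.
    for url in ("https://login.sequr.io/assertion?RelayState=15",
                "https://login.sequr.io/assertion?RelayState=<your-relaystate-id>"):
        print(url, "->", check_sp_details(url, ENTITY_ID) or "OK")
```

An empty list means the values match what this article specifies; it does not confirm that the RelayState id is the one shown on your own Sequr dashboard.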

# Exempt Users From Single Sign-On

There could be cases where you want to exempt certain users from the single sign-on process. For example, you may want to send a "mobile key" to vendors or contractors who are not on your identity platform. It's really easy to add an SSO exemption with Sequr once you have enabled the SAML integration.

  • Go to Integrations > SAML Integration > Exempted Users
  • Click on "Add SSO Exemption". Search and add any existing user to exempt them from SSO.

Notes:

  • If you have already assigned a "Mobile Key" prior to adding the user to the SSO exemption, please go to the user profile and click on "Resend Sign-up Email". This time the user will receive a notification with a registration link to sign up.

# SSO Back Door URL 

Sometimes there might be a mistake in the SAML configuration, or something changes in the SAML IdP endpoints. In any case, you do not want to be completely locked out, so having a backdoor that Admins can use to access a locked system is extremely important.

You can enable the SSO backdoor as shown below. The "SSO backdoor" URL only works for Administrators. The Sequr "SSO backdoor" URL is: https://login.sequr.io/?sso=false

# How to Disable Single Sign-On

To disable SAML SSO, navigate to the "Integrations" page on your Sequr dashboard. Click "Manage" under the Single Sign-On SAML integration box. Next click on the "Edit" button, then click "Delete."

If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Sequr Support Team via live chat in your Sequr web app. You can also contact us via email at support@sequr.io.
