Configure SAML-based single sign-on (SSO) with Google Workspace

Who can use this feature?

🔐 Only team owners and admins can configure single sign-on (SSO)

⭐️ Available on the Standard plan.

Step 1: Prepare the configuration

  1. Log in to Nuclino.

  2. Open your Team settings by opening the main menu in the top left corner of the app, clicking on your team name, and then choosing Team settings.

    nuclino-settings-gif_outline
  3. Go to the Authentication section and choose SAML-based single sign-on (SSO).

  4. Note the ACS URL and Entity ID.

Step 2: Set up Google Workspace for Nuclino

  1. Make sure you are a Google Workspace super administrator for this task.

  2. Go to the Google Admin console.

  3. Go to Apps > Web and mobile apps and select Add app > Add custom SAML app.

    google-workspace-sso-1_outline
  4. Enter the App details and click Continue.

    google-workspace-sso-2_outline
  5. Note the SSO URL, Entity ID, and certificate text. You'll later need to enter the SSO URL, Entity ID, and the certificate text in your Nuclino team settings.

    google-workspace-sso-3_outline
  6. Fill out the form:

    1. ACS URL: Enter your ACS URL from Step 1

    2. Entity ID: Enter your Entity ID from Step 1

    3. Check Signed response.

    4. Name ID format: EMAIL

    5. Name ID: Basic Information > Primary email

    google-workspace-sso-4_outline
  7. Set the following attributes:

    • Basic Information > First name → first_name

    • Basic Information > Last name → last_name

    google-workspace-sso-5_outline
  8. Click on the User access panel.

    google-workspace-sso-6_outline
  9. Select ON for everyone and click Save.

    google-workspace-sso-7_outline

⚠️ After configuring SSO, the changes need time to propagate to all users in Google Workspace, and in the first 24 hours, you may encounter a 403 or 500 error when authenticating via SSO on the Google Workspace login page. The time for propagation can vary from several hours all the way up to 24, depending on the size of your organization.

Step 3: Integrate Nuclino with your identity provider

  1. Log in to Nuclino.

  2. Click the menu button in the top left corner to open the main menu.

  3. Click on your team name and select Team settings.

  4. Go to the Authentication section and choose SAML-based single sign-on (SSO)

  5. Enter the following information

    1. SSO URL: Enter the SSO URL you've noted in Step 2

    2. IDP Entity ID: Enter the Entity ID you've noted in Step 2

    3. Public certificate: Enter the certificate text you've noted in Step 2

  6. Click Save changes.

  7. Optional: Enforce single sign-on (SSO)

After you have successfully set up SSO

Your team can now sign up and log in via your team URL which you can find in your team settings in the Authentication section.

  • People who already have a Nuclino account with the same email address as their SSO account can choose to link this account. Afterwards, they can log in using their existing Nuclino account or use SSO instead.

  • For people who don't have a Nuclino account yet, a new account is provisioned when they log in for the first time using your team URL.

Users who have already set up SSO for their Nuclino account can also go to the normal login (https://app.nuclino.com/login) and select Log in via single sign-on (SSO).

Troubleshooting

After configuring SSO, the changes need time to propagate to all users in Google Workspace, and in the first 24 hours, you may encounter a 403 or 500 error when authenticating via SSO on the Google Workspace login page. The time for propagation can vary from several hours all the way up to 24, depending on the size of your organization.

Questions?

If you have any questions or need help to set up SSO for Nuclino, please contact us.