This article provides step-by-step instructions for setting up a third-party SAML Single Sign-On (SSO) profile in Google Workspace to use Skolon as an identity provider. These steps are also described by Google on their support article “Setting up SSO”
Prerequisites:
Administrator access to your Google Workspace Admin Console (admin.google.com)
The following SSO details from Skolon:
IDP Entity ID
Sign-in page URL
Verification certificate file
Step 1: Navigate to SSO Settings
Log in to your Google Admin Console.
From the left-hand menu, navigate to Security > Authentication > SSO with third-party IdPs.
Step 2: Add a Third-Party SSO Profile
Click on "Add SAML profile".
Give the profile a descriptive name, for example, "Skolon SSO for Pupils".
Step 3: Enter Skolon's Identity Provider Details
On the configuration screen, fill in the following fields with the information provided by Skolon:
Entity ID: Enter the Entity ID provided by Skolon.
Example: https://yourorganization.saml-idp.skolon.com
Sign-in page URL: Enter the URL provided by Skolon.
Example: https://saml-idp.skolon.com/singleSignOn/yourorganization/
Sign-out page URL: You can leave this blank.
Change password URL: You can leave this blank.
Verification certificate: Click "Upload certificate" and select the certificate file provided by Skolon.
Click Save.
Step 4: Assign the SSO Profile to an Organizational Unit (OU)
After saving, you will be returned to the "SSO with third-party IdPs" screen. Click on "Manage SSO profile assignments".
Select the Organizational Unit (OU) that contains the pupils you want to assign this login method to. For example, you might select a parent OU named "Pupils".
In the assignment section, select your newly created "Skolon SSO for Pupils" profile from the dropdown menu.
Click "Save".
Step 5: Test the Configuration
Before informing all users, it is highly recommended to test the configuration.
Create a new, temporary OU for testing.
Move a single test pupil account into this OU.
Assign the Skolon SSO profile to this test OU.
In an incognito browser window, attempt to log in to a Google service (like
classroom.google.com
) with the test pupil's email address. You should be redirected to the Skolon login page.
Once you have confirmed that the login works as expected, you can proceed with assigning the SSO profile to the primary pupil OUs.