Single sign-on with Google

Written by Rosalind Bygott

Note: You will need Configurator access to enable SSO. You must also be an admin of your organisation's Google account with permission to create new SAML apps.

Configuring the single sign-on app

Please follow the steps below to configure SAML SSO using Google for your Talos Perform account:

  1. Turn on the Single sign-on with SAML setting in Configuration > Security > Single sign-on

  2. Take note of the following values as we'll need them later:

  • ACS (Consumer) URL

  • Issuer ID

  • Default Relay State

  • In a new tab, log into your Google admin centre. Then select Home > Apps > Web and mobile apps. Press 'Add app' and select 'Add a custom SAML app'.

  • Provide an app Name and Description which will be shown to your employees. We suggest:
    Name: Talos Perform
    Description: Talos Perform is the online platform used for our performance management at [Company Name] including reviews, objective tracking and peer feedback.

  • Add an app icon, then press 'Continue'. You can download the Appraisd app icon here

  • The next page shows the IdP metadata, which we need to copy and paste into the Talos Perform single sign-on configuration page that is open in the other tab.

  • SSO URL -> Identity Provider Single Sign-On URL
    Entity ID -> Identity Provider Issuer URL
    Certificate -> X.509 Certificate


Make sure you save each field once you've pasted in the correct information.

  • Back in the Google admin centre, press 'Continue'.

  • Copy data from the Talos Perform single sign-on section into the Service provider details in the Google admin centre.

  • ACS (Consumer) URL -> ACS URL

  • Issuer ID -> Entity ID

  • Default Relay State -> Start URL (and tick 'Signed response')

  • In the 'Name ID' section choose 'EMAIL' from the 'Name ID format' dropdown

  • Select 'Continue'.

  • Most organisations do not need to add attributes or Group membership values. Just press 'Finish'

  • We now need to configure which of your users can access Talos Perform using the Google SSO app. To do this click on the 'User access' panel.

  • For most organisations you will want to turn on the service for all users, but you can turn on the SAML app for specific user groups only if needed. In our example case we will turn on the service for all users and press 'Save'.

  • Sign out of Talos Perform in the other tab, navigate back to the SAML app overview page and press 'TEST SAML LOGIN'. A new browser tab should open where you may be asked to enter your Google credentials; you'll then be logged into Talos Perform and redirected to the dashboard.

  • Go to the SAML section of configuration and copy the 'Service-initiated login URL'.

  • Log out of Talos Perform. Then confirm that you can use the 'Service-initiated login URL' to log into Talos Perform.

  • Once you've confirmed that your new Google SAML app is working, you can use the configuration area in Talos Perform to allow access exclusively via SSO and switch off password access. This will make the system more secure.

  • When your employees enter their email address, the SSO button will automatically load.

Troubleshooting

Here are things to check if SSO is not working:

  • If you find some users cannot log in using SSO but some can, then it's unlikely to be a problem with Talos Perform or the way you've configured your connection with Talos Perform. Instead, ask them to try a different browser, and check that they have been configured in your identity provider with the same privileges to access the application profile as you.

  • Make sure the NameID being passed to Talos Perform is set to be the user's email address

  • Ensure the email address in the identity provider matches the email in Talos Perform exactly

  • Are some people signed in to Chrome with two identities (e.g. one for work, one for personal)? If so, it could be trying to log in to Talos Perform with their personal email address, not their work email. You can test this by signing out of the personal account and trying to log in again. If that's the problem, contact support@appraisd.com.
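
The NameID, email-match and 'Signed response' checks above can be run against a decoded SAML response from a test login. The script below is an added example, not Talos Perform or Google code; the URLs, email addresses and sample response are constructed placeholders, and it assumes Google puts the ACS URL in the response's Destination attribute and the Entity ID in the Audience element.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(xml_text, acs_url, issuer_id, account_email):
    """List mismatches between a decoded SAML response and the SSO settings.
    Presence checks only: this does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("ds:Signature", NS) is None:  # 'Signed response' not ticked
        problems.append("response is not signed")
    if root.get("Destination") != acs_url:
        problems.append("Destination differs from ACS (Consumer) URL")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    if audience != issuer_id:
        problems.append("Audience differs from Issuer ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return problems + ["assertion has no NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not EMAIL")
    value = name_id.text or ""
    if value != account_email:
        if value.strip().lower() == account_email.strip().lower():
            problems.append("NameID differs from account email by case or whitespace")
        else:
            problems.append("NameID is a different address from the account email")
    return problems

# Constructed sample values, not taken from any real tenant.
ACS_URL = "https://sp.example.invalid/saml/acs"
ISSUER_ID = "https://sp.example.invalid/saml/metadata"
def sample_response(name_id, fmt=EMAIL_FORMAT, signed=True):
    """Build a constructed, minimal response for demonstration."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{ACS_URL}">{sig}<saml:Assertion><saml:Subject>'
            f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{ISSUER_ID}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    personal = sample_response("jo.personal@example.org", signed=False)
    for problem in check_response(personal, ACS_URL, ISSUER_ID, "jo@example.com"):
        print("-", problem)
```

To use it on a real login, base64-decode the SAMLResponse form field posted to the ACS URL during 'TEST SAML LOGIN' and pass the resulting XML as xml_text. Treat the captured response as sensitive, since it contains the user's identity.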
