Configure SSO with Google Workspace

Pipedream supports Single Sign-On (SSO) with Google Workspace. This guide shows you how to configure SSO in Pipedream to authenticate with your Google org.

• Requirements
• Configuration
• Important details

Requirements

• SSO is only supported for workspaces on the Business and Enterprise plans. Visit the Pipedream pricing page (opens new window) to upgrade.
• You need an administrator of your Pipedream workspace and someone who can create SAML apps in Google Workspace (opens new window) to configure SSO.

Configuration

To configure SSO in Pipedream, you need to set up a SAML application (opens new window) in Google Workspace. If you're a Google Workspace admin, you're all set. Otherwise, coordinate with a Google Workspace admin before you continue.

1. In your Google Workspace admin console, select Apps > Web and Mobile apps

2. In the Add app menu, select the option to Add custom SAML app:

3. First, add Pipedream as the app name, and an app description that makes sense for your organization:

4. Continue past the configuration step:

5. In the Service provider details, provide the following values:

• ACS URL — https://api.pipedream.com/auth/saml/consume
• Entity ID — Pipedream
• Start URL — https://api.pipedream.com/auth/saml/<your workspace name>

replacing <your workspace name> with the workspace name at https://pipedream.com/settings/account (opens new window). For example, if your workspace name is example-workspace, your start URL will be https://api.pipedream.com/auth/saml/example-workspace.

In the Name ID section, provide these values:

• Name ID format — EMAIL
• Name ID — Basic Information > Primary email

then press Continue.

6. Once the app is configured, visit the User access section to add Google Workspace users to your Pipedream SAML app. See step 14 of the Google Workspace SAML docs (opens new window) for more detail.

7. Pipedream requires access to SAML metadata at a publicly-accessible URL. This communicates public metadata about the identity provider (Google Workspace) that Pipedream can use to configure the SAML setup in Pipedream.

First, click the Download Metadata button on the left of the app configuration page:

Host this file on a public web server where Pipedream can access it via URL, for example: https://example.com/metadata.xml. You'll use that URL in the next step.

8. In Pipedream, visit your workspace's authentication settings (opens new window).
9. In the Single Sign-On section, select SAML, and add the URL from step 7 above in the Metadata URL field, then click Save.

Any user in your workspace can now log into Pipedream at https://pipedream.com/auth/sso (opens new window) by entering your workspaces's name (found in your Settings (opens new window)). You can also access your SSO sign in URL directly by visiting https://pipedream.com/auth/sso/your-workspace-name (opens new window), where your-workspace-name is the name of your workspace.

Important details

Before you configure the application in Google, make sure all your users have matching email addresses for their Pipedream user profile and their Google Workspace profile. Once SSO is enabled, they will not be able to change their Pipedream email address.

If a user's Pipedream email does not match the email in their Google profile, they will not be able to log in.

If existing users signed up for Pipedream using an email and password, they will no longer be able to do so. They will only be able to sign in using SSO.