This article outlines the steps needed to enable Single Sign On (SSO) between Share911 and Google via SAML 2.0. SSO integration means that staff will be able to use their existing company password and authenticate with your organization's existing Google roster to gain access to Share911.
Staff will still be required to create a Share911-specific password when enrolling so that they will have access when outside the corporate network.
You will need to have one user already created in Share911 with Manage Channel permissions on your organization's top-level channel.
1. Access your top-level channel Integrations page in Share911
First let's log in to Share911 with our administrator account. We should see multiple channels, including our organization's top-level channel. For example, if our normal channel is found at:
...then our top-level channel will be found at
If you do not see your organization's top-level channel, please contact firstname.lastname@example.org and we will help you gain access.
Next, we can navigate to the "Channel Integrations" page by clicking on our name in the top right, then Manage Channels, then Integrations.
Then, type "https://share911.com" in the Issuer field. (We will get the Metadata Url value later from Google.)
Last, copy the value of the Share911 Assertion Consumer Service Url field. For example, "https://share911.com/saml/sharevilledemo/consume". We will need this information when we create the Share911 application in Google.
2. Create a Share911 application in Google
First, log in to Google Admin. Then select Apps and select "SAML apps".
Create new SAML app
Setup My Own Custom App
Google IdP Information
Download the IDP Metadata and upload it to a publicly-available location. We will use the public URL of the IDP metadata later in Step 4.
Basic Information for your Custom App
A 256x256 pixel logo for Share911 can be found here.
Service Provider Details
The ACS URL is what we copied in Step 1, the Share911 Assertion Consumer Service URL.
There are no attribute mappings required, so just click Finish.
3. Turn on the Share911 app in Google
Now that we've created our Share911 application, let's give people permission to use it. If you would like to start testing Share911 with a few staff first, you can assign individual people. Otherwise, you can assign whichever Groups make sense for your organizational structure.
4. Enter Google-specific information into Share911
Now we need to copy the public URL of the IDP Metadata file that you downloaded from Google. Share911 uses this to make the SAML requests. If you need assistance making the IDP Metadata file publicly available, please email the file to email@example.com and we will host it on our own CDN.
Once we have the URL copied, we can switch back to our Share911 browser tab and paste it into the Metadata Url field. Now our setup is complete in both Google and Share911, so we can check the "Enable integration?" switch to turn on SSO.
5. Ensure Registration email domain is set properly in Share911
At this point our SAML integration is completed but we also need to ensure that Share911 knows to attempt a SAML login for our users. To do this we need to ensure that the email domains set in the Share911 Registration page are correct for your organization. Only domains included here will be eligible to use SAML SSO.
Let's check by first clicking "< Channel Integrations" to go back to the main Manage Channel page, then selecting "Registration" to open the "User Registration" page.
Ensure that the Email Domains field has the correct email domain(s) for your organization. Since we do not want staff to be able to join this top-level channel when Self-Registering, let's also check the "Require administrator approval..." check box. (This is just a precaution and does not usually happen).
6. Test SSO login to Share911
Now we can test our SAML integration. To do so, let's log out of our Share911 account and re-enter our email address into the Share911 login page. We should now see the option to "Log in with SAML".
Clicking that link will initiate an SSO SAML request to Google and should grant access to our Share911 account. If not, please contact firstname.lastname@example.org so that we can help troubleshoot what went wrong.
Share911 will remember our last login method, so the next time that we visit the Share911 login screen, we will see this form instead:
And we're done!