This document provides guidelines on how to configure Workvivo to authenticate via Single Sign On (SSO) using Google Workspace as the identity provider (IdP) solution - within a multi-tenant SAML2 SSO configuration.
This setup is specific to managing multiple SSO tenants, including a Google Workspace tenant.
The information contained in this document is intended as a guideline only – there may be significant differences in any given Google Workspace configuration that require a different approach to be taken.
Please note: Ahead of setup, you will need to know which team will be directed to which SSO tenant. That is the logic we will use to direct the user to the correct log-in screen. The team would need to be maintained via user provisioning.
1. Start the configuration on Workvivo
Once you have identified the team to associate with your Google SSO tenant, you can begin the configuration in Workvivo.
Firstly you will need the "IT Administrator" role on Workvivo - this can be granted by a current Admin, or your Workvivo point of contact.
Once you have been granted this role, navigate to the Admin section > Authentication and System Settings.
Under Authentication Mode, choose Multi Tenant SSO or Password
Next, select Add New Tenant
Enter a Name for your New SSO Tenant
Note: this is just a label for you to identify your sso tenant, for example 'Google SSO - Company A'
On the next screen, you will find the specific Entity ID and ACS URL to enter into Google Workspace for this tenant. Copy and save these elsewhere for now, so you can retrieve them for the later steps.
Once you have saved the URLs, next you will need the metadata details from Google workspace.
2. Set up Workvivo as a Custom SAML App in Google Workspace
To begin configuring Workvivo in Google Workspace, the first step is to add it as a custom app.
From the Google Workspace Admin console Home page, go to Apps and then Web & Mobile Apps.
Click Add App, then select "Add Custom SAML App"
Enter a name for the App, for example Workvivo. You have the option to choose an App Icon, and select Continue.
Choose Option 1 to download your IdP metadata. Alternatively, copy the SSO URL, Entity ID and Certificate from Option 2 to enter these details directly on Workvivo later
In the Service provider details screen, enter the below values using the URLs you copied directly from Workvivo previously to populate the ACS URL and Entity ID fields
- ACS URL: https://[companyname].workvivo[.com][.us][.me]/saml/acs-multi/[hashvalue]
- Entity ID: https://[companyname].workvivo[.com][.us][.me]/saml/metadata-multi/[hashvalue]
- Name ID Format: EMAIL
- Name ID: Basic Information, Primary Email
*Note - depending on whether your Workvivo instance is hosted on our EU, US, or UAE data center, make sure you enter the correct domain. It will either by workvivo.com, workvivo.us, or workvivo.me. The format may also differ if your organisation has configured a custom domain name for Workvivo. If you do not know your Workvivo domain name, please contact our support team via 'Submit a request' for assistance.
Click "Continue" to move to the next step.
Create a new mapping for Basic Information: Primary Email to Email
Click "Finish"
3. Enable SSO for Users
The next step is to turn the app on for all employees.
From the Admin console Home page, go to Apps and then Web & Mobile Apps and select your new Workvivo SAML app.
Click to expand the panel on the top right.
To apply settings for all users, check the 'ON for everyone' radio button and then click "Save".
To apply settings to individual organisational units, select the relevant organisational unit that contains the users whose settings you want to change from the list on the left hand side. To change the setting, elect On or Off.
4. Complete the configuration on Workvivo
Return to Workvivo to add the required metadata details you downloaded from the IdP Metadata URL (Option 1) . You can also copy and paste the three values listed below directly from Google Workspace (Option 2).
1. Entity ID → IdP Entity ID
2. SSO URL → SSO Service URL
3. Certificate → X.509 Certificate
Note: The Option to Force Google Account Chooser allows the user to select the correct Google account when multiple accounts are logged in
To complete the configuration, choose the team to link to this specific tenant
Once the setup is complete, your new tenant will be listed under SSO Tenants
5. Testing SSO
To test that SSO has been configured correctly:
- Ensure the user profile has been created on Workvivo either manually or via SCIM provisioning.
- The user will need to be assigned to the team linked to the SSO tenant.
- Open your Workvivo URL in a private/incognito browser window.
- Enter your sign-in credentials.
- Once authenticated, you should be automatically redirected back to the Workvivo app.
* Please note that if the SAML X509 Certificate is updated on Google this can take up to 24 hours to come into effect.