In Favro, navigate to Administration > Authentication methods > Single Sign-On settings > Configure.
Input the domain you want to use for SAML authentication and click on Add domain to continue.
Follow the on-screen instructions in Favro to complete the domain verification process.
In Google Workspace, navigate to Apps > Web and mobile apps > Add app > Add custom SAML app.
Define the app name and proceed to the second step.
While on Step 2, copy:
• SSO URL from Google Workspace and paste it into the SAML login URL field in Favro.
• Certificate from Google Workspace and paste it into the SAML identity provider certificate field in Favro.
• The Entity ID field will not be used.
Then click Continue.
On the next screen, fill in:
• ACS URL: https://favro.com/saml/assert
• Entity ID: https://favro.com/saml/metadata.xml
Make sure Name ID settings are configured as follows:
• Name ID format is set to EMAIL.
• Name ID is set to Basic information > Primary email.
Finish the setup.
Make sure the SAML integration app you just created is enabled for the correct users and groups. In the example below, we have enabled the integration for all users.
Save the changes and test the SAML integration.
Assigning Favro Role to users via SAML
In Google Workspace, navigate to Directory > Users > More Options > Manage custom attributes.
Next, click ADD CUSTOM ATTRIBUTE.
Populate the fields:
- Category: Favro
- Name: favroRole
- Info type: Text
- Visibility: Visible to user and admin
- Number of values: Single value
and click ADD.
Navigate to Apps > Web and mobile apps > the Favro SAML app created earlier > SAML attribute mapping and add the following mapping: Favro > favroRole -> favroRole.
SAVE the changes.
To assign a role to a user, edit the user's profile directly in Google Workspace. Navigate to Directory > Users > Open the user you wish to edit > Expand the User information section > edit the favroRole value.
The user will be assigned their new role in Favro on the next login.
(Important) If the favroRole value is not defined, users will be provisioned with the Full Member role by default. You may change this behavior by specifying a desired role. For available roles, see the SAML Single Sign-On section of the Favro API reference.
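When testing the integration, a decoded SAML assertion can be checked against the settings from both sections above: the Name ID format, the ACS URL, the Entity ID and the favroRole mapping. The following is an added example, not code from Favro or Google; the function name, the sample assertion and the role value `example-role` are constructed, and it assumes the mapped attribute arrives as a SAML Attribute named favroRole.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_URL = "https://favro.com/saml/assert"          # ACS URL from the steps above
ENTITY_ID = "https://favro.com/saml/metadata.xml"  # Entity ID from the steps above

# Constructed sample assertion; role value is a placeholder, not a real Favro role.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://favro.com/saml/assert"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://favro.com/saml/metadata.xml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="favroRole">
      <saml:AttributeValue>example-role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return configuration findings; an empty list means every check passed.
    Checks settings only; it does not validate the assertion's signature."""
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not EMAIL")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        findings.append("Recipient does not match the ACS URL")
    if ENTITY_ID not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        findings.append("Audience does not match the Entity ID")
    role_path = ".//saml:Attribute[@Name='favroRole']/saml:AttributeValue"
    roles = [v.text for v in root.findall(role_path, NS) if (v.text or "").strip()]
    if not roles:
        findings.append("favroRole not set: user would get the default Full Member role")
    return findings
```

Run it only on assertions from your own test logins; a missing favroRole finding identifies accounts that would be provisioned with the default role.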