Single Sign-On Using Google Workspace

Follow our guide to set up single sign-on (SSO) into Fivetran using the Google Workspace custom SAML application.

Prerequisites

To use Google Workspace SSO with Fivetran, you need Google Workspace and Fivetran accounts.

In Google Workplace

Add the custom SAML application for Fivetran

1. Log in to your Google Admin account and go to Apps/Web and mobile apps.

   

2. In the panel, select Add App.

   

3. Click Add custom SAML app.

   

4. Enter Fivetran as the application name.

5. Click Continue to switch to the Google Identity Provider details page.

   

Get Sign on URL, Issuer and Public certificate

1. Make a note of the SSO URL. This is the Sign on URL in Fivetran.

2. Make a note of the Entity ID. This is the Issuer in Fivetran.

3. Download the Certificate. Open the downloaded certificate file in any text editor. The certificate is a string inside the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements. Make a note of it. You will enter it in the Public certificate field in Fivetran.

   

4. Click Continue to switch to the Service provider details page.

Configure the custom SAML application for Fivetran

1. Enter https://fivetran.com/login/saml/return as the ACS URL.

2. Fill the Entity ID field with a memorable value (for example, "Fivetran"). You'll enter this same value in the Application identifier (Entity ID) field in Fivetran.

3. Leave the Start URL empty and the Signed response checkbox clear.

   

4. Set the Name ID format to UNSPECIFIED.

5. Set the Name ID to Basic Information > Primary email.

   

6. Click Continue to switch to the Attribute mapping page.

7. Click ADD MAPPING twice.

   

8. Select the Basic Information/First name in the Google Directory attributes for the first row.

9. Enter FirstName in the App attributes for the first row.

10. Select the Basic Information/Last name in the Google Directory attributes for the second row.

11. Enter LastName in the App attributes for the second row.

    

12. Click FINISH.

Enabling user access to the custom SAML application for Fivetran

1. By default, the custom SAML application created for Fivetran isn't accessible to users. Click OFF for everyone.

   

   NOTE: This example assumes you are enabling the application for everyone. Read Google's article "Apply policies to different users" to learn about applying policies to different users.

2. Click ON for everyone.

3. Click SAVE. Changes may take up to 24 hours to propagate to all users.

   

In Fivetran

NOTE: By default, Fivetran allows Just-In-Time (JIT) user provisioning. If you don't have a Fivetran user for the specified OneLogin user, the Fivetran user will be created automatically with the read-only access. To grant the newly created user the relevant role with the corresponding permissions, log in as a Fivetran user with the Users: Manage permission and manage the user's roles and permissions on the Users tab of the Users & Permissions page.

1. In Fivetran, click Account Settings > General.

2. On the Account Settings tab, under Authentication Settings, switch the Enable SAML authentication toggle to ON.

3. Under SAML Config, in the Sign on URL, Issuer, Public certificate, and Application identifier (Entity ID) fields, enter the values you found in Step 2 and Step 3.

   

4. Click Save Config. You'll see the message Account settings successfully saved.

Testing SSO (Optional)

To test SSO, follow these steps:

1. Log in to the Google account you have granted access to.

2. Select the Fivetran button from the App selector. You will be redirected to your Fivetran dashboard.

   

Restrict login to SSO

Follow the steps below to restrict logins to SSO only:

1. Log in to the Fivetran dashboard.
2. In the bottom left menu, click Account Settings > General.
3. Go to the Account Settings tab.
4. In the Authentication Settings section, set the Required authentication type to SAML or Google OAuth.

NOTE: When the Required authentication type is set to None, users can log in either with SSO or with their email and password.