Setting up MyLogin as the identity provider for Chrome OS devices / Google Workspace


Prerequisites

To configure MyLogin as an identity provider (IdP) for Google Workspace, the following prerequisites must be met:

  • You must have Google Workspace set up and devices provisioned in an OU.
  • You must have access to Google Workspace as a super admin.


Complete the MyLogin Device setup wizard


Step by Step guide:

  1. Navigate to school.wonde.com and log into your school's Wonde School Portal.

  2. Mouse over the MyLogin Device tile and click Launch (click on the tile and approve the permissions for MyLogin to access the required data via Wonde first, if you haven't yet done so).
  3. Create a password for your MyLogin admin account.



  4. Confirm you want to use Wonde as the source of truth for user creation.



  5. Your new MyLogin users will begin to import from your MIS via Wonde.



  6. When your users finish importing, click Lets go! to move to the final stage of the setup wizard.



  7. Select Connect with Google to connect MyLogin to your Google account. If you'd like to connect both Google and Microsoft, you will be able to add Microsoft in Settings once the setup wizard is complete.
    Note: Please make sure app.mylogin.com is allowed on your network.



  8. You can select your user domain and the Organisational Units from which you'd like to make users available for matching.



  9. Save settings, and then go to Manage connection and Sync users from Google.


  10. After you have linked the Google Workspace from step 10, go to Users > User matching inside MyLogin and match the Google users to the Wonde data. You can filter the list along the top. We suggest filtering by "suggestion confidence" and then "strong". Look through the list to ensure all users match, then toggle the top-left box to select all filtered users and select "accept suggestions for Microsoft". Do the same for Medium and Weak, but look through each list carefully to make sure MyLogin is matching the users correctly.


  11. Once all users are matched, you may wish to distribute the credentials to users before making MyLogin the IdP for the Google environment. To do this, go to Users > Overview and use the filters to narrow down the list. Toggle the top-left box to select all the currently filtered users, then choose which credentials to download (press the "download" button). This provides a PDF, which you can rename to suit. Repeat this for all groups as necessary.

 

Set up your Google Workspace tenant for signing into Chromebooks using your MyLogin credentials


Step by Step guide:

  1. Navigate to Security > Authentication > SSO with third-party IdP.

  2. Click on Third-party SSO profile for your organisation at the top of the page.

  3. For the Sign-in page URL enter https://app.mylogin.com/saml/login (in Australia use app-ap-southeast.mylogin.com/saml/login). 

  4. For the Sign-out page URL enter https://app.mylogin.com/logout 

  5. Obtain your MyLogin Organisation ID from your MyLogin admin dashboard Settings page under Account. Add your MyLogin Organisation ID to the end of the login URL, e.g. https://app.mylogin.com/saml/login/A129183376



  6. Download our Identity Provider certificate from https://app.mylogin.com/downloads/cert.pem

  7. Upload the certificate under Verification certificate.

  8. Enable Use a domain-specific issuer.

    Note:
    You can set up MyLogin as an additional SSO profile, rather than as the main organisation third-party IdP SSO profile, by clicking Add SAML profile under Third-party SSO profiles. You will need to include the entity ID, which is https://app.mylogin.com/saml/metadata/ with your MyLogin Organisation ID appended to the end of the URL. You can find the Organisation ID by following step 5 above.

    You will also need to assign this SSO profile, in Manage SSO profile assignments (which is on the same page), to the organisational unit(s) containing the devices for which you want to use MyLogin as the identity provider.

  9. At the bottom of the section, click Save.

  10. Navigate to Devices > Chrome > Settings > Device Settings

  11. Select the Organisational Unit you are using for your MyLogin-enabled Chromebooks on the left-hand side.

  12. Under Single Sign-On IdP Redirection, set Redirect users to SAML SSO IdP to Allow users to go directly to SAML SSO IdP page.

  13. Under Single Sign-On Camera Permissions, add https://app.mylogin.com (in Australia use app-ap-southeast.mylogin.com) (coming soon) 

  14. Under User data, select Erase all local user data.

  15. At the top of the page, click Save.

  16. Navigate to Devices > Chrome > Settings > User & browsers.

  17. Select the organisational unit(s) that you want to affect with the third-party IdP on the left of the page.

  18. Under Security > Single sign-on, set SAML-based Single Sign-On for Chrome OS Devices to Enable SAML-based single sign-on for Chrome devices.

  19. Search for Cookies; under Content, set Default Cookie Setting to Allow the user to decide or Allow cookies.

  20. At the top of the page, click Save.
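
A pre-flight check for the values entered in steps 3 to 7 and in the note under step 8, added here as an example and not part of MyLogin's or Google's tooling. The function names, the sample values and the treatment of both hosts as valid over https in every field are assumptions; the fingerprint lets you record which certificate you uploaded and notice if a later download of cert.pem differs.

```python
import hashlib
import ssl
from urllib.parse import urlsplit

# Hosts named in this guide. Assumption: either may appear in any field, always over https.
MYLOGIN_HOSTS = {"app.mylogin.com", "app-ap-southeast.mylogin.com"}


def check_profile(entered, org_id):
    """Return a list of problems with the values typed into the SSO profile."""
    expected_paths = {
        "sign_in_url": f"/saml/login/{org_id}",
        "sign_out_url": "/logout",
        "entity_id": f"/saml/metadata/{org_id}",  # additional SAML profile only
    }
    problems = []
    for field, path in expected_paths.items():
        value = entered.get(field)
        if value is None:
            continue  # field not used in this profile
        url = urlsplit(value.strip())
        if url.scheme != "https":
            problems.append(f"{field}: scheme must be https")
        # netloc also carries userinfo and port, so both are rejected here
        if url.netloc.lower() not in MYLOGIN_HOSTS:
            problems.append(f"{field}: host is not one named in the guide")
        if url.path != path or url.query or url.fragment:
            problems.append(f"{field}: expected path {path}")
    return problems


def cert_fingerprint(pem_text):
    """SHA-256 over the certificate's DER bytes, so PEM re-wrapping does not matter."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample values; the bytes below stand in for cert.pem and are not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for cert.pem")
GOOD = {"sign_in_url": "https://app.mylogin.com/saml/login/A129183376",
        "sign_out_url": "https://app.mylogin.com/logout"}
BAD = {"sign_in_url": "http://app.mylogin.com/saml/login",  # no https, no Organisation ID
       "sign_out_url": "https://app.mylogin.com.example/logout"}  # look-alike host

if __name__ == "__main__":
    print(check_profile(GOOD, "A129183376"))
    print(check_profile(BAD, "A129183376"))
    print(cert_fingerprint(SAMPLE_PEM))
```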


Additional settings

The following steps can provide the best user experience, but they are not mandatory for MyLogin Device's functionality.

  1. Navigate to Chrome > Devices > Users and browsers.

  2. Select the Organisational Unit containing the users who will be logging in with Chromebooks.

  3. Under Security, set Lock Screen to Do not allow locking screen.

  4. Under Idle Settings, set Action on idle to Logout, Action on lid close to Logout, and Lock screen on sleep to Lock screen.

  5. If you are using MyLogin SSO, enter https://app.mylogin.com under Pages to Load on Startup. If you are not using the MyLogin SSO system, do not add this.

  6. At the bottom of the section, click Save.

 

Setting up MyLogin as an identity provider for select organisational units


By following the steps below, users in the organisational units you choose to be affected by MyLogin as your Google identity provider will be required to log into Google Workspace with MyLogin credentials on ANY device.

  1. In the Google Admin Console, navigate to Security > Authentication > SSO with third party IdP and scroll to the bottom of the page. Under Manage SSO profile assignments for organisational units or groups, click Get Started (or "Manage" if you have used this area before).

  2. Select an Organisational Unit on the left-hand side of the page, and then select Organisation's third-party SSO profile on the right-hand side of the page. Alternatively, if you want the users in the Organisational Unit you have selected to use Google credentials to access Google Workspace, select None.

(If you select Organisation's third-party SSO profile and you want to use MyLogin as the IdP for Google Workspace, then you need to ensure you've followed the steps earlier in this guide to select SAML SSO login as the form of authentication for the selected Organisational Unit).
