Prerequisites
To configure MyLogin as an identity provider (IdP) for Google Workspace, the following prerequisites must be met:
- You must have Google Workspace set up and devices provisioned in an OU.
- You must have access to Google Workspace as a super admin.
- Finally, make sure that all of the following URLs have been added to any relevant allowlists:
  https://app.mylogin.com, https://app.eu-west.mylogin.com and https://accounts.google.co.uk
  If you have any difficulty that you suspect is related to more stringent web filtering or firewalls, please additionally add all of the following:
  https://*.fontawesome.com, https://*.cloudfront.net, https://*.cloudflare.com, https://ssl.gstatic.com, https://*.typekit.net, https://*.amazonaws.com, https://*.jquery.com, https://mylogin.com, https://lh3.googleusercontent.com, https://www.loom.com, https://fonts.bunny.net, https://*.microsoftonline.com
Before proceeding with the setup, add the app "MyLogin" as a trusted app on this page in the Google Admin Console to avoid connection issues in the first step of the setup wizard.
Complete the MyLogin setup wizard
Step by Step guide:
- Navigate to school.wonde.com and log into your school's Wonde School Portal.
- Mouse over the MyLogin tile and click Launch (click on the tile and approve the permissions for MyLogin to access the required data via Wonde first, if you haven't yet done so).
- Create a password for your MyLogin admin account.
- Confirm you want to use Wonde as the source of truth for user creation.
- Your new MyLogin users will begin to import from your MIS via Wonde.
- When your users finish importing, click Lets go! to move to the final stage of the setup wizard.
- Select Connect with Google to connect MyLogin to your Google account. If you'd like to connect both Google and Microsoft, you will be able to add Microsoft in Settings once the setup wizard is complete.
Note: Please make sure app.mylogin.com is allowed on your network.
- You can select your user domain and the Organisational Units from which you'd like to make users available for matching.
- Next, to enable the Google Workspace tiles on the MyLogin dashboard, enter the Entity ID and ACS URL contained in the SAML SSO profile that you've created in the Google Admin Console. These are available on all standard SSO profiles once you've saved the profile, by going back into the profile from the main "SSO with third party IdP" page.
  Note: Make sure you copy the correct item into each box. This step is validated and will produce errors if you copy the wrong link into a box.
  If you have a "Legacy SSO profile" set up for MyLogin, you can utilise the format below to form the Entity ID and ACS URL.
- Save settings, and then go to Manage connection and Sync users from Google.
- After you have linked the Google Workspace from step 10, you will need to go to Users > User matching inside MyLogin and match the Google users to the Wonde data. You can filter the list along the top. We suggest filtering via "suggestion confidence" and then "strong". Look through the list to ensure all users match, then toggle the top left box to select all filtered users and select "accept suggestions for Microsoft". Do the same for Medium and Weak, but please look through carefully to make sure MyLogin is matching them correctly.
- Once all users are matched, you may wish to consider distributing the credentials to users before proceeding to make MyLogin the IdP for the Google environment. To do this, head to Users > Overview and use the filters to narrow down the list. Toggle the top left box to select all the currently filtered users, then choose which credentials to download (press the "download" button). This will provide you with a PDF which you can rename to suit. Repeat this for all groups as necessary.
Set up your Google Workspace tenant for signing into Chromebooks using your MyLogin credentials
Step by Step guide:
- Navigate to Security > Authentication > SSO with third-party IdP.
- Click on Third-party SSO profile for your organisation at the top of the page.
- For the Sign-in page URL enter https://app.mylogin.com/saml/login (in Australia use app-ap-southeast.mylogin.com/saml/login).
  Obtain your MyLogin Organisation ID from your MyLogin admin dashboard Settings page under Account, as in the screenshot below. Add your MyLogin Organisation ID to the end of the login URL, e.g. https://app.mylogin.com/saml/login/A129183376
- For the Sign-out page URL enter https://app.mylogin.com/logout
- Download our Identity Provider certificate from https://app.mylogin.com/downloads/cert.pem
- Upload the certificate under Verification certificate.
  Note: You can set up MyLogin as an additional SSO profile rather than the main organisation third-party IdP SSO profile by clicking Add SAML profile under Third-party SSO profiles. You will need to include the entity ID, which will be https://app.mylogin.com/saml/metadata/ with the MyLogin Organisation ID added to the end of the URL; you can find the ID by following step 5 above.
  You will also need to assign this SAML profile, in Manage SSO profile assignments, to the organisational unit(s) for the devices on which you want to use MyLogin as the identity provider.
- (Optional) You may wish to limit the effects of MyLogin to a specific subset of users. If you have set up an "SSO profile for your organisation" (as opposed to a "Third-party SSO profile"), you may still want that organisational profile to be in effect only for certain Organisational Units.
  If this is the case, use the Manage SSO profile assignments section of the "SSO with third-party IdP" page to designate which organisational units' users are required to use the SSO profile for your organisation and which are required not to. You can find more on this in the section at the bottom of this article.
- At the bottom of the section, click Save.
- Navigate to Devices > Chrome > Settings > Device Settings
- Select the Organisational Unit you are using for your MyLogin-enabled Chromebooks on the left-hand side.
- Under Single Sign-On IdP Redirection, set Redirect users to SAML SSO IdP to Allow users to go directly to SAML SSO IdP page.
- Under Single Sign-On Cookie Behaviour, set the configuration to Enable transfer of SAML SSO Cookies into user session during sign-in.
- Under Single Sign-On Camera Permissions, add https://app.mylogin.com AND https://app.eu-west.mylogin.com (if setting up in Australia, use https://app.ap-southeast.mylogin.com AND https://app.mylogin.com) (coming soon)
- Under User data, select Erase all local user data.
- Navigate to Devices > Chrome > Settings > Device settings and set Privacy sign-in screen to Always disable the privacy screen on the sign-in screen.
- At the bottom of the page, click Save.
- Navigate to Devices > Chrome > Settings > User & browsers.
- Select the organisational unit(s) for the users that you want to affect with the third-party IdP on the left of the page.
- Under Security > Single sign-on, set SAML-based Single Sign-On for Chrome OS Devices to Enable SAML-based single sign-on for Chrome devices.
- Search for Cookies; under Content, set Default Cookie Setting to Allow the user to decide OR Allow cookies.
- At the bottom of the page, click Save.
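A pre-flight check for the SSO profile values from the steps above, as an added example (not MyLogin's or Google's code): `check_profile` catches a missing Organisation ID, a non-HTTPS URL or a look-alike host before you click Save, and `cert_fingerprint` gives a SHA-256 fingerprint of the downloaded cert.pem that you can record and compare on any later re-download. The function names, the host set and the sample PEM are assumptions made for this example.

```python
import base64
import hashlib
import ssl
from urllib.parse import urlsplit

# Sign-in hosts named in this guide (the second is the Australian one).
MYLOGIN_HOSTS = {"app.mylogin.com", "app-ap-southeast.mylogin.com"}


def check_profile(sign_in_url, sign_out_url, org_id):
    """Return a list of problems in the URLs typed into the Google SSO profile."""
    problems = []
    sign_in, sign_out = urlsplit(sign_in_url.strip()), urlsplit(sign_out_url.strip())
    for label, parts in (("sign-in", sign_in), ("sign-out", sign_out)):
        if parts.scheme != "https":
            problems.append(f"{label} URL must use https")
        if parts.hostname not in MYLOGIN_HOSTS:
            problems.append(f"{label} URL host {parts.hostname!r} is not a MyLogin host")
    if sign_in.path.rstrip("/") != f"/saml/login/{org_id}":
        problems.append("sign-in URL must end with /saml/login/<Organisation ID>")
    if sign_out.path.rstrip("/") != "/logout":
        problems.append("sign-out URL path must be /logout")
    return problems


def cert_fingerprint(pem_text):
    """SHA-256 fingerprint of a PEM certificate as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())  # ValueError if not PEM
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in for cert.pem: PEM framing around placeholder bytes,
# not a real certificate. Use the contents of the downloaded file instead.
SAMPLE_BYTES = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_BYTES).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    org = "A129183376"  # example Organisation ID used in this guide
    print(check_profile(f"https://app.mylogin.com/saml/login/{org}",
                        "https://app.mylogin.com/logout", org))   # no problems
    print(check_profile("http://app.mylogin.com/saml/login",      # two mistakes
                        "https://app.mylogin.com/logout", org))
    print(cert_fingerprint(SAMPLE_PEM))
```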
Additional settings
The following steps can provide the best user experience; they are not mandatory for MyLogin's functionality.
- Navigate to Chrome > Devices > Users and browsers.
- Select the Organisational Unit containing the users who will be logging in with Chromebooks.
- Under Security, set Lock Screen to Do not allow locking screen.
- Under Idle Settings, set Action on idle to Logout, Action on lid close to Logout, and Lock screen on sleep to Lock screen.
- If your school is using the MyLogin Dashboard, under Pages to Load on Startup, enter https://app.mylogin.com. You can also enter your school-specific login page, which can be obtained from the right-hand side of the MyLogin admin portal page: Settings >> Account
  If not using the MyLogin Dashboard, please do not alter this setting.
- At the bottom of the section, click Save.
Setting up MyLogin as an identity provider for select organisational units
By following the steps below, users in the organisational units you choose to be affected by MyLogin as your Google identity provider will be required to log into Google Workspace with MyLogin credentials on ANY device.
- In the Google Admin Console, navigate to Security > Authentication > SSO with third party IdP and scroll to the bottom of the page. Under Manage SSO profile assignments for organisational units or groups, click Get Started (or "Manage" if you have used this area before).
- Select an Organisational Unit on the left-hand side of the page as marked in red below, and then select Organisation's third-party SSO profile on the right-hand side of the page. Alternatively, if you want the users in the Organisational Unit you have selected to use Google credentials to access Google Workspace, select None.
  (If you select Organisation's third-party SSO profile and you want to use MyLogin as the IdP for Google Workspace, then you need to ensure you've followed the steps earlier in this guide to select SAML SSO login as the form of authentication for the selected Organisational Unit).