Setting up MyLogin as the identity provider for Chrome OS devices / Google Workspace

Switching over from Wonde Single Sign-On to MyLogin? Click here.
Prerequisites

To configure MyLogin as an identity provider (IdP) for Google Workspace, the following prerequisites must be met:

  • You must have Google Workspace set up and devices provisioned in an OU.
  • Access to Google Workspace as a super admin.
  • Finally, make sure that all of the following URLs have been added to any relevant allowlists:
    https://app.mylogin.com, https://app.eu-west.mylogin.com and https://accounts.google.co.uk. If you have any difficulty that you suspect to be related to more stringent web filtering or firewalls, then please additionally add all of the following:
    https://*.fontawesome.com, https://*.cloudfront.net, https://*.cloudflare.com, https://ssl.gstatic.com, https://*.typekit.net, https://*.amazonaws.com, https://*.jquery.com, https://mylogin.com, https://lh3.googleusercontent.com, https://www.loom.com, https://fonts.bunny.net, https://*.microsoftonline.com

    Before proceeding with the setup, add the app "MyLogin" as a trusted app on this page in the Google Admin Console to avoid connection issues in the first step of the setup wizard.

Complete the MyLogin setup wizard

  1. Follow the guide on the initial MyLogin set-up as outlined here: https://mylogin.zendesk.com/hc/en-gb/articles/17471337783069-Initial-set-up-of-MyLogin-for-schools-using-Wonde
  2. You will also need to make sure that users are appropriately matched by following our matching guide.
  3. Once set-up is complete and all users are matched, you may wish to distribute credentials to users before making MyLogin the IdP for the Google environment. To do this, go to Users > Overview, use the filters to narrow down the list, toggle the top-left box to select all currently filtered users, and then choose which credentials to download (press the "Download" button). This provides a PDF which you can rename to suit. Repeat this for all groups as necessary. Find more information here.
  4. Once complete, return to this guide to finish your Google implementation.

Set up your Google Workspace tenant for signing into Chromebooks using your MyLogin credentials


Step by step guide:

  1. Navigate to Security > Authentication > SSO with third-party IdP.

     
  2. Click on Add SAML profile at the top of the page.

     
  3. For the Sign-in page URL enter https://app.mylogin.com/saml/login
    Obtain your MyLogin Organisation ID from your MyLogin admin dashboard Settings page under Account, as in the screenshot below. Append your MyLogin Organisation ID to the end of the login URL, e.g. https://app.mylogin.com/saml/login/A129183376

     
  4. For the Sign-out page URL enter https://app.mylogin.com/logout

     
  5. Download our Identity Provider certificate from https://app.mylogin.com/downloads/cert.pem
     
  6. Upload the certificate under Verification certificate.

    Note:
    You can set up MyLogin as an additional SSO profile rather than as the main organisation third-party IdP SSO profile by clicking Add SAML profile under Third-party SSO profiles. You will need to include the entity ID, which is https://app.mylogin.com/saml/metadata/ with your MyLogin Organisation ID appended to the end of the URL; the Organisation ID is the one you located in step 3 above.
     
  7. You will also need to assign this SAML profile in Manage SSO profile assignments, to the organisational unit(s) for the devices on which you want to use MyLogin as the identity provider.

     
  8. (Optional) You may wish to limit the effects of MyLogin to a specific subset of users. If you have set up an "SSO profile for your organisation" (as opposed to a "Third-party SSO profile"), you may still want that organisational profile to apply only to certain Organisational Units.
    If so, use the Manage SSO profile assignments section of the "SSO with third-party IdP" page to designate which organisational units must use the SSO profile for your organisation and which must not. You can find more on this in the section at the bottom of this article.
     
  9. At the bottom of the section, click Save.
     
  10. Navigate to Devices > Chrome > Settings > Device Settings
     
  11. Select the Organisational Unit you are using for your MyLogin-enabled Chromebooks on the left-hand side.
     
  12. Under Single Sign-On IdP Redirection, set Redirect users to SAML SSO IdP to Allow users to go directly to SAML SSO IdP page.
     
  13. Under Single Sign-On Cookie Behaviour, set the configuration to Enable transfer of SAML SSO Cookies into user session during sign-in.
     
  14. Under Single Sign-On Camera Permissions, add https://app.mylogin.com. If setting up in Australia, add both https://app.ap-southeast.mylogin.com AND https://app.mylogin.com; if setting up in South Africa, add both https://app.af-south.mylogin.com AND https://app.mylogin.com.
     
  15. Under User data, select Erase all local user data. WARNING: This setting is required when using a third-party IdP such as MyLogin, but it means that all local data is erased at the end of each session. To avoid loss of data, please ensure all users save their data to a cloud storage provider.
     
  16. Navigate to Devices > Chrome > Settings > Device settings > Privacy screen on sign-in screen and set it to Always disable the privacy screen on the sign-in screen.

     

  17. Next, navigate to Devices > Chrome > Settings > Device settings > Automatic online sign in/lock screen refresh and set the Time until online sign in/lock screen refreshes to "10". This will avoid SAML session timeouts, as these sessions typically last only 15 minutes.
     
  18. At the bottom of the page, click Save.
     
  19. Navigate to Devices > Chrome > Settings > User & browsers.
     
  20. Select the organisational unit(s) for the users that you want to affect with the third-party IdP on the left of the page.
     
  21. Under Security > Single sign-on, set SAML-based Single Sign-On for Chrome OS Devices to Enable SAML-based single sign-on for Chrome devices.
     
  22. Search for Cookies; under Content, set Default Cookie Setting to Allow the user to decide OR Allow cookies.
     
  23. Under Idle Settings, set AC idle action to Logout, Battery idle action to Logout, Action on lid close to Logout (or Sleep in 1:1 student:device scenarios), and Lock screen on sleep or lid close to Don't lock screen.
     
  24. Lastly, to enable the Google Workspace tiles on the MyLogin dashboard, enter the Entity ID and ACS URL contained in the SAML SSO profile that you created in the Google Admin Console. These are shown on all standard SSO profiles once the profile has been saved; open the profile again from the main "SSO with third-party IdP" page to view them. Note: make sure you copy the correct item into each box. This step is validated and will produce errors if you paste the wrong link into a box.

    If you have a "Legacy SSO profile" set up for MyLogin, you can utilise the format below to form the Entity ID and ACS URL.



     
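The values assembled in the steps above (login URL, entity ID and certificate location built from the organisation ID, the region-specific camera-permission origins, and the allowlist from the prerequisites) are easy to get subtly wrong by hand. The following helper is an added example, not MyLogin's own tooling; it assumes the organisation ID is alphanumeric (based only on the page's example ID) and that your web filter's allowlist can be exported as a list of origin strings, wildcards included.

```python
"""Added helper: build the MyLogin SAML profile values and check allowlist coverage.
Assumptions (not from the article): org IDs are alphanumeric, as in the example
A129183376, and the filter allowlist is a list of origins such as https://*.mylogin.com."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

BASE = "https://app.mylogin.com"
# Regional dashboard hosts named in the camera-permission step.
REGIONAL_HOSTS = {
    "au": "https://app.ap-southeast.mylogin.com",
    "za": "https://app.af-south.mylogin.com",
}
# Origins the prerequisites say must be allowlisted before setup.
REQUIRED_ORIGINS = [
    "https://app.mylogin.com",
    "https://app.eu-west.mylogin.com",
    "https://accounts.google.co.uk",
]

def saml_profile_values(org_id):
    """Return the four values to enter in the Google Admin SAML profile."""
    org_id = org_id.strip()
    if not org_id or not org_id.isalnum():  # constructed check, based on the page's example ID
        raise ValueError("organisation ID must be alphanumeric, e.g. A129183376")
    return {
        "sign_in_url": f"{BASE}/saml/login/{org_id}",
        "sign_out_url": f"{BASE}/logout",
        "entity_id": f"{BASE}/saml/metadata/{org_id}",
        "certificate_url": f"{BASE}/downloads/cert.pem",
    }

def camera_permission_origins(region=""):
    """Origins for Single Sign-On Camera Permissions; regional deployments
    need the regional host in addition to app.mylogin.com."""
    origins = [BASE]
    if region:
        origins.insert(0, REGIONAL_HOSTS[region.lower()])
    return origins

def _origin_allowed(origin, pattern):
    """True if an allowlist entry covers the origin; '*.' entries cover subdomains."""
    o, p = urlsplit(origin), urlsplit(pattern)
    if o.scheme != p.scheme or not o.hostname or not p.hostname:
        return False
    return fnmatchcase(o.hostname, p.hostname)

def missing_allowlist_entries(allowlist, required=REQUIRED_ORIGINS):
    """Required origins that no allowlist entry covers (wildcards honoured)."""
    return [r for r in required if not any(_origin_allowed(r, a) for a in allowlist)]
```

Run `missing_allowlist_entries` against your filter's exported allowlist before starting the setup wizard; an empty list means the three mandatory origins are covered.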

Additional settings

The following steps provide the best user experience; they are not mandatory for MyLogin to function.

  1. Navigate to Chrome > Devices > User and browsers settings
  2. Additionally, to avoid presenting users with a native Chromebook sign-in, set Sign-in screen (in Device settings) to Always show usernames and photos.
  3. Select the Organisational Unit containing the users who will be logging in with Chromebooks.
     
  4. If your school is using the MyLogin Dashboard, then under Pages to Load on Startup enter https://app.mylogin.com. You can also enter your school-specific login page, which can be obtained from the right-hand side of the MyLogin admin portal page: Settings >> Account.
    If you are not using the MyLogin Dashboard, please do not alter this setting.
     
  5. At the bottom of the page, click Save.
  6. You may also find that you reach a "Control your data" screen when authenticating a Chromebook with MyLogin. This screen is prompted by Android apps that install on device startup and authentication and attempt to use location data.
    To prevent this, navigate again to Chrome > Devices > User and browser settings and select the Organisational Unit containing the users who will be logging in with Chromebooks.
     
  7. In the Geolocation setting, select Do not allow sites to detect users' geolocation.
  8. At the bottom of the page, click Save.
  9. Next, navigate to Chrome > Devices > Device settings.
  10. In the Time zone setting, select your local time zone under System time zone, and under System time zone automatic detection select Always send Wi-Fi access points to the server while resolving the time zone.
     
  11. At the bottom of the page, click Save. This concludes the resolution for the "Control your data" screen that interrupts the user's login flow.

Setting up MyLogin as an identity provider for select organisational units

By following the steps below, users in the organisational units you choose will be required to log into Google Workspace with MyLogin credentials on ANY device.

  1. In the Google Admin Console, navigate to Security > Authentication > SSO with third party IdP and scroll to the bottom of the page. Under Manage SSO profile assignments for organisational units or groups, click Get Started (or "Manage" if you have used this area before).

     
  2. Select an Organisational Unit on the left-hand side of the page, as marked in red below, and then select Organisation's third-party SSO profile on the right-hand side of the page. Alternatively, if you want the users in the selected Organisational Unit to use Google credentials to access Google Workspace, select None.


     

(If you select Organisation's third-party SSO profile and want to use MyLogin as the IdP for Google Workspace, ensure you have followed the steps earlier in this guide to select SAML SSO login as the form of authentication for the selected Organisational Unit.)
