# Google SSO Setup

This guide covers setting up Single Sign-On (SSO) with Google Workspace as your identity provider for Welkin Health. Once configured, your care team members can log in to Welkin using their Google Workspace accounts.

## Prerequisites

* Google Workspace account with Admin console access
* Welkin Admin portal access
* Welkin user accounts already created for each team member (with emails matching their Google Workspace email)

## Step 1: Get Welkin SP metadata

1. Log in to the Welkin Admin portal
2. Navigate to **Settings → Single Sign-On (SSO)**
3. Note the following values:
   * **Entity ID (Audience URI)**
   * **ACS URL (Assertion Consumer Service URL)**

## Step 2: Create a SAML app in Google Workspace

1. Log in to the [Google Admin console](https://admin.google.com)
2. Navigate to **Apps → Web and mobile apps**
3. Click **Add app → Add custom SAML app**
4. Enter the app name: **Welkin Health**
5. Click **Continue**
6. On the **Google Identity Provider details** page, download the IdP metadata or copy:
   * **SSO URL**
   * **Entity ID**
   * **Certificate** (download the certificate)
7. Click **Continue**

## Step 3: Configure service provider details

On the **Service provider details** page:

| Field           | Value                                  |
| --------------- | -------------------------------------- |
| ACS URL         | Paste the Welkin ACS URL from step 1   |
| Entity ID       | Paste the Welkin Entity ID from step 1 |
| Start URL       | `https://app.welkinhealth.com`         |
| Signed response | Check this box                         |
| Name ID format  | EMAIL                                  |
| Name ID         | Basic Information → Primary email      |

Click **Continue**.

## Step 4: Configure attribute mapping

On the **Attribute mapping** page, add the following mappings:

| Google Directory attribute | App attribute |
| -------------------------- | ------------- |
| Primary email              | `email`       |
| First name                 | `firstName`   |
| Last name                  | `lastName`    |

Click **Finish**.

## Step 5: Assign users to the app

By default, the SAML app is disabled for all users. To enable:

1. In the Google Admin console, find the Welkin Health app under **Web and mobile apps**
2. Click **User access**
3. Select the organizational unit or groups that should have access (typically all staff)
4. Set the status to **ON**
5. Click **Save**

## Step 6: Configure SSO in Welkin Admin

1. Return to **Settings → Single Sign-On** in the Welkin Admin portal
2. Enter:
   * **IdP Entity ID** – from Google's Identity Provider details
   * **SSO URL** – from Google's Identity Provider details
   * **IdP Certificate** – paste the certificate downloaded from Google
3. Click **Save**

## Step 7: Test and go live

1. Click **Test SSO** in Welkin Admin
2. You will be redirected to Google's login page
3. Sign in with a Google Workspace account assigned to the app
4. Confirm you are returned to Welkin and logged in
5. Once confirmed, optionally enable **Force SSO** to require all users to log in via Google

## Tips

* Users must log in with the same email address in both Google Workspace and Welkin. If a user's email changes, update it in both systems.
* If a user is removed from Google Workspace, their access to Welkin via Google SSO is immediately blocked. However, if they have a Welkin password, they can still log in unless **Force SSO** is enabled.
* For provisioning new users automatically, see [User Provisioning: API](https://github.com/welkincloud-io/welkin-docs/blob/master/kb/admin/user-provisioning-api.md).


