Auxot supports SAML 2.0 single sign-on with Google Workspace (and other IdPs). Users sign in through Google; Auxot creates or updates their account on each login and maps Google groups to Auxot teams and org admin access.

This guide walks through Google Workspace as an example. The same Auxot steps apply to Okta, Microsoft Entra ID, and other SAML IdPs — only the Google Admin Console screens differ.


Before You Start

You need:

  • A Business tier or higher Auxot license (SSO is included on Business and above)
  • Org admin access in Auxot (to configure SAML under Settings → SAML SSO)
  • Google Workspace super admin access (or an admin who can add custom SAML apps)
  • An HTTPS URL that reaches your Auxot server (see Local testing with HTTPS below)

Auxot does not require AUXOT_BASE_URL for SAML. SP metadata URLs are derived from the hostname you use in the browser (the same way invite links work).


How the flow works

  1. You give Google your SP metadata URL from Auxot (Entity ID + ACS URL).
  2. Google gives you IdP metadata XML to paste into Auxot.
  3. You map Google groups to Auxot teams in Auxot settings.
  4. Users sign in at {your-auxot-url}/api/saml/login (or from the Google app launcher if configured).

Once IdP metadata is saved, password login is disabled for regular users. Org admins keep password access as a break-glass path for SAML configuration and recovery.


Part 1: Get SP details from Auxot

  1. Sign in to Auxot as an org admin.
  2. Open Settings → SAML SSO.
  3. Open the SP metadata URL in a new tab (e.g. https://auxot.example.com/api/saml/metadata).
  4. From the XML, note:
    • Entity ID — the entityID="..." on the root element (usually the metadata URL itself)
    • ACS URL — the Location="..." on the AssertionConsumerService with HTTP-POST binding (ends in /api/saml/acs)

Keep this tab open — you will paste these values into Google.
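The values you need from step 4 can also be pulled out of the metadata XML programmatically, and checked before you type them into Google (the checks mirror the https-only, hostname and exact-match rows in Troubleshooting). This is an added example, not Auxot's own code; the SP metadata below is a constructed sample, and auxot.example.com is a placeholder hostname.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what /api/saml/metadata might return; not real Auxot output.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://auxot.example.com/api/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://auxot.example.com/api/saml/acs-artifact" index="1"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://auxot.example.com/api/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_details(metadata_xml: str) -> dict:
    """Return the Entity ID (root entityID) and the ACS Location that uses the HTTP-POST binding."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.attrib.get("entityID")
    if not entity_id:
        raise ValueError("root element has no entityID attribute")
    # Only the HTTP-POST endpoint is the one Google will POST the response to.
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        if acs.attrib.get("Binding") == HTTP_POST and acs.attrib.get("Location"):
            return {"entity_id": entity_id, "acs_url": acs.attrib["Location"]}
    raise ValueError("no AssertionConsumerService with HTTP-POST binding")


def check_against_google(details: dict, google_acs: str, google_entity: str, public_host: str) -> list:
    """Pre-flight checks: https only, same hostname you will configure in Google, exact string match."""
    problems = []
    for label, url in (("ACS URL", details["acs_url"]), ("Entity ID", details["entity_id"])):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{label} must start with https:// (got {url})")
        if parsed.hostname != public_host:
            problems.append(f"{label} host {parsed.hostname!r} != {public_host!r}; reload metadata via the public hostname")
    if google_acs != details["acs_url"]:
        problems.append("ACS URL entered in Google does not exactly match SP metadata")
    if google_entity != details["entity_id"]:
        problems.append("Entity ID entered in Google does not exactly match SP metadata")
    return problems
```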


Part 2: Create the SAML app in Google

1. Open Google Admin Console

Go to admin.google.com → Apps → Web and mobile apps → Add app → Add custom SAML app.

2. Name the app

App name: Auxot → Continue.

3. Download IdP metadata

On Google Identity Provider details, click Download metadata and save the XML file. You will paste this into Auxot later.

Click Continue.

4. Service provider details

Google requires HTTPS for the ACS URL.

Enter the following fields:

  • ACS URL: https://your-auxot-host/api/saml/acs
  • Entity ID: https://your-auxot-host/api/saml/metadata
  • Start URL: optional. Leave blank, or use the same ACS URL if you want the Google app launcher tile
  • Signed response: leave unchecked (Google still signs the assertion)
  • Name ID format: EMAIL
  • Name ID: Basic Information → Primary email

Replace your-auxot-host with your real public hostname (not localhost unless you are using an HTTPS tunnel — see below).

Click Continue.

5. Attribute mapping

Click ADD MAPPING for each row below. The App attributes column is the exact string Auxot will read from the SAML assertion.

Google Directory attribute → App attributes (exact value):

  • Primary email → email
  • First name → first (optional; used for the display name on first login)
  • Last name → last (optional)

Auxot recognises common aliases automatically so you don’t need long WS-Federation URIs. The following all work: email / emailAddress / mail; first / firstName / first_name / givenName; last / lastName / last_name / surname.

If you want Google groups to drive Auxot team access and org admin:

  1. Under Group membership, search for and add each Google group that should grant access (e.g. engineering@yourcompany.com).
  2. Set App attribute to: groups

Google sends group email addresses (not display names). Use those same email strings when mapping groups in Auxot.

Click Finish.

6. Turn the app on for users

Back on Web and mobile apps, open Auxot → User access → ON for everyone (or limit to an organizational unit) → Save.


Part 3: Finish configuration in Auxot

  1. Open Settings → SAML SSO.
  2. Paste the full IdP metadata XML from Google into IdP metadata XML.
  3. Under Group → team access, add one row per Google group:
    • IdP group — the Google group email (e.g. engineering@yourcompany.com)
    • Team — the Auxot team to grant
    • Access — Team member or Team admin
  4. Under Org admin groups, add Google group emails that should receive org admin in Auxot (optional).
  5. Click Save SAML settings.

On each SAML login, Auxot syncs team membership and org admin from the groups in the assertion. Groups removed at Google are removed on the user’s next login.
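The attribute aliases from Part 2 step 5 and the per-login group sync described above combine into a small provisioning step. The following is an added illustration, not Auxot's implementation: the alias table is assumed to match what the guide lists, the mapping rows mirror the Group → team access form, and the assertion attributes and group emails are constructed samples.

```python
# Aliases the guide lists for the name attributes; assumed to match Auxot's real table.
ATTRIBUTE_ALIASES = {
    "email": ("email", "emailaddress", "mail"),
    "first": ("first", "firstname", "first_name", "givenname"),
    "last": ("last", "lastname", "last_name", "surname"),
}
ACCESS_RANK = {"Team member": 1, "Team admin": 2}

def normalise_attributes(assertion_attrs: dict) -> dict:
    """Map assertion attribute names (case-insensitive aliases) to email/first/last/groups."""
    lowered = {k.lower(): v for k, v in assertion_attrs.items()}
    out = {}
    for canonical, aliases in ATTRIBUTE_ALIASES.items():
        for alias in aliases:
            if lowered.get(alias):
                out[canonical] = lowered[alias][0]
                break
    # Google sends group emails; lower-case them so mapping rows compare case-insensitively.
    out["groups"] = {g.lower() for g in lowered.get("groups", [])}
    return out

def resolve_access(groups: set, team_mappings: list, org_admin_groups: set) -> dict:
    """Desired state from one assertion; rows are (idp_group_email, team, access)."""
    teams = {}
    for idp_group, team, access in team_mappings:
        if idp_group.lower() in groups and ACCESS_RANK[access] > ACCESS_RANK.get(teams.get(team), 0):
            teams[team] = access  # Team admin wins when two groups grant the same team
    org_admin = bool(groups & {g.lower() for g in org_admin_groups})
    return {"teams": teams, "org_admin": org_admin}

def sync_user(assertion_attrs: dict, current_teams: dict, team_mappings: list, org_admin_groups: set) -> dict:
    """One SAML login: provision from attributes, then replace team access with what the groups grant."""
    attrs = normalise_attributes(assertion_attrs)
    if "email" not in attrs:
        raise ValueError("SSO provisioning failed: no email attribute in assertion")
    desired = resolve_access(attrs["groups"], team_mappings, org_admin_groups)
    if not desired["teams"]:
        raise ValueError("SSO configuration error: your account has no team access")
    return {"email": attrs["email"], **desired,
            "added": {t: a for t, a in desired["teams"].items() if current_teams.get(t) != a},
            "removed": sorted(t for t in current_teams if t not in desired["teams"])}

# Constructed sample login: alias attribute names, groups delivered as emails (mixed case).
SAMPLE_ASSERTION_ATTRS = {"emailAddress": ["alice@yourcompany.com"], "givenName": ["Alice"],
                          "groups": ["engineering@yourcompany.com", "IT-Admins@yourcompany.com"]}
TEAM_MAPPINGS = [("engineering@yourcompany.com", "Platform", "Team member"),
                 ("it-admins@yourcompany.com", "Platform", "Team admin"),
                 ("sales@yourcompany.com", "Sales", "Team member")]
ORG_ADMIN_GROUPS = {"it-admins@yourcompany.com"}
```

With the sample data, a user who previously held Sales access loses it on this login because no group in the assertion maps to Sales any more, and gains Platform as Team admin because the admin mapping outranks the member one.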


Part 4: Test sign-in

Open a private/incognito window and visit:

https://your-auxot-host/api/saml/login

You should be redirected to Google, then back into Auxot signed in.

If you see “SSO configuration error: your account has no team access”, the user is not in any Google group that maps to an Auxot team. Add a group mapping or add them to a mapped Google group.


Local testing with HTTPS

Google Workspace does not accept http:// ACS URLs — including http://auxot.localhost:8080. Local SAML testing requires an HTTPS URL your browser can reach.

Option A — HTTPS tunnel (quickest for dev):

# cloudflared (no account required for quick tunnels)
cloudflared tunnel --url http://localhost:8080

# or ngrok
ngrok http 8080

Use the tunnel’s https://… hostname in Google and when opening Auxot in the browser. Reload /api/saml/metadata through the tunnel URL so Entity ID and ACS URL match.

Option B — staging server with a real TLS certificate and DNS name.

Google POSTs the SAML response to the ACS URL from the user’s browser, not from Google’s servers. The tunnel only needs to reach your machine — it does not need a fixed domain unless you want one.


Google app launcher (optional)

If you configured a Start URL, users can open Auxot from the Google Workspace app grid. Leave Start URL blank if you only use the Auxot login link or bookmark {your-auxot-url}/api/saml/login.


Troubleshooting

Symptom → Likely cause:

  • Google rejects ACS URL → URL must start with https://
  • Metadata shows wrong hostname → Open metadata using the same hostname you configured in Google
  • “SSO provisioning failed” / no email → Missing email attribute mapping; add a mapping from Primary email → email in Google (Part 2 step 5)
  • No team access after login → User not in a mapped Google group, or group email typo
  • Password login blocked → Expected after SAML is saved; use SSO or the org admin password
  • ACS URL mismatch error → Entity ID or ACS URL in Google does not exactly match Auxot SP metadata

  • Licensing — Business tier and above includes SSO
  • Security — authentication and encryption overview