š§© Overview
Google SSO allows schools to authenticate users through Google Workspace instead of separate Orah passwords.
Once configured:
Users can log in to Orah using their Google account
Password management stays centralized in Google Workspace
Schools can simplify onboarding and account management
Access can be controlled through Google Organizational Units (OUs)
This integration uses SAML (Security Assertion Markup Language).
š§ Before you begin
Make sure you have:
Administrator access to the Google Admin Console
Access to Orah Admin Console
Permission to manage authentication settings in both platforms
š§ Step 1: Create a SAML SSO profile in Orah
Log in to Orah as an administrator
Navigate to Admin Console ā Authentication
Click Create New Profile
Select SAML in the Type dropdown
ā
Select which users should use this SSO profile
Copy the following values:
SP Entity ID
SP Login URL
Keep this page open for later steps.
ā ļø Youāll need these values when configuring Google Workspace.
š§ Step 2: Configure the SAML app in Google Workspace
Log in to the Google Admin Console
Navigate to:
āApps ā Web and mobile appsClick:
āAdd app ā Add custom SAML app
ā
Enter:
App name (for example: Orah)
Optional description
Optional Orah logo
ā
On the Google Identity Provider details page, copy:
SSO URL
Certificate (download or copy the certificate)
ā ļø Youāll use these values in Orah later.
š§ Step 3: Configure Service Provider details in Google
On the Service provider details page:
Google Field | Orah Value |
Entity ID | SP Entity ID |
ACS URL | SP Login URL |
Enable:
Signed response
Set:
Name ID format = Persistent
Complete the setup wizard.
š§ Step 4: Enable user access in Google
By default, the SAML app is turned OFF for users.
Open the newly created Orah SAML app
Turn access ON
Apply access to:
specific users, or
Organizational Units (OUs)
ā ļø Users will not be able to log in until access is enabled.
š§ Step 5: Complete the setup in Orah
Return to the Orah Authentication page
Paste the Google SSO URL into:
āIdP Login URLPaste the Google Certificate into:
āIdP Public Certificate
ā
Select the applicable user types
Click Save
ā
š§ Step 6: Test the SSO connection
In Orah, click Test Run next to the Authentication profile
Youāll be redirected to the Google login page
Sign in with your Google Workspace account
After authentication, youāll be redirected back to Orah
If configured correctly, youāll see a success message confirming the connection works.
ā
š” Important note about Google Name ID support
Orah supports Identity Provider initiated login, which can automatically update a userās login email address if it changes in the Identity Provider.
This requires the Identity Provider to send a:
unique
persistent
stable Name ID
ā ļø From current testing, Google Workspace SAML does not reliably support this behavior.
As a result:
if a userās email address changes in Google,
administrators may need to manually update the userās login email in Orah.
ā FAQs
Can users still log in with Orah passwords?
That depends on your Authentication profile configuration and enforcement settings.
Why canāt users access the Orah app in Google?
The SAML app may still be OFF for their Organizational Unit or user group.
What happens if the Google certificate expires?
Users may be unable to authenticate. Update the certificate in Orah after rotating it in Google.
Can I limit SSO to certain users?
Yes. You can:
assign the SSO profile to specific user types in Orah
restrict access through Google Organizational Units
š§ Troubleshooting
Authentication fails
Verify the SSO URL is correct
Confirm the certificate was copied fully
Ensure there are no extra spaces or missing characters
Redirect / ACS URL mismatch
Ensure the ACS URL in Google exactly matches the:
āOrah SP Login URL
Users receive ānot authorizedā errors
Confirm the Google SAML app is enabled
Check the userās Organizational Unit access
ā
Changes are not working immediately
Google Workspace changes can take a few minutes to propagate.
Wait a few minutes and test again.
š Additional Resources