PBX GUI - Google SSO Setup for FreePBX/PBXact


Follow the steps below to set up SAML Single Sign-On with Google.

Step-1 : Configure the Application in Google

  1. Log in to the Google Workspace Admin Console

  2. Navigate to Apps > Web and mobile apps from the sidebar.

  3. Create a Custom SAML App
    Click Add App > Add custom SAML app.

  4. Enter an application name (e.g., Admin Panel, User Control Panel, or Sangoma Client Desktop) and optionally upload an app icon.

  5. Click Continue to proceed.

  6. Obtain Google IdP Information

  7. In the next screen, Google Workspace displays the IdP information required by your service provider:

    • SSO URL

    • Entity ID

    • Download the X.509 certificate

    • Copy or download these values as they will be needed in your service provider (SP) or PBX configuration.

  8. Click Continue.

  9. Configure Service Provider Details
    Enter the ACS URL (Assertion Consumer Service URL) and the Entity ID from your service provider into Google Admin:

    • ACS URL: The SP's URL where Google should send the SAML response.
      Below are the URL formats to use as the ACS URL (reply URL).

      • Admin panel - https://<your_pbx_ip_or_domain>/admin/ajax.php?module=pbxsaml&command=checkSAMLAdmin

      • User control panel - https://<your_pbx_ip_or_domain>/admin/ajax.php?module=pbxsaml&command=checkSAMLUCP

      • Sangoma Client Desktop - https://<your_pbx_ip_or_domain>/admin/ajax.php?module=pbxsaml&command=checkSAMLSCD

    • Entity ID: The SP's unique identifier.

  10. Click Continue after entering these details.

  11. Attribute Mapping (Optional)

    • Configure attribute statements to map Google directory attributes to the service provider’s expected SAML attributes (for example, Primary email, first name, last name).

    • Click Finish to save the configuration.

  12. Assign Users to the App

    • After app creation, select User access.

    • Enable access for all users or specific groups/users according to your organization's policy.

      Save the assignment settings.


If your PBX web interface is configured to use a non-standard HTTPS port, you must include that port number in each ACS URL.

Step-2 : Retrieve and Apply Google SAML Details to PBX

There are two ways to retrieve and use the SAML configuration values for your integration with Google:

  1. Download the metadata file from Google and upload it into PBX. The metadata file is in XML format and contains all necessary SAML settings (like SSO URL, Entity ID, and certificates). PBX can automatically parse this file and populate the needed configuration fields, making the setup easier and reducing room for manual errors.

  2. Manually copy the required fields from Google, such as the Identity Provider Single Sign-On URL, Issuer/Entity ID, and X.509 certificate, which you obtained in the previous steps, and enter them into PBX. This approach may be necessary if PBX does not support uploading metadata files or if you prefer more control over the specific details being entered.

Google does not support adding multiple Assertion Consumer Service (ACS) URLs within a single SAML application. Therefore, separate applications need to be created in Google for each of the following: Admin Control Panel (ACP), User Control Panel (UCP), and Sangoma Client Desktop. For each application, follow the same steps to create and configure the SAML app, ensuring that you use distinct and appropriate names and specify the correct ACS URL for each respective application.