Our integration with Google Workspace allows your team to log in to Leapsome with their Google Account - without setting up a new password. With Google Workspace, you have two options to simplify the login process for your team: 'Sign in with Google (OAuth2)' and 'Single Sign-On (SAML)'. In the following, we will explain the two options and the respective setup procedures.
General requirements
To use the option to log in to Leapsome with Google Workspace, please make sure that you meet the following requirements:
- You have set up a Leapsome Account for all relevant colleagues.
- The Google Workspace email address matches the email of the Leapsome Account.
Setting up 'Sign in with Google' (OAuth2)
The option to sign in with Google does not require a setup on your end and can be used as soon as the user's Leapsome Account has been created. On the Leapsome login page, just select 'Sign In with Google' to log in. You may be asked to enter your Google Workspace password for the first login within a popup window. This is the easiest and fastest procedure to enable your team to log in to Leapsome with their Google Account.
Please note that this button continues to show even if SAML SSO (e.g. via another provider, like Entra ID or Okta) is enabled. To remove the button, SAML SSO needs to be enforced.
Setting up SSO with Google Workspace (SAML)
You also have the option to set up SAML-based SSO for Leapsome using Google Workspace. This option is especially interesting if you want to use Google Workspace as your Identity Provider. To set this up, please follow the steps in this article by Google.
During the setup in Google Workspace, please add the following information from Leapsome - you can find this data by visiting 'Settings' > 'Integrations and imports' > 'Single Sign On (SSO)':
- ACS URL: The "Reply URL" (ending with /assert) provided in your Leapsome's SSO settings
- Entity ID: https://www.leapsome.com
On the Leapsome side, please paste the 'SAML2_0' certificate you generated in Google Workspace into the 'Certificate' field, and the 'SSO URL' from Google Workspace into the 'SSO Login URL' field in Leapsome. Do not use the 'Entity ID' from Google Workspace.
Please note that as long as SAML-based SSO is activated but not enforced, users will still be able to use the 'Sign In with Google' (OAuth2) option.
Once set up, your users will need to enter their email address on the Leapsome login page. Then, instead of a password field, a 'Sign in with Company SSO' button should appear. By clicking this button, your users can now log in to Leapsome without setting up a separate password.
Additional customization
Enforce SSO
By default, users will always have the option to sign in with email and their Leapsome password, even if SSO is enabled. If you want to make sure that all users log in via the SSO flow, please navigate to SSO settings in Leapsome, tick the box 'Enforce SSO' and confirm by clicking 'Update SSO Settings'.
Once SSO is enforced, all users within your account can only log in to Leapsome by using SSO. Please make sure that you set up SSO correctly for all users in your organization, as they otherwise won't be able to access Leapsome.
All newly invited users will not see an option to create a password when they sign in for the first time while SSO is enforced.
Logging in without receiving an invitation
By default, users can only log in to Leapsome once they have received an invitation to the platform. To reduce the workload on your end when onboarding users to Leapsome, you have a few options to make the invitation and signup process as smooth as possible.
1. Automate the invitation process using one of our HRIS integrations
If you are using an HRIS for provisioning users to Leapsome, you have the option to automatically send invitations to newly provisioned users. This way, they will be able to use SSO from the get-go, if you have enforced SSO.
2. Enable just-in-time-provisioning for your IDP
Some IDPs like Azure AD offer just-in-time provisioning for your user base. With it, user profiles will be created immediately once a user from your organization tries to log in to Leapsome. When JIT provisioning is enabled, it is not necessary to invite your users for them to be able to log in to Leapsome. Please note that JIT provisioning cannot be used if you are also using an HRIS integration. Please reach out to Leapsome support to allow JIT for your account. Please note that JIT can only be enabled for one domain.
Leapsome also recognizes the attributes
- firstname (the employee's given name)
- lastname (the employee's last name)
- title (the job title of the employee)
- picture (a URL to the employee's picture)
in the namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/. Using these will allow you to point your employees directly to the login URL and prepopulate relevant information when they sign in for the first time.
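To confirm the attribute mapping before relying on it, the AttributeStatement of a test login can be checked against the four recognized names. The following is an added example, not code from Leapsome or Google; it assumes each attribute's Name is the namespace URI followed directly by the short name, and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # from the article
RECOGNIZED = ("firstname", "lastname", "title", "picture")            # from the article
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample: the AttributeStatement of a test assertion.
# 'title' is deliberately mapped without the namespace prefix.
SAMPLE = f"""<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="{CLAIMS_NS}firstname"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="{CLAIMS_NS}lastname"><saml2:AttributeValue>Example</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="{CLAIMS_NS}picture"><saml2:AttributeValue>https://img.example.com/ada.png</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="title"><saml2:AttributeValue>Engineer</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""


def profile_claims(xml_text):
    """Split the assertion's attributes into recognized claims, missing ones and others."""
    found, other = {}, []
    # ElementTree is fine for this trusted sample; parse real captures with a hardened XML parser.
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        name = attr.get("Name", "")
        value = (attr.findtext(SAML + "AttributeValue") or "").strip()
        # Assumption: full attribute name = namespace URI + short name.
        short = name[len(CLAIMS_NS):] if name.startswith(CLAIMS_NS) else None
        if short in RECOGNIZED:
            found[short] = value
        else:
            other.append(name)
    missing = [c for c in RECOGNIZED if c not in found]
    return found, missing, other


if __name__ == "__main__":
    found, missing, other = profile_claims(SAMPLE)
    print("recognized:", found)
    print("missing:", missing)
    print("outside the namespace:", other)
```

An attribute that appears under "outside the namespace" while its short name is listed as missing usually means the mapping was entered without the namespace prefix.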
3. Reach out to us
If you want to avoid sending invitations entirely, our Support team can switch off invitations for your account in the backend. This way, you can enable an automatic sendout of invitations without actually sending any notifications or emails to the team. Please note that this is only possible if all of your users use the same email domain. If you want to learn more about this, contact our Support team from the 'Help' button in Leapsome.
FAQs and Known Issues
As Leapsome does not support email aliases, please make sure that the email address in the Leapsome user account matches the primary email address in Google Workspace.
If you are receiving an error 404 when trying to log in via SAML SSO, please ensure that you pasted the 'SSO URL', and not the 'Entity ID' from Google Workspace to the 'SSO Login URL' field in Leapsome. They look very similar, but only using the 'SSO URL' will result in a working SSO flow.
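A pre-flight check for the values exchanged in the SAML setup above, including the 'SSO URL' versus 'Entity ID' mix-up behind the 404. This is an added example, not code from Leapsome or Google; it assumes Google's SSO URL uses the path /o/saml2/idp and its Entity ID the path /o/saml2, and the tenant URL, idpid and certificate body are constructed placeholders.

```python
import base64
import ssl
from urllib.parse import parse_qs, urlparse

LEAPSOME_ENTITY_ID = "https://www.leapsome.com"  # Entity ID given in the article


def check_sso_settings(acs_url, entity_id, sso_login_url, certificate):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    acs = urlparse(acs_url)
    if acs.scheme != "https" or not acs.path.endswith("/assert"):
        problems.append("ACS URL: expected the https Reply URL ending with /assert")
    if entity_id != LEAPSOME_ENTITY_ID:
        problems.append("Entity ID: expected " + LEAPSOME_ENTITY_ID)
    # Assumption: Google's SSO URL has path /o/saml2/idp, its Entity ID path /o/saml2.
    sso = urlparse(sso_login_url)
    path = sso.path.rstrip("/")
    if sso.scheme != "https" or sso.netloc != "accounts.google.com":
        problems.append("SSO Login URL: not an https accounts.google.com URL")
    elif path == "/o/saml2":
        problems.append("SSO Login URL: this is Google's Entity ID, not the SSO URL")
    elif path != "/o/saml2/idp" or not parse_qs(sso.query).get("idpid"):
        problems.append("SSO Login URL: expected /o/saml2/idp?idpid=...")
    try:
        der = ssl.PEM_cert_to_DER_cert(certificate.strip())
        if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
            raise ValueError("not DER")
    except ValueError:
        problems.append("Certificate: not a PEM-encoded certificate")
    return problems


# Constructed values: placeholder tenant, idpid and certificate body (framing only, not a real cert).
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"\x30\x82\x01\x0a" + bytes(60)).decode()
            + "\n-----END CERTIFICATE-----")
GOOD = dict(acs_url="https://sp.example.invalid/saml/PLACEHOLDER/assert",
            entity_id=LEAPSOME_ENTITY_ID,
            sso_login_url="https://accounts.google.com/o/saml2/idp?idpid=C00example",
            certificate=FAKE_PEM)
SWAPPED = dict(GOOD, sso_login_url="https://accounts.google.com/o/saml2?idpid=C00example")

if __name__ == "__main__":
    print(check_sso_settings(**GOOD))
    print(check_sso_settings(**SWAPPED))
```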