enterprise plans
Builder supports the industry standards, Security Assertion Markup Language (SAML) and OpenId Connect (OIDC). This means that single sign-on (SSO) integrates with any identify providers that support either.
This document covers how to integrate Google Workspace with SAML.
While we enable SSO for your Organization, you can start setting up the SAML App in Google Admin. For more detailed instructions, follow the Google guide, Set up your own custom SAML application: Using SAML-based SSO.
1. Navigate to your Google Admin account and visit your Apps page.
2. Click on SAML Apps.
3. Click the plus, +, icon or link to create a new app, then select the option at the bottom for Setup my own custom app.
4. Save your SSO URL, Entity Id, and download your certificate, then click Next.
5. In the form that opens, enter the name of the App (such as, builder-io), a description (such as, Drag-and-drop Visual CMS”).
6. Add the Builder logo. Click the image below to open the logo in a new tab if needed.
7. On the next screen, enter the Builder SAML information:
- ACS URL:
https://builder.io/__/auth/handler - Entity ID:
https://builder.io
8. Save service.
9. After you create the SAML app, make sure you turn it on for all users or the group of users you would like to enable access for.
With SSO enabled on your Builder account and an app, you can add your SSO details:
- Go back to your Builder Organization Settings.
- Enter the SAML information from your Google account above (SSO URL, Entity Id, and the certificate you downloaded).
- When choosing an SSO Name be aware that this is a unique name across all organizations in Builder, and it will be used to access your unique SSO login page; for example,
https://builder.io/login/company-name. Choose something that is easy to bookmark or remember for you and your colleagues.
By default, usernames are not mapped between Builder and identity providers. However, administrators can establish this connection by mapping a specific name field from the identity provider to the name attribute in Builder's profile settings. This configuration ensures that the username is properly set upon user login with SSO.
To map usernames between Builder and Google Workspace, you'll need to go to Google Workspace to update your profile mappings.
OpenID Connect (OIDC) builds on OAuth 2.0 so applications can authenticate users and retrieve their basic information in a standardized way. OAuth 2.0 supports different authorization strategies, including:
- Implicit flow: for browser-based apps. It is less favored as it can expose tokens to the browser.
- Authorization Code Flow: is preferred for its security, suitable for apps that can manage a Client Secret without exposing it, as it conducts token exchanges away from the user's browser. The Client Secret acts as a password between the app and the authorization server to safely exchange an authorization code for an access token.
When setting up OIDC for SSO in Builder.io, you have the option to include a client secret in your Builder SSO configuration, which indicates that you want to use the code flow. If you don't include a client secret, Builder defaults to using the implicit flow.
To add your IdP's Client Secret to your Builder SSO configuration:
- In Google Workspace: Get your Client Secret from Google Workspace. Refer to their docs for creating access credentials.
- In Builder: Go to Builder's Organization Settings.
- Click the Edit button for Single Sign-On. Note that you must have SSO enabled for your Organization before this option is available in your Organization Settings.
- For the SSO Method, make sure you've selected OpenID Connect.
- Paste the Client Secret in the Client Secret field.
- Click the Save button.
Due to recent browser updates, if you previously used the Firebase URL, you must update your authentication domain for SSO to ensure compatibility and security.
To accommodate these changes while maintaining existing SSO configurations:
- Update the ACS URL: Replace the previous redirect URL of
https://builder-3b0a2.firebaseapp.com/__/auth/handlerwith the new domainhttps://builder.io/__/auth/handler. This applies to both SAML and OIDC configurations and must be updated in the Identity Provider (IdP) settings. - Update the login URL: Append the query parameter
authDomain=newto the login URL. For example, a bookmarked login URL would be formatted ashttps://builder.io/login/saml/builder?authDomain=new. Including this parameter ensures compatibility with the new custom domain. Omitting it may lead to incompatibility issues, affecting SSO functionality with recent versions of browsers such as Firefox and Safari.
For IdP-initiated logins, the login URL provided by the IdP must also include the authDomain=new parameter for seamless integration.
