Single Sign-On (SSO) with Google Workspace
Single Sign-On (SSO) is available as a paid add-on for TUNE accounts. To inquire about enabling this feature, please contact your Customer Success Manager, Sales Representative, or our support team at support@tune.com.
Follow this step-by-step guide to enable secure access to TUNE using Google Workspace credentials
Setup Overview
This configuration process has 7 main steps and takes approximately 15-20 minutes to complete. Once completed, your users will log in through Google instead of maintaining a separate TUNE password.
You'll be working in two systems:
- Google Workspace Admin Console (Steps 1-5)
- TUNE Platform (Step 6)
- Testing (Step 7)
Table of Contents
- What is Single Sign-On (SSO)?
- Before You Begin - Prerequisites
- Configuration Steps:
- Step 1: Create a Custom SAML App in Google Workspace
- Step 2: Copy Google's Identity Provider Details
- Step 3: Configure Service Provider Details
- Step 4: Set Up Attribute Mapping
- Step 5: Enable the SAML App for Users
- Step 6: Configure SSO in TUNE
- Step 7: Test Your SSO Configuration
- Managing SSO for Individual Users (Optional)
- Troubleshooting Common Issues
- Need Help?
What is Single Sign-On (SSO)?
Single Sign-On (SSO) lets your users access TUNE with their existing Google Workspace credentials.
Benefits
- ✓ Log in to TUNE using Google Workspace credentials
- ✓ No need to remember separate passwords
- ✓ Automatically enforces your organization's security policies (like 2-step verification)
- ✓ Centralized user management through Google Workspace
How it works
Google performs the authentication and confirms the user's identity. TUNE trusts this confirmation and grants access to your platform.
Before You Begin - Prerequisites
Required Before Starting:
| Requirement | Why It's Needed |
|---|---|
| Administrator access to Google Workspace | You need permissions to create and configure SAML apps |
| Administrator access to TUNE | You need permissions to configure SSO settings in TUNE |
| All users already exist in TUNE | Users must have TUNE accounts before SSO can authenticate them |
| Matching email addresses | Email addresses in Google Workspace must EXACTLY match email addresses in TUNE |
Google Workspace Configuration (Steps 1-5)
Create a Custom SAML App in Google Workspace
What you'll do: Create a new SAML application in Google Workspace that represents TUNE.
Follow these steps:
- Sign in to the Google Admin Console at
admin.google.com - Navigate to: Apps → Web and mobile apps
- Click the Add App button
-
Select Add custom SAML app from the dropdown menu
- Enter the following information:
| Field | What to Enter |
|---|---|
| App Name |
TUNE (or your preferred name) |
| Description | Optional: e.g., "TUNE Affiliate Marketing Platform" |
| App Icon | Optional: Upload a logo if desired |
Copy Google's Identity Provider Details
Copy these three values:
| Value to Copy | What It Looks Like | Where You'll Use It |
|---|---|---|
| SSO URL | https://accounts.google.com/o/saml2/idp?idpid=... |
TUNE → SAML SSO Sign-in URL |
| Entity ID | https://accounts.google.com/o/saml2?idpid=... |
TUNE → SAML IdP Entity ID |
| Certificate | Starts with -----BEGIN CERTIFICATE-----
|
TUNE → SAML IdP Certificate (PEM) |
- Click DOWNLOAD CERTIFICATE to save the X.509 certificate file, OR copy the certificate text directly
- Copy the SSO URL and save it in a text document
- Copy the Entity ID and save it in the same text document.
- Click Continue to proceed to the next screen
Security Note: The X.509 certificate is a public certificate used to verify that login responses genuinely come from Google. It does NOT expose passwords or sensitive credentials.
Important: Keep these values handy! You'll paste them into TUNE in Step 6.
Configure Service Provider Details
Enter the following values:
| Field Name | Value to Enter |
|---|---|
| ACS URL | https://YOUR-DOMAIN/saml/acs |
| Entity ID | https://YOUR-DOMAIN |
| Name ID format | Select EMAIL from dropdown |
| Name ID | Select Basic Information > Primary Email |
- Scroll down to Signed Response and check the box to enable it
- Check the box to enable Signed Assertion as well
How to Fill in the YOUR-DOMAIN Section
Replace YOUR-DOMAIN With your actual TUNE domain:
| Scenario | ACS URL Example | Entity ID Example |
|---|---|---|
| Standard TUNE domain | https://acme-network.hasoffers.com/saml/acs |
https://acme-network.hasoffers.com |
| Custom domain | https://affiliate.acme.com/saml/acs |
https://affiliate.acme.com |
https:// (not http://). SAML requires secure, encrypted endpoints.Set Up Attribute Mapping
What you'll do: Configure which user information Google sends to TUNE during login.
Map the email attribute
- Under Google Directory attributes, select Primary Email from the first dropdown
- Under App attributes, type
emailin the text field - Click Finish
| Google Directory Field | App Attribute |
|---|---|
| Primary Email | email |
Enable the SAML App for Users
Enable user access:
- Find your newly created TUNE app in the list and click on it
- Click on User access in the left sidebar
- Click Save
Choose one of these options:
- Recommended for testing: Select specific organizational units or groups
- For production: Select ON for everyone
PART 2: TUNE Platform Configuration
Configuring SSO in TUNE
Access TUNE SSO Settings
- Log in to TUNE as an Administrator
- Navigate to Company → Customize Application → Single Sign-On
Enter the Identity Provider Details
Paste the three values you copied from Google in Step 2:
| TUNE Field Name | Paste the Value From Google |
|---|---|
| SAML IdP Entity ID | Paste the Entity ID from Step 2 |
| SAML SSO Sign-in URL | Paste the SSO URL from Step 2 |
| SAML IdP Certificate (PEM) | Paste the Certificate from Step 2 |
- Paste the Entity ID into the SAML IdP Entity ID field
- Paste the SSO URL into the SAML SSO Sign-in URL field
- Paste the Certificate into the SAML IdP Certificate (PEM) field
- Click Save to apply your SSO configuration
Certificate Format Requirements:
The certificate must include the BEGIN and END lines:
-----BEGIN CERTIFICATE----- MIIDdDCCAlygAwIBAgIGAXqZ... (certificate data) -----END CERTIFICATE-----
PART 3: Testing your Configuration
Perform a test login:
- Open a private/incognito browser window: For Chrome: Ctrl+Shift+N (Windows) or Cmd+Shift+N (Mac). For Firefox: Ctrl+Shift+P (Windows) or Cmd+Shift+P (Mac)
- Navigate to your TUNE login page (e.g.,
https://your-domain.hasoffers.com) - Enter your email address in the login field
- Click the login button
Expected Behavior
- You should be redirected to Google for authentication
- You'll see the Google sign-in page
- After signing in with your Google credentials, you should be redirected back to TUNE
- You should be automatically logged into TUNE without entering a TUNE password
If the test login worked, congratulations! Your SSO configuration is complete. Users can now log in to TUNE using their Google Workspace credentials.
Managing SSO for Individual Users (Optional)
By default, once SSO is enabled, all employees will use Google Workspace to log in. However, you can disable SSO for specific users if needed.
When Would You Disable SSO for a User?
Common Use Cases:
- Testing SSO configuration with specific accounts before organization-wide rollout
- Providing access to contractors who don't have Google Workspace accounts
- Troubleshooting login issues for individual users
- Maintaining emergency administrator access during SSO provider outages
How to Disable SSO for a Specific Employee
- In TUNE, navigate to the Employee page
- Find and click on the employee you wish to update
- Click Edit under the Settings section
- Locate the Single Sign-On setting
- Change the setting to Disabled
- Click Save
What happens next:
- The user will log in directly with their TUNE email and password
- The SSO redirect will be skipped for that user only
- Other users are not affected by this change
- You can re-enable SSO at any time by changing the setting back to "Enabled"
Troubleshooting Common Issues
Issue: Login Redirect Loop
Symptom: User keeps being redirected between Google and TUNE without successfully logging in.
Possible Solutions:
- Verify the ACS URL is correct and begins with
https://(not http://) - Check that the Entity ID exactly matches your TUNE domain
- Ensure cookies are enabled in the browser
- Clear browser cache and cookies, then try again in a new incognito window
- Verify that "Signed Response" and "Signed Assertion" are both enabled in Google
Issue: "User Not Found" Error
Symptom: Error message stating the user doesn't exist in TUNE.
Possible Solutions:
- Verify the user account exists in TUNE
- Check that the email address in Google Workspace exactly matches the email in TUNE (including capitalization)
- Confirm the user account is active (not deleted or suspended) in TUNE
- Verify the attribute mapping in Google is set to "Primary Email" → "email"
Issue: "Invalid Signature" Error
Symptom: SAML response signature validation fails.
Possible Solutions:
- Verify the X.509 certificate was copied completely (including the BEGIN and END lines)
- Check for extra spaces or line breaks in the certificate
- Ensure the certificate hasn't expired (download a fresh certificate from Google)
- Confirm both "Signed Response" and "Signed Assertion" are enabled in Google Workspace
- Re-copy and re-paste the certificate to ensure no formatting issues
Issue: SSO Not Working for Some Users
Symptom: SSO works for some users but not others.
Possible Solutions:
- Check that the affected users are in the enabled organizational unit in Google Workspace
- Verify that affected users have the same email in both Google and TUNE
- Check if SSO is disabled for specific users in their TUNE employee settings
- Ensure affected users exist in TUNE and have active accounts
Security & Compliance Notes
Security Information
- All SAML responses from Google are cryptographically signed and verified
- TUNE never sees or stores your Google passwords
- Certificates can be rotated at any time for enhanced security
- SSO does not modify user roles or permissions inside TUNE
- 2-step verification and other Google security policies are enforced automatically
Security Best Practices - Do Not:
- Share SSO configuration details publicly or with unauthorized individuals
- Send certificates over unsecured email
- Upload screenshots showing real production URLs without masking sensitive data
- Use the same SAML app for multiple environments (use separate apps for staging/production)
Need Help?
Contact Support
If you need assistance, please contact TUNE Support and provide:
- Screenshot of your Google SAML configuration (mask any sensitive URLs)
- Exact error message you're seeing (screenshot preferred)
- Test email address you used for testing
- Your TUNE domain (e.g., acme-network.hasoffers.com)
- Steps you've already tried from the troubleshooting section