Cube Cloud supports authenticating users through Google Workspace, which is useful when you want your users to access Cube Cloud using single sign on. This guide will walk you through the steps of configuring SAML authentication in Cube Cloud with Google Workspace. You must be a super administrator in your Google Workspace to access the Admin Console and create a SAML integration.Documentation Index
Fetch the complete documentation index at: https://cubed3-docs-cub-2416-update-semantic-snowflake-semantic-vie.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Available on Enterprise plan.
Enable SAML in Cube Cloud
First, we’ll enable SAML authentication in Cube Cloud. To do this, log in to Cube Cloud and- Click your username from the top-right corner, then click Team & Security.
- On the Authentication & SSO tab, ensure SAML is enabled:
Create a SAML Integration in Google Workspace
Next, we’ll create a SAML app integration for Cube Cloud in Google Workspace.- Log in to admin.google.com as an administrator, then navigate to Apps → Web and Mobile Apps from the left sidebar.
- Click Add App, then click Add custom SAML app:
- Enter a name for your application and click Next. You can optionally add a description and upload a logo for the application, but this is not required. Click Continue to go to the next screen.
- Take note of the SSO URL, Entity ID and Certificate values here, as we will need them when we finalize the SAML integration in Cube Cloud. Click Continue to go to the next screen.
- Enter the following values for the Service provider details section and click Continue.
| Name | Description |
|---|---|
| ACS URL | Use the Single Sign On URL value from Cube Cloud |
| Entity ID | Use the Service Provider Entity ID value from Cube Cloud |
- On the final screen, click Finish.
- From the app details page, click User access and ensure the app is ON for everyone:
Enable SAML in Cube Cloud
In this step, we’ll finalise the configuration by entering the values from our SAML integration in Google into Cube Cloud.- From the same Authentication & SSO > SAML tab, click the Advanced Settings tab:
- Enter the following values in the SAML Settings section:
| Name | Description |
|---|---|
| Audience (SP Entity ID) | Delete the prefilled value and leave empty |
| IdP Issuer (IdP Entity ID) | Use the Issuer value from Google Workspace |
| Identity Provider Login URL | Use the Sign on URL value from Google Workspace |
| Certificate | Use the Signing Certificate value from Google Workspace |
- Enable Auto-provision new users if you want users to be automatically created in Cube on their first login via this SAML provider. New users are assigned the Viewer role by default — see Default role for new users to choose a different role. Enable this if you are not using SCIM provisioning.
- Scroll down and click Save SAML Settings to save the changes.
Default role for new users
By default, users auto-provisioned via SAML receive the Viewer role. To assign a different role, expand the Advanced section of the SAML configuration form and pick from Default role for new users:- Developer, Explorer, or Viewer — Cube Cloud’s default roles.
- Any custom role defined in your account, listed below the divider.
rolesMap).
Admin status is not assignable through this picker — Admin is controlled
separately. To grant admin permissions, update the user’s role manually
under Admin → Users.
Test SAML authentication
To start using SAML authentication, use the single sign-on URL provided by Cube Cloud (typically<YOUR_CUBE_CLOUD_URL>/sso/saml) to log in to Cube Cloud.