YouTrack Standalone 2021.1 Help

YouTrack as SAML Identity Provider for Google Apps for Work

When you configure a YouTrack server as the Identity Provider for your Google Apps instance, end-users can log into Google Apps with their credentials in YouTrack or any other authentication module enabled in YouTrack.

This configuration also enables single-sign-on. When a user logs into one of the services that is connected to YouTrack, they are logged into all connected services.

Before you start, verify the following prerequisites:

  • You must have administrative privileges in both Google Apps for Work and YouTrack.

  • To log into Google Apps with YouTrack, a user must have a registered account in Google Apps. In Google Apps, it is not allowed to create new users automatically via SAML.

  • You must have the SSL certificate file that you use for SAML 2.0 in YouTrack. You will need to upload this file to Google Apps during the configuration.

Due to the Google Apps requirements, only end-users can log into Google Apps using a third-party SAML IdP (in this case, YouTrack). Google Apps administrators can only log in directly on the Google Admin console login page. For details, refer to this Google documentation page.
Keeping this in mind, use a non-administrative account to test the SAML configuration.

To configure your Google Apps instance:

  1. In your Google Apps instance, sign in to the Admin Console.

    Saml ga admin console

  2. Open the Security page.

  3. Select the Set up single sign-on (SSO) panel.

  4. Enable the Setup SSO with third party identity provider option.

    Saml ga security sso

  5. Configure the parameters:
    ParameterDescription
    Sign-in page URLPaste the content of the Sign In URL field on More Settings > SAML2.0 > Settings page of the YouTrack server.
    Sign-out page URLPaste the content of the Sign Out URL field on the More Settings > SAML2.0 > Settings page of the YouTrack server.
    Change password URLIf you want to redirect all your end-users who try to change their passwords at Google Apps to YouTrack, then enter the URL of the login page of your YouTrack instance in the following format: <YouTrack server Base URL>/auth/login For details, refer to the Google Apps documentation page.
    Verification certificateUpload the file of the SSL certificate that is packed in the SSL key store set up for SAML in YouTrack.
    Use a domain specific issuerChoose whether Google should whether to include a standard or domain specific issuer. Standard issuer is google.com. Format of the domain specific issuer is google.com/a/<your domain> For details, refer to the Google Apps documentation page.
    Network masksProvide a semicolon-separated list of IP addresses that should always be routed through YouTrack for authentication. By default, we recommend that you leave the field blank to authenticate all end-users via YouTrack.
  6. In YouTrack, select SAML 2.0 from the Access Management section of the Administration menu.

  7. Select the Registered Service Providers tab.

  8. Click the Register service provider button.

  9. In the dialog, enter the parameters of your Google Apps instance:
    ParameterDescription
    NameEnter a name to be displayed for the Google Apps instance in YouTrack.
    IssuerEnter either standard or domain-specific issuer depending on the Use a domain specific issuer option status.
    DescriptionOptionally, enter a description of the Google Apps instance.
    Consumer URLPaste the Access Consumer Service (ACS) URL of your Google Apps instance in the format: https://www.google.com/a/<yourdomain.com>/acs
    YouTrack should send LogoutResponseEnable the option.
Last modified: 08 March 2021