Setting up Google Single sign-on with optional two-factor authentication

This article provides a step-by-step guide for setting up Google Single Sign-On (SSO) with optional two-factor authentication (2FA) for staff. It outlines the necessary permissions, preparation steps, and the process to enable SSO and 2FA, including IP whitelisting for easier access. The article emphasizes the importance of using 2FA for enhanced security and provides troubleshooting resources for common issues.

We have different resources available, depending on whether you would like to set up Single sign-on with optional two-factor authentication, or just two-factor authentication.

If you wish to set up Microsoft single sign-on with two-factor authentication, see our other guide.

Follow the instructions below to set up Google single sign-on with two-factor authentication.

How long will it take?

  • Completing the checklist to prepare - varies depending on the actions needed, can take time to update staff email addresses
  • Switch on SSO - 2 minutes
  • Switch on Two-factor authentication - 2 minutes
  • Add IP Whitelisting - 2 minutes

Permissions

  • You'll need either the Staff: User Details: Administer or School: General Admin: Administer permissions to set this up on the School MIS - if you don't have the permission, you'll need to ask your admin team to give you permission using these instructions.
  • You'll need the User Details: Manage All Users permission to set this up on the MAT MIS - if you don't have the permission, someone will need to assign you a new Business Role that contains this permission.

 

What is Google Single sign-on (SSO)?

Google SSO is a secure authentication system that is free to use and makes logging in easier for your staff because they can sign into Arbor using their Google account.

We strongly recommend using two-factor authentication with single sign-on. This adds an extra layer of security when logging in, which means that even if someone else knows a staff member’s Google email address and password, they won’t be able to log in without the generated authenticator app code (see the section below).

If you have single sign-on enabled, your staff can still log into the MIS in the standard way (using their email address and password) if they prefer. See this article for how they can do this.

Two-factor authentication

Two-factor authentication adds an extra layer of security to your MIS. Staff log in using a code generated on their phone, which is designed to ensure that they are the only people who can access their accounts, even if someone else knows their Arbor password.

We recommend Google Authenticator as it’s free, but you can use other authentication applications instead, such as Microsoft Authenticator or Authy.

You can set it so that only people logging in with a username and password need to use two-factor authentication, while users signing in with single sign-on don't.

IP whitelisting

As part of two-factor authentication, you can use IP whitelisting to make it quicker for your staff to log in when they are at your site. You can allow staff to log into the MIS from your public/external IP address without needing to complete the second step of the two-factor authentication.

IP Whitelisting allows you to create lists of trusted public/external IP addresses or IP ranges from which your staff can access your MIS. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to input their email/username and password (no verification code needed) to log in.

 

Who can set up these features?

Google Single Sign-On and Two-factor authentication are available for all schools and MATs to set up and use no matter what package you've purchased.

Please note that we're not able to help you with any issues you might have with your Google setup - if you're having trouble, please contact Google support.

 

Before setting up single sign-on

There are some steps you must complete before you start using Google single sign-on and two-factor authentication.

  1. Check staff have their Google email as their default work email address - Your staff will need to use their Google email address to log into Arbor using Google single sign-on. Set each staff member’s Google email address as their Work and Default email address on their Staff Profile. Every staff member’s email must be different. See our article on adding email addresses for more help. If you turn on single sign-on and two-factor authentication before you change your staff’s email address, they may not be able to log on.
  2. Let your staff know of any changes - If you’ve changed any staff’s default email addresses, they’ll only be able to log in using this new email address. Let your staff know what email address to log in with.
  3. Check staff know their password (if you’ll be using two-factor authentication) - During the first login, staff will be asked to verify their identity by filling in their Arbor password. This is only done once, and only if you have two-factor authentication enabled.
  4. Ask staff to download your authentication app (if you’ll be using two-factor authentication) - Your staff will need to have downloaded the authentication app you’ll use (e.g. Google Authenticator) so they can receive their access code to log in if you’ll be using two-factor authentication. If they have not downloaded the app and completed the setup, your staff will not be able to log in.
  5. Find out your IP address (optional) - This is required if you choose to use IP whitelisting. Find out your IP address by typing ‘What is my IP’ into Google. Remember that the result depends on where you currently are, so the IP address shown at a different location will be different.

 

Setting up single sign-on

Step 1 - Turn on single sign-on

To get to the setup page, go to:

  • School > Users & Security > Users > Single Sign-On Setup on the School MIS
  • Group Staff > Users & Security > Authentication Setup > Single Sign-On Setup on the MAT MIS

To enable single sign-on, click the Enable logging in with box and select Google. Then click the Save settings button at the bottom of the page.

When your staff log in, they can select the Log in with Google option to log in using their Google work account.

Top Tip: If at any point in the future you would like to switch off Google SSO, just change this back to the ‘Do not enable single sign-on’ option.

Step 2 (optional) - Turn on Two-factor authentication

You can turn on two-factor authentication from the same page where you set up single sign-on. Go to:

  • School > Users & Security > Users > Single Sign-On Setup on the School MIS
  • Group Staff > Users & Security > Authentication Setup > Single Sign-On Setup on the MAT MIS

To turn on two-factor authentication, click the Enable two-factor authentication using… box and select Authentication app, then click the Save settings button.

Tick the Bypass two-factor authentication for SSO accounts? box if you want to only require Two-factor authentication when using the Arbor Username and Password, but not when logging in with Single sign-on (SSO). 

Once staff have set up the app, they will need to enter the security code from the app into Arbor when they log in.

Top Tip: If at any point in the future you would like to switch two-factor authentication off, change this back to the ‘Do not enable two-factor authentication’ option.

Step 3 (optional if using two-factor authentication) - Add IP Whitelisting

Using this section, you can add your IP address (or a range of addresses) to your whitelist.

Top Tips:

  • Find out your IP address by typing ‘What is my IP’ into Google.
  • You must use your public/external IP, not a private or internal IP.

IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your staff can access your MIS without the need to use two-factor authentication. When using a trusted IP address, the second step of the two-factor authentication is not required, and your staff will only need to log in using their standard login email and password, with no verification code required.

When using a different IP address, they will still need to complete the second step of two-factor authentication when logging in.

Click +Add in the IP Whitelist section.

In the slide over, type in the IP address and click the Save changes button.
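
The whitelist rules from this step, modelled as an added example (this is not Arbor's code): it checks proposed entries for private/internal or very broad ranges before you save them, and shows which logins skip the second step. CIDR notation for ranges, the /24 and /48 breadth thresholds and all function names are assumptions; the sample addresses are constructed.

```python
import ipaddress

# Ranges that can never be a site's public/external address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]
MIN_PREFIX = {4: 24, 6: 48}  # assumed review threshold, not an Arbor limit


def check_entry(entry):
    """Return (network, problems) for one proposed whitelist entry."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None, ["not a valid IP address or CIDR range"]
    problems = []
    if any(net.overlaps(n) for n in NON_PUBLIC):
        problems.append("private/internal address, use the public/external IP")
    if net.prefixlen < MIN_PREFIX[net.version]:
        problems.append("range is very broad, every address in it skips the second step")
    return net, problems


def build_whitelist(entries):
    """Split proposed entries into accepted networks and rejected {entry: problems}."""
    accepted, rejected = [], {}
    for entry in entries:
        net, problems = check_entry(entry)
        if problems:
            rejected[entry] = problems
        else:
            accepted.append(net)
    return accepted, rejected


def second_factor_required(client_ip, whitelist, via_sso=False,
                           two_factor_enabled=True, bypass_for_sso=False):
    """Model of the login policy described in this article (assumed reading)."""
    if not two_factor_enabled or (via_sso and bypass_for_sso):
        return False  # 2FA off, or SSO login with the bypass box ticked
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in whitelist)  # trusted IP skips the code

# Constructed sample entries (documentation and private ranges, not real sites).
SAMPLE = ["203.0.113.10", "198.51.100.0/28", "192.168.1.20", "203.0.0.0/8", "school-wifi"]
```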
