Skip to content

Google Workspace

This guide walks you through configuring Google Workspace as your SAML identity provider for the application you are onboarding, enabling secure single sign-on for your users. You’ll learn how to set up an enterprise application and configure SAML settings to the host application. By following these steps, your users will be able to seamlessly authenticate using their Google Workspace credentials.

  1. Create a custom SAML app in Google Workspace

    Section titled “Create a custom SAML app in Google Workspace”

    Google allows you to add custom SAML applications that connect with Scalekit over the SAML protocol. This is the first step in establishing a secure SSO connection.

    Prerequisites: You need a super administrator account in Google Workspace to complete these steps.

    1. Go to Google Admin console (admin.google.com)
    2. Select AppsWeb and mobile apps
    3. Click Add appAdd custom SAML app
    4. Provide an app name (e.g., “YourApp”) and upload an app icon if needed
    5. Click Continue

    Custom SAML app Creating a new custom SAML application in Google Workspace

    Get Google identity provider details:

    On the Google identity provider details page, you’ll need to collect setup information for Scalekit. You can either:

    • Download the IDP metadata file, or
    • Copy the SSO URL and Entity ID and download the Certificate

    Your SSO config portal connects with Google IdP using three essential pieces of information:

    • SSO URL
    • Entity ID
    • Certificate

    Copy these values from the Google console and paste them into your config portal.

    Google IdP Details Essential SAML configuration details from Google Workspace

    Note: Keep this page open as you’ll need to return to it after configuring Scalekit’s service provider details.

  2. Configure the service provider in Google Admin console

    Section titled “Configure the service provider in Google Admin console”

    In your SSO configuration portal:

    1. Navigate to Single sign-on (SSO) → Google Workspace → SAML 2.0
    2. Select the organization you want to configure
    3. Copy these critical details from the SSO settings:
      • ACS URL (Assertion consumer service URL)
      • SP Entity ID (Service provider entity ID)
      • SP Metadata URL

    SSO Config Portal Service provider configuration details in SSO portal

    In Google Admin console:

    1. Paste the copied details into their respective fields
    2. Select “Email” as the NameID format (this serves as the primary user identifier during authentication)
    3. Click Continue

    Google Workspace Configuring service provider details in Google Workspace

  3. User profile attributes in Google IdP need to be mapped to your application’s user attributes for seamless authentication. The essential attributes are:

    • Email address
    • First name
    • Last name

    To configure these attributes:

    1. Locate the Attribute mapping section in your identity provider’s application
    2. Map the Google attributes to your application attributes as shown below

    User profile attributes Mapping user attributes between Google Workspace and your application

  4. Control access to your application by assigning specific users or groups:

    1. Go to the User/group assignment section in your identity provider application
    2. Select and assign the user groups that need access to your application via SSO

    Group assignment Assigning user groups for SSO access

  5. Copy Google identity provider details:

    From your Google Workspace, copy the IdP details shown during custom app creation:

    Google IdP details Identity provider details from Google Workspace

    Update Scalekit configuration:

    In your SSO configuration portal, navigate to the Identity provider configuration section. Paste the Google IdP details into the appropriate fields: Entity ID, SSO URL, and x509 certificates.

    Update IdP details in SSO config portal Updating identity provider configuration in SSO portal

    Click Update to save the configuration.

  6. Verify your SAML SSO configuration:

    1. Click Test connection in the SSO configuration portal
    2. If successful, you’ll see a confirmation message:

    Test Single Sign On Successful SSO connection test

    If there are any configuration issues, the test will identify them and provide guidance for correction.

  7. Once you’ve verified the configuration:

    1. Click Enable connection to activate SSO for your users

    Enable SSO Connection Enabling the SSO connection

  8. After enabling the connection, test both types of SSO flows to ensure everything works correctly:

    Identity provider (IdP) initiated SSO:

    1. In Google Admin console, go to AppsWeb and mobile apps
    2. Select your custom SAML app
    3. Click Test SAML login at the top left
    4. Your app should open in a separate tab with successful authentication

    Service provider (SP) initiated SSO:

    1. Open the SSO URL for your SAML app
    2. You should be automatically redirected to the Google sign-in page
    3. Enter your Google Workspace credentials
    4. After successful authentication, you’ll be redirected back to your application

    Troubleshooting: If either test fails, check the SAML app error messages and verify your IdP and SP settings match exactly.

Congratulations! You have successfully configured Google SAML for your application. Your users can now securely authenticate using their Google Workspace credentials through single sign-on.