Google Workspace SAML

Step-by-step guide to configure single sign-on with Google Workspace as the identity provider

This guide walks you through configuring Google Workspace as your SAML identity provider for the application you are onboarding, enabling secure single sign-on for your users. You'll learn how to set up an enterprise application, configure SAML settings to the host application. By following these steps, your users will be able to seamlessly authenticate using their Google Workspace credentials.

1. Create custom SAML app

Google allows your to add custom SAML application that connects with Scalekit over the SAML protocol.

Go to Google Admin Console (admin.google.com). Select Apps → Web and Mobile Apps. Click Add App → Add custom SAML app.

Custom SAML app

Provide an App Name (e.g., "YourApp") and upload an app icon if needed. Click Continue.

Your SSO config portal connects with Google IdP using SSO URL, Entity ID and Certificate. Copy them from Google console and paste them to your config portal.

Then, click Continue.

Google IdP Details

2. SAML configuration

In your SSO configuration portal navigate to Single Sign-On (SSO) → Google Workspace → SAML 2.0 for the organization you want to configure it for.

Now, copy the following details from the config portal's SSO settings:

• ACS URL (Assertion Consumer Service URL)
• SP Entity ID (Service Provider Entity ID)
• SP Metadata URL

SSO Config Portal

In Google Admin Console, paste the details copied from the SSO configuration portal into the respective fields:

Google Workspace

Select "Email" as the NameID format and click Continue. Google treats this as primary user identifier during authentication.

3. Attribute mapping

User profile attributes are stored in Google IdP under different labels. Map them to the appropriate user attributes between the two systems using Attribute Mapping.

User profile details that are needed for seamless user login are:

• Email Address
• First Name
• Last Name

To configure these attributes, locate Attribute Mapping section in the SAML Configuration page in your Identity Provider's application, and map the attributes with the App attributes as shown in the below image.

User profile attributes

4. Assign users/groups

Control who can access this application by assigning the users in your organization. Go to User/Group assignment section in your Identity Provider application and select and assign all the required user groups that need access to this application via Single Sign-On.

5. Identity provider configuration

In your Google workspace, copy the below details that were shown as you create a custom app.

Google IdP details

In your SSO configuration portal, go to Identity Provider Configuration and paste the Google IdP details into following fields — Entity ID, SSO URL and x509 certificates.

Update IdP details in SSO config portal

Click Update.

6. Test connection

To verify whether the SAML SSO configuration is completed correctly, click on Test Connection on the SSO Configuration Portal.

If everything is done correctly, you will see a Success response as shown below.

Test Single Sign On

If there's a misconfiguration, the test will identify the errors and will offer you a way to correct the configuration right on the screen.

7. Enable connection

After you successfully verified that the connection is configured correctly, you can enable the connection to let your users login to this application via Single Sign-on.

Click on Enable Connection.

Enable SSO Connection

With this, we are done configuring Google SAML for your application to enable an SSO login setup.