Set up SSO via a third party Identity provider

Assign SSO profile to organizational units or groups

If you add and enable a third-party SSO profile for your domain, all users in your domain will sign in to Google services via your third-party identity provider. 

If you want some of your users to sign in to Google directly, you can move those users into an organizational unit (OU) or group. Then, manage SSO settings for the OU or group so that those users are authenticated by Google rather than using your third-party IdP. Follow these steps:.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Security.
  3. Click Set up single sign-on (SSO) with a third party IdP.
  4. Add and enable a third-party SSO profile for your organization.

    If you want all your (non-super admin) users to sign in using a third-party IdP, you can stop now. If you want some users to sign in to Google directly, continue to the next step. 

  5. Click Manage SSO profile assignments.
  6. If this is your first time assigning the SSO profile, click Get started. Otherwise, click Manage.

    Note: Get started is only available if you’ve already enabled your third-party SSO profile.

  7. On the left, select the organizational unit or group for which you’re assigning the SSO profile.
    • If the SSO profile assignment for an OU or group differs from your domain-wide profile assignment, an override warning appears when you select that OU or group.

    • You can’t assign the SSO profile on a per-user basis. The Users view let you check the setting for a specific user.

  8. For SSO profile assignment, choose None.
    • Users in the OU or group will sign in directly with Google.
    • Other users will sign in to Google services using the IdP designated in your domain’s third-party SSO profile.
  9. Click Save.

To turn SSO off for all users

If you need to turn third-party authentication off for all your users without changing the SSO profile assignment for OUs or groups, you can disable the third-party SSO profile:

  1. Go to Securityand thenSSO with third-party IDPsand thenThird-party SSO profile for your domain.
  2. Uncheck Set up SSO with third-party identity provider
  3. Click Save
Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center