When using SAML SSO with Google as your IdP, some service provider applications will need your user’s group membership information to be included in the SAML response.
You can add group membership information on the attribute mapping page, available when configuring either pre-integrated SAML apps or a custom SAML app.
Rules to be aware of
- The number of group names that can be included in the SAML response is limited to 75.
- If a group is renamed (in the Admin console or via the Admin console API), you'll need to re-enter the group in the Group membership field to ensure the new group name is sent in the SAML response.
The group membership information that gets sent in the SAML response for a particular user will depend on that user’s group memberships, as well as the group structure in your domain—for example, how groups are nested.
Assume that the group names Group-1 and Group-2 are entered in the Group membership field during configuration, as shown here:
When Group-1 and Group-2 are the configured groups, the following table shows how outcomes vary for different group membership scenarios:
|If the user is part of:||SAML response sends:|
|50 groups, including Group-1, but not Group-2||Group-1|
|Group-2, and Group-2 is part of Group-1||Group-1 and Group-2|
|Group-3, and Group-3 is part of Group-1||Group-1|
|Group 1 and Group 2, and Group-2 is a member of Group-1||Group-1 and Group-2|