This group of articles describes how to set up SSO with a third-party identity provider (IdP), when Google is the service provider (SP). For SSO setup help when Google is your IdP, see SAML-based Federated SSO.
To set up SAML-based SSO with a third-party IdP, step through the process by following the blue links or the arrows above:
- Service provider SSO set up
- SAML key and verification certificate creation and upload
- SSO sign in
- Network Mapping results
- (Optional) Override SSO for selected organizational units or groups
For more information on setting up partial SSO, check out the following video overview.
About single sign-on (SSO)
SSO lets users sign in just one time to get access to all their enterprise cloud applications. When SSO is set up, users can sign in to their third-party IdP, then access Google apps directly without a second sign-in, with these exceptions:
- Even if they've already signed in to their IdP, as an extra security measure, Google will sometimes ask them to verify their identity. For more information, (and details on how to disable this verification if necessary), see Understanding SAML secure sign-in.
- You can set up additional two-step verification for users who access Google services. Two-step verification is normally bypassed when SSO is turned on. See Enable challenges with SSO.
SSO is also available on Chrome devices. For details, see Configure SAML single sign-on for Chrome Devices.
Pre-2.1 Android devices use Google authentication. If you try to sign in with these devices, you are prompted for your full managed Google account email address (including username and domain), and you go directly to the application after you sign in. Google does not redirect you to the SSO sign-in page, regardless of the network mask.
With iOS applications, when the SSO Sign-in page URL starts with "google." (or some variation), the Google iOS app is redirected to Safari. This causes the SSO process to fail. The full list of forbidden prefixes is:
You'll need to change any SSO Sign-in page URLs that have these prefixes.
How does the password change URL affect password changes?
If you specify a URL in the Change password URL option, all users, other than super administrators, who try to change their password at https://myaccount.google.com/ will be directed to the URL you specify. This setting applies even if you do not enable SSO. Also, network masks do not apply.
To resolve common issues, see Troubleshoot single sign-on. There are also a number of commercial products and system integrators that provide SSO products and professional services. Search the Google Workspace Marketplace for partners and other third parties that provide SSO assistance.
Note: Google Workspace support does not provide implementation support for SSO with third-party IdPs.