
    SAML-based Federated SSO

    Set up your own SAML application

    Using Security Assertion Markup Language (SAML), a user can use their G Suite credentials to sign in to enterprise cloud applications via Single Sign-On (SSO). An identity and access management (IAM) service provides administrators with a single place to manage all users and cloud applications. You don't have to manage individual user IDs and passwords tied to individual cloud applications for each of your users. An IAM service provides your users with a unified sign-on across all their enterprise cloud applications.

    Configure the pre-integrated cloud applications

    To configure a third-party pre-integrated cloud application as a service provider (SP):

    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. Click Apps > SAML apps.
    3. Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner.
      A window opens with a list of pre-integrated cloud applications.
    4. Select a pre-integrated cloud application.
      These applications have preconfigured settings to establish SSO with G Suite.
    5. Click Setup.

    For details on completing the setup for each application, see Amazon Web Services®, BlueJeans®, Box®, Cigna®, Concur®, Coupa®, DocuSign®, Dropbox®, Elastica®, Freshdesk®, GoToMeeting®, Greenhouse®, Jive®, Marketo®, NetSuite®, New Relic®, Office 365®, Panorama9®, Salesforce®, ServiceNow®, Slack®, Smartsheet®, SuccessFactors®, SugarCRM®, Tableau®, WebEx®, Workday®, Workplace by Facebook®, Zendesk®, and Zscaler®.

    Set up your own SAML app

    To establish SSO using SAML for your cloud applications that aren't in the pre-integrated apps list:

    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. Click Apps > SAML apps.
    3. Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner.
    4. Click Setup my own custom SAML App.
      The Google IDP Information window opens and the Single Sign-On URL and the Entity ID URL fields automatically populate.
    5. There are two ways to collect the service provider Setup information:
      • Copy the Entity ID and the Single Sign-On URL field values and download the X.509 Certificate, paste them into the appropriate service provider Setup fields, and then click Next.
      • Download the IDP metadata, upload it into the appropriate service provider Setup fields, and then come back to the Admin console and click Next.
    6. In the Basic Application Information window, add an application name and description.
    7. (Optional) Click Choose file next to the Upload Logo field to upload a PNG or GIF file to serve as an icon. The file size should be 256 pixels square.
    8. In the Service Provider Details window, add an ACS URL, an Entity ID, and a start URL. The ACS URL, the Entity ID, and the start URL information are all provided by the service provider, who is the creator of the enterprise cloud application you're configuring for SSO.
    9. Leave Signed Response unchecked.
    10. Click Next.
    11. (Optional) Click Add new mapping and enter a new name for the attribute you want to map.

      Note: You can define a maximum of 100 attributes over all apps. Because each app has one default attribute, the total amount includes the default attribute plus any custom attributes you add. For example, if you have 25 apps you can't add more than 3 attributes to each. Once you add 3 custom attributes to each you've reached the maximum number of 100, because each of the 25 apps always has a default attribute.

    12. In the drop-down list, select the Category and User attribute to map the attribute from the G Suite profile.
    13. Click Finish.
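
    Step 5 offers two ways to hand the IdP details to the service provider. The following added example (not part of the original article) parses a downloaded IDP metadata file and checks that manually copied Entity ID, Single Sign-On URL, and X.509 certificate values agree with it. The sample metadata, the idp.example.com URLs, the placeholder certificate bytes, and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder URLs and placeholder bytes, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-der-bytes").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 of the decoded certificate bytes; PEM armor and whitespace are ignored."""
    body = "".join(ln for ln in cert_text.splitlines() if "-----" not in ln)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def parse_idp_metadata(xml_text: str) -> dict:
    # SAML metadata never needs a DTD; refuse one instead of expanding entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element in metadata")
    urls = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = idp.findall(".//ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "sso_urls": urls,
            "cert_sha256": {cert_fingerprint(c.text or "") for c in certs}}

def check_sp_values(meta: dict, entity_id: str, sso_url: str, cert_pem: str) -> list:
    """Names of manually copied fields that disagree with the metadata."""
    checks = {
        "entity_id": entity_id == meta["entity_id"],
        "sso_url": sso_url.startswith("https://") and sso_url in meta["sso_urls"],
        "certificate": cert_fingerprint(cert_pem) in meta["cert_sha256"],
    }
    return [name for name, ok in checks.items() if not ok]
```

    An empty list from check_sp_values means the values pasted into the service provider match the metadata; any returned name identifies a field to re-copy before turning on SSO.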

    Turn on SSO to your new SAML app

    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. Go to Apps > SAML apps.
    3. Select your new SAML app.
      At the top of the gray box, click More Settings and choose:
      • On for everyone to turn on the service for all users (click again to confirm).
      • Off to turn off the service for all users (click again to confirm).
      • On for some organizations to change the setting only for some users.
    4. Ensure that your user account email IDs match those in your G Suite domain.

    Verify SSO between G Suite and your new SAML app

    1. Open the single sign-on URL for your new SAML app. You should be automatically redirected to the G Suite sign-in page.
    2. Enter your sign-in credentials.
    3. After your sign-in credentials are authenticated you will be automatically redirected back to your new SAML app.