Set up your own custom SAML app

Using SAML-based SSO

Single sign-on (SSO) lets users sign in to all their enterprise cloud apps using their managed Google Account credentials. Google offers preintegrated SSO with over 200 popular cloud apps.

Perform these steps to set up SAML-based SSO with a custom app that is not in the preintegrated catalog.

Set up your own custom SAML app

Expand all  |  Collapse all

Step 1: Add the custom SAML app
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Click Add Appand thenAdd custom SAML app.
    Enter the app name and, optionally, upload an icon for your app. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.
  4. Click Continue.
  5. On the Google Identity Provider details page, get the setup information needed by the service provider using one of these options:
    1. Download the IDP metadata.
    2. Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).
  6. (Optional) To enter the information into the appropriate SSO configuration page, in a separate browser tab or window, sign in to your service provider and enter the information you copied in Step 5, then return to the Admin console.
  7. Click Continue.
  8. Contact your service provider for these field values. In the Service Provider Details window, enter:
    1. ACS URL—The service provider's Assertion Consumer Service URL receives the SAML response. It must start with https://.
    2. Entity ID—The globally unique name.
    3. Start URL—(Optional) This sets the RelayState parameter in a SAML Request, which can be a URL to redirect to after authentication.
  9. (Optional) To indicate that your service provider requires the entire SAML authentication response to be signed, check the Signed response box. If this is unchecked (the default), only the assertion within the response is signed.
  10. (Optional) Set Name ID format and Name ID value for your custom SAML app. The default Name ID is the primary email.
    Tip: Check the setup articles in our SAML apps catalog for any Name ID mappings required for apps in the catalog.  You can also create custom attributes, either in the Admin console or via Google Admin SDK APIs, and map to those.
  11. Click Continue.
  12. If needed, click Add mapping to map user attributes based on the service provider’s requirements.
    Note: You can define a maximum of 10,000 attributes over all apps. Because each app has one default attribute, the count includes the default attribute plus any custom attributes you add.
    1. For Google Directory attributes, click the Select field menu to choose a field name. Not all Google directory attributes are available in the drop-down list. If an attribute you want to map (for example, Manager's email) is not available, you can add that attribute as a custom attribute, which will make it available here for selection.
    2. For App attributes, enter the corresponding attribute for your custom SAML app.
  13. (Optional) To enter group names that are relevant for this app:
    1. For Group membership (optional), click Search for a group, enter one or more letters of the group name, and select the group name.
    2. Add additional groups as needed (maximum of 75 groups).
    3. For App attribute, enter the groups attribute name of the corresponding service provider.

    Regardless of how many group names you enter, the SAML response includes only groups that a user is a member of (directly or indirectly). For more information, go to About group membership mapping.

  14. Click Finish.
Step 2: Turn on your SAML app
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Select your SAML app.
  4. Click User access.
  5. To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  6. (Optional) To turn a service on or off for an organizational unit:
    1. At the left, select the organizational unit.
    2. To change the Service status, select On or Off.
    3. Choose one:
      • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
      • If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
        Note: Learn more about organizational structure.
  7. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.
  8. Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Step 3: Verify that SSO is working with your custom app

You can test for both identity provider-initiated (IdP) SSO and service provider-initiated (SP) SSO.

IdP-initiated

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.
  3. Select your custom SAML app. 
  4. At the top left, click Test SAML login

    Your app should open in a separate tab. If it doesn’t, use the information in the resulting SAML app error messages to update your IdP and SP settings as needed, then retest SAML login.

SP-initiated

  1. Open the SSO URL for your new SAML app. You should be automatically redirected to the Google sign-in page.
  2. Enter your username and password.

    After your sign-in credentials are authenticated, you're redirected back to your new SAML app. 

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
5987249669205499371
true
Search Help Center
true
true
true
true
true
73010
false
false