Set up your own custom SAML application

Using SAML-based SSO

Single sign-on (SSO) lets users sign in to all their enterprise cloud applications using their managed Google account credentials. Google offers pre-integrated SSO with over 200 popular cloud applications. To set up SAML-based SSO with a custom application not in the pre-integrated catalog, follow the steps below.

Note: Automated user provisioning is not available for custom SAML applications. Automated user provisioning is only available for these SAML applications in the pre-integrated catalog. If you're an application developer, you can use this form to request that your app be added to the pre-integrated SAML app catalog.

Set up your own custom SAML app

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click Add at bottom right.
  4. Click Set up my own custom app.
    The Google IDP Information window opens and the SSO URL and Entity ID fields automatically populate.
  5. Get the setup information needed by the service provider using one of these methods:
    • Copy the SSO URL and Entity ID and download the Certificate.
    • Download the IDP metadata.
  6. (Optional) In a separate browser tab or window, sign in to your service provider and enter the information you copied in Step 5 into the appropriate SSO configuration page, then return to the Admin console.
  7. Click Next.
  8. In the Basic information window, add an application name and description.
  9. (Optional) Upload a PNG or GIF file to serve as an icon for your custom app. The icon image should be 256 pixels square.
  10. Click Next.
  11. In the Service Provider Details window, enter an ACS URL, Entity ID, and Start URL (if needed) for your custom app. These values are all provided by the service provider.
  12. Click Next.
  13. (Optional) Click Add new mapping and enter a new name for the attribute you want to map.

    Note: You can define a maximum of 500 attributes over all apps. Because each app has one default attribute, the total amount includes the default attribute plus any custom attributes you add.

  14. In the drop-down list, select the Category and User attributes to map the attribute from the Google profile.
    Note: You cannot use Employee ID for attribute mapping.
  15. Click Finish.
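
The values from Step 5 have to reach the service provider unchanged in Step 6. The following Python code is an added example, not part of Google's documentation: it reads a downloaded IDP metadata file, extracts the Entity ID, SSO URL and certificate fingerprint, and compares them with what was entered at the service provider. The sample metadata is constructed (its certificate body is placeholder bytes), and the `sp` dictionary keys and the HTTPS check on the ACS URL are assumptions made for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; the certificate is placeholder bytes, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>
        Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItY2VydA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the Entity ID, SSO URL and SHA-256 fingerprint of the signing cert."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find("md:SingleSignOnService", NS)
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None or not (cert.text or "").strip():
        raise ValueError("metadata is missing the SSO URL or the certificate")
    der = base64.b64decode("".join(cert.text.split()))  # strip line breaks first
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"),
            "cert_sha256": hashlib.sha256(der).hexdigest()}

def check_sp_settings(idp, sp):
    """Compare values entered at the service provider (hypothetical keys) with the metadata."""
    problems = []
    for key in ("entity_id", "sso_url"):
        if sp.get(key) != idp[key]:
            problems.append(f"{key} does not match IdP metadata")
    fingerprint = sp.get("cert_sha256", "").lower().replace(":", "")
    if fingerprint != idp["cert_sha256"]:
        problems.append("certificate fingerprint does not match IdP metadata")
    if urlparse(sp.get("acs_url", "")).scheme != "https":  # assumption of this example
        problems.append("ACS URL is not HTTPS")
    return problems
```

An empty list from `check_sp_settings` means the service provider holds the same Entity ID, SSO URL and certificate as the metadata file.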

Turn on SSO to your new SAML app

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Select your new SAML app.
  4. At the top right of the gray box, click Edit Service.

  5. To apply settings to all organizations, click On for everyone or Off for everyone, and then click Save.

  6. To apply settings to individual organizational units, do the following: 

    • At the left, select the organizational unit that contains the users whose settings you want to change.
    • To change the setting, select On or Off.
    • To keep the setting the same, even if the parent setting changes, click Override.
    • If the organization's status is already Overridden, choose an option:
      Inherit—Reverts to the same setting as its parent.
      Save—Saves your new setting (even if the parent setting changes).

    Learn more about the organizational structure.

  7. Ensure that your user account email IDs match those in the domain for your Google service.

Verify SSO between your Google service and your new SAML app

  1. Open the single sign-on URL for your new SAML app. You should be automatically redirected to the Google sign-in page.
  2. Enter your sign-in credentials.

    After your sign-in credentials are authenticated, you're automatically redirected back to your new SAML app.

Configure a pre-integrated cloud application

Google offers pre-integrated SSO for over 200 cloud applications. To configure a pre-integrated application:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the plus (+) icon in the bottom corner.

    A window opens with a list of pre-integrated cloud applications.

  4. Select a pre-integrated cloud application and follow the steps in the wizard to configure SSO for the app.