Set up your own custom SAML application

Using SAML-based SSO

Single sign-on (SSO) lets users sign in to all their enterprise cloud applications using their managed Google account credentials. Google offers pre-integrated SSO with over 200 popular cloud applications.

To set up SAML-based SSO with a custom application not in the pre-integrated catalog, follow the steps below.

Set up your own custom SAML app

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Web and mobile apps.
  3. Click Add App > Add private SAML app.
  4. On the App Details page, enter the name of the custom app.
  5. Click Continue.
  6. On the Google Identity Provider details page, get the setup information needed by the service provider using one of these options:
    • Download the IDP metadata.
    • Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).
  7. (Optional) In a separate browser tab or window, sign in to your service provider and enter the information you copied or downloaded in Step 6 into the appropriate SSO configuration page, then return to the Admin console.
  8. Click Continue.
  9. In the Service Provider Details window, enter an ACS URL, Entity ID, and Start URL (if needed) for your custom app. These values are all provided by the service provider.

    Note: The ACS URL has to start with https://

  10. (Optional) Check the Signed Response box if your service provider requires the entire SAML authentication response to be signed. If this is unchecked (the default), only the assertion within the response is signed. Either way, the service provider must verify whichever signature is present against the Google certificate from Step 6, and reject responses whose signature is missing or invalid.
  11. The default Name ID is the primary email. Multi-value input is not supported.

    Tip: Check the setup articles in our SAML app catalog for any Name ID mappings required for apps in the catalog. If needed you can also create custom attributes, either in the Admin console or via Google Admin SDK APIs, and map to those. Custom attributes need to be created prior to setting up your SAML app. 

  12. Click Continue.
  13. (Optional) On the Attribute mapping page, click Add another mapping to map additional attributes.
    1. Under Google Directory attributes, click the Select field menu and choose a field name.
    2. Under App attributes, enter the corresponding attribute for your custom SAML app.

    Note: You can define a maximum of 1500 attributes over all apps. Because each app has one default attribute, the total amount includes the default attribute plus any custom attributes you add.

  14. Click Finish.

Turn on your SAML app

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Web and mobile apps.
  3. Select your SAML app.
  4. Click User access.
  5. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  6. (Optional) To turn a service on or off for an organizational unit:

    1. At the left, select the organizational unit.
    2. Select On or Off.
    3. Click Override to keep your setting if the service for the parent organizational unit is changed.
    4. If Overridden is already set for the organizational unit, choose an option:
      • Inherit—Reverts to the same setting as its parent.
      • Save—Saves your new setting (even if the parent setting changes).

    Learn more about organizational structure.

  7. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to turn on a service for a group.
  8. Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see How changes propagate to Google services.

Verify that SSO is working with your custom app

You can test both Identity Provider (IdP) initiated SSO, and (if your app supports it) Service Provider (SP) initiated SSO.

IdP-initiated

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Web and mobile apps.
  3. Select your custom SAML app. 
  4. At the top left, click Test SAML login.

    Your app should open in a separate tab. If it doesn’t, use the information in the resulting SAML error messages to update your IdP and SP settings as needed, then retest SAML login.

SP-initiated

  1. Open the SSO sign-in URL that your app (the service provider) exposes. The app should automatically redirect you to the Google sign-in page.
  2. Enter your username and password.

    After your sign-in credentials are authenticated, you're automatically redirected back to your new SAML app.
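When a test login fails, or when you want to confirm what the Signed Response option in Step 10 actually changed, the most useful artifact is the SAMLResponse form field the browser posts to the ACS URL. The script below is an added example, not code from Google or from this article: it decodes a constructed response (the entity IDs, URLs, timestamps and the user alice@example.com are placeholders, and the Signature element is an inert stand-in), reports whether the signature sits on the Response or only on the Assertion (Google's default), and runs the field checks an SP must perform: Issuer against the IdP Entity ID, Destination against the ACS URL (which must be https), Audience against the SP Entity ID, the validity window, and InResponseTo for SP-initiated flows. It does not verify the XML signature cryptographically; that is the SP library's job and must happen before any of these fields are trusted.

```python
"""Decode a posted SAMLResponse and check the fields an SP must validate."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed values standing in for what you configured in the Admin console and SP.
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=EXAMPLEID"
ACS_URL = "https://app.example.com/saml/acs"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"

# Constructed sample response (assertion-only signature, as Google sends by default).
# The ds:Signature content is a placeholder, not a real signature.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="{ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="{ACS_URL}" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_response(form_value, idp_entity_id, acs_url, sp_entity_id, request_id=None, now=None):
    """Decode the SAMLResponse form field; return signature scope, NameID and a list of problems.

    Structural and value checks only: the XML signature itself is NOT verified here.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(base64.b64decode(form_value))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return {"signature_scope": "none", "name_id": None, "problems": ["root is not samlp:Response"]}
    assertion = root.find("saml:Assertion", NS)
    # Signed Response (Step 10) puts ds:Signature directly under Response; the default signs only the Assertion.
    if root.find("ds:Signature", NS) is not None:
        scope = "response"
    elif assertion is not None and assertion.find("ds:Signature", NS) is not None:
        scope = "assertion"
    else:
        scope = "none"
        problems.append("neither the Response nor the Assertion carries a Signature")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    dest = root.get("Destination")
    if dest != acs_url:
        problems.append(f"Destination {dest!r} != ACS URL {acs_url!r}")
    if not (dest or "").startswith("https://"):
        problems.append("Destination is not https")
    in_resp = root.get("InResponseTo")
    if request_id is None and in_resp is not None:
        problems.append("IdP-initiated response unexpectedly carries InResponseTo")
    if request_id is not None and in_resp != request_id:
        problems.append(f"InResponseTo {in_resp!r} != outstanding request {request_id!r}")
    if assertion is None:
        problems.append("no plaintext saml:Assertion (encrypted or missing)")
        return {"signature_scope": scope, "name_id": None, "problems": problems}
    resp_issuer = root.find("saml:Issuer", NS)
    if resp_issuer is not None and resp_issuer.text != idp_entity_id:
        problems.append("Response Issuer != IdP entity ID")
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != idp_entity_id:
        problems.append("Assertion Issuer != IdP entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        problems.append("missing NameID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs_url):
        problems.append("SubjectConfirmationData Recipient != ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("assertion not yet valid (NotBefore)")
        if not noa or now >= _ts(noa):
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include SP entity ID")
    return {"signature_scope": scope, "name_id": name_id.text if name_id is not None else None, "problems": problems}


def check_sample(xml_text=SAMPLE_RESPONSE_XML, request_id="_req1", now_iso="2024-05-01T12:01:00Z"):
    """Encode the sample as the browser would post it and inspect it at a fixed instant."""
    form_value = base64.b64encode(xml_text.encode()).decode()
    return inspect_saml_response(form_value, IDP_ENTITY_ID, ACS_URL, SP_ENTITY_ID, request_id, _ts(now_iso))


if __name__ == "__main__":
    print(check_sample())
```

To use it on a real test login, capture the `SAMLResponse` value from the POST to the ACS URL in the browser's developer tools and pass it to `inspect_saml_response` with the Entity ID from Step 6, the ACS URL and SP Entity ID from Step 9, and, for SP-initiated tests, the ID of the AuthnRequest the app sent; a "Destination" or "Audience" problem almost always means a typo in Step 9, and a "signature_scope" of "assertion" on an SP that insists on a signed Response means Step 10 still needs to be checked.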

Configure a pre-integrated cloud application

Google offers pre-integrated SSO for over 200 cloud applications. To configure a pre-integrated application:

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > Web and mobile apps.
  3. Click Add app > Search for apps.
  4. Enter the SAML app name in the search field.
  5. In the search results, hover over the SAML app and click Select.
  6. Follow the steps in the wizard to configure SSO for the app.