SAML SSO FAQ

Contents

What version of SAML does the SSO API support?

We currently support SAML v2.0. Visit http://www.oasis-open.org/specs/index.php#samlv2.0 to find details on the SAML v2.0 standard.

Does SAML SSO work with POP3 or IMAP?

No, SAML only works with the G Suite web applications.

Does SAML SSO work with the Gmail Atom feed?

No, the Gmail Atom feed uses HTTP basic authentication.

Does SAML SSO work with AuthSub?

Yes, SAML does work with AuthSub.

Can we use RSA instead of DSA for the single sign-on implementation?

Yes, you can choose to use RSA or DSA encryption algorithm. We accept both.

How can I generate the verification certificate required for SSO?

X509 certificates generation can be accomplished using the openssl command.

If our domain implements SSO, can we still login to Google directly?

No, with SSO implemented, domain end users can't log in to Google directly. Super administrators can still log in to the Google control panel (e.g http://www.google.com/a/yourdomain.com).

How can the non-persistent session cookie that identifies a user during a browser session be deleted (e.g. upon logout)?

After successful authentication via SAML, Google sets a session cookie to identify an user's session. When the user explicitly logs out (e.g. by clicking the logout button), this cookie needs to be destroyed. If your implementation involves persistent session management ("remember me on this computer" functionality), you may need to control how and when this cookie is destroyed. Upon logout, Google redirects to your logout servlet. In your logout servlet, you may present the user with some options that could determine whether the session cookie should be deleted or not.

Why isn't the Change password URL working?

Changes to the Change password URL in SSO Settings take about an hour to become effective.

Why does the SAMLResponse HTML form work in Firefox but not in Internet Explorer?

It may be due to Internet Explorer misinterpreting the RelayState. Internet Explorer interprets "&ltmpl" as "<mpl". To prevent this from happening, XML special characters should be escaped in the RelayState. Change { &, <, >, ', " } to { &amp;, &lt;, &gt;, &apos;, &quot; }.

How can I allow users to view the partner start page without authenticating?

See this topic in the discussion group for an example SAMLResponse.

What is the Recipient attribute which is required in the SAML Response?

According to section 4.1.4.2 of the SAML 2.0 profiles specification, the Recipient attribute should be equal to the Assertion Consumer Service (ACS) URL. It is located here:

<samlp:Response ...>
  <saml:Assertion ...>
    <saml:Subject>
      <saml:NameID ...>user@domain.com</saml:NameID>
      <saml:SubjectConfirmation ...>
        <saml:SubjectConfirmationData Recipient="https://www.google.com/a/domain.com/acs" .../>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>

See the questions below for how you can add the Recipient to the SAML Response.

How do I ensure my third-party identity provider specifies the right Recipient attribute?

If your commercial or open-source identity provider supports SAML 2.0, it should already specify the correct Recipient attribute. If you are getting one of the error messages above, it means that the Recipient attribute is incorrect. If this is the case, contact the vendor or the maintainer of the software and send them the link to this page.

With SSO, can my users authenticate themselves using the admin control panel login URL?

Yes. SAML-based Single Sign On (SSO) allows you to transfer G Suite login authority to your own identity provider software (for example, an existing login portal). Your software controls and manages the authentication of your user accounts, and G Suite will redirect a login attempt to your SSO portal. But it is important to remember your administrators will still be able to manage these services using the Google Admin console's admin login URL (https://www.google.com/a/yourdomain.com). This gives you flexibility if your SSO portal has a problem or needs updating.

What does this error message mean: "This service cannot be accessed because your login request contained no recipient information"?

It means the SAML Response is missing a required Recipient attribute.

What does this error message mean: "This service cannot be accessed because your login request contained invalid recipient information"?

It means the Recipient attribute in the SAML Response does not match the Assertion Consumer Service (ACS) URL.

What does this error message mean: "This account cannot be accessed because the login credentials could not be verified"?

This usually means that the private key used to sign the SAMLResponse does not match the public key certificate that G Suite has on file. Please upload the certificate in the SSO Settings in control panel and retry.

Was this helpful?
How can we improve it?