With single sign-on (SSO), users can access many applications without having to enter their username and password for each application. Security Assertion Markup Language (SAML) is an XML standard that enables secure web domains to exchange user authentication and authorization data.
The roles of service providers and identity providers
Google offers a SAML-based SSO service that allows partner companies to authorize and authenticate hosted users who are trying to access secure content. Google acts as the online service provider and provides services, such as Google Calendar and Gmail. Google partners act as online identity providers and control usernames, passwords, and other information used to identify, authenticate, and authorize users for web applications that Google hosts.
Many open source and commercial identity providers can help you implement SSO with Google.
SAML verification certificates
To set up SSO with third-party IdPs where Google is the service provider, you need to upload one or more verification certificates. The certificate contains the public key that Google uses to verify the IdP's signature on sign-in (SAML) responses.
- If you’re configuring the Third-party SSO profile for your organization, you upload one verification certificate.
- If you’re creating a new SAML SSO profile, you can upload two certificates, giving you the option to rotate certificates.
You’ll usually get these certificates from your IdP. However, you can also generate them yourself.
Requirements
- The certificate must be a PEM or DER formatted X.509 certificate with an embedded public key.
- The public key must be generated with the DSA or RSA algorithms.
- The public key in the certificate must match the private key used to sign the SAML response.
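The following script is an added example, not part of the Google help page, for the case where you generate the verification certificate yourself. It uses the OpenSSL command line to create an RSA key pair with a self-signed X.509 certificate in PEM form, convert the certificate to DER, report the public key algorithm embedded in the certificate, and confirm that the certificate's public key matches the private key that will sign SAML responses. It also signs and verifies a small constructed payload to show what a key mismatch looks like in practice. The file names, subject name, 2048-bit key size and three-year validity are assumptions; pick values that fit your IdP's policy.

```shell
#!/bin/sh
# Added example (not from the Google help page): create and check a SAML
# verification certificate with OpenSSL. Paths and subject are assumptions.
set -eu

# Generate a private key and a self-signed PEM certificate.
#   $1 = private key path (stays on the IdP)   $2 = certificate path (uploaded to Google)
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -subj "/CN=example-idp-saml-signing" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# Write the same certificate in DER encoding (Google accepts PEM or DER).
#   $1 = PEM certificate   $2 = DER output path
to_der() {
  openssl x509 -in "$1" -outform DER -out "$2"
}

# Print the public key algorithm carried by the certificate, e.g.
# "rsaEncryption" or "dsaEncryption" (the two families Google accepts).
#   $1 = certificate path
cert_key_algorithm() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Compare the public key embedded in the certificate with the public half
# of the private key. Prints "match" or "mismatch".
#   $1 = certificate path   $2 = private key path
check_key_match() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Sign a constructed payload with the private key and verify it with the
# certificate's public key. This is only the raw signature step; a real SAML
# response uses XML Signature, but the key relationship is the same.
# Prints "verified" or "failed".
#   $1 = certificate path   $2 = private key path
sign_and_verify() {
  tmp="$(mktemp -d)"
  printf 'constructed sample payload\n' > "$tmp/payload.txt"
  openssl dgst -sha256 -sign "$2" -out "$tmp/payload.sig" "$tmp/payload.txt"
  openssl x509 -in "$1" -noout -pubkey > "$tmp/cert-pub.pem"
  if openssl dgst -sha256 -verify "$tmp/cert-pub.pem" \
       -signature "$tmp/payload.sig" "$tmp/payload.txt" >/dev/null 2>&1; then
    echo verified
  else
    echo failed
  fi
  rm -rf "$tmp"
}

# Demo run in a temporary directory (constructed file names).
demo() {
  d="$(mktemp -d)"
  gen_cert "$d/idp-signing.key" "$d/idp-signing.pem"
  to_der "$d/idp-signing.pem" "$d/idp-signing.der"
  echo "algorithm: $(cert_key_algorithm "$d/idp-signing.pem")"
  echo "key match: $(check_key_match "$d/idp-signing.pem" "$d/idp-signing.key")"
  echo "signature: $(sign_and_verify "$d/idp-signing.pem" "$d/idp-signing.key")"
  # A second, unrelated key stands in for "wrong certificate uploaded".
  gen_cert "$d/other.key" "$d/other.pem"
  echo "wrong key: $(check_key_match "$d/idp-signing.pem" "$d/other.key")"
  rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Upload only the certificate file (`idp-signing.pem` or `idp-signing.der` in the script); the private key never leaves the IdP. If `check_key_match` prints `mismatch`, Google will reject every SAML response signed with that key, which is the usual cause of a sign-in failure right after a certificate rotation.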