As the administrator, you need the elements and attributes listed in the following tables for SAML 2.0 SSO assertions returned to the Google Assertion Consumer Service (ACS) after the identity provider (IdP) has authenticated the user.
Guidance for attributes
If you've set up SSO via a third-party Identity provider and your IdP's SAML assertion includes an <AttributeStatement>, Google will store these attributes until the user's Google Account session expires. (Session length varies and is configurable by the administrator.) After the account session expires, attribute information is permanently deleted within a week.
As with custom attributes in Directory, assertion attributes shouldn't include sensitive personally identifiable information (PII), such as account credentials, government ID numbers, cardholder data, financial account data, healthcare information, or sensitive background information.
Recommended uses for assertion attributes would include:
- User IDs for internal IT systems
- Session-specific roles
You can only pass a maximum of 2kB of attribute data in your assertions. Assertions that exceed the maximum allowed size will be rejected altogether, and cause the sign-in to fail.
Supported character sets
The supported character set depends on whether you’re using SSO profiles or the legacy SSO profile:
- Legacy SSO profile—Attribute values must be low-ASCII strings (Unicode/UTF-8 characters are not supported and will cause the sign-in to fail).
- SSO profiles—Unicode/UTF-8 characters are supported.
Return assertions to the ACS
Troubleshoot problems
To troubleshoot issues with these assertions, use the network inspector. For instructions, see the
Google Admin Toolbox HAR Analyzer page.
If you need to contact support, use a disposable test account because the HTTP Archive (HAR) capture contains the the username and password in clear text. Or, edit the file to delete sensitive interactions between the user and the IdP. Contact
Google Workspace support.
The SAMLRequest sent to your IdP contains the relevant AssertionConsumerServiceURL. If your SAMLResponse is sent to another URL, there could be a configuration issue with your IdP.
Name ID element
| Field |
NameID element in the Subject element.
|
| Description |
NameID identifies the subject which is the user's primary email address.
It is case-sensitive.
|
|
Required
Value
|
user@example.com
|
| Example |
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com
</saml:NameID> |
Recipient attribute
| Field |
Recipient attribute in the SubjectConfirmationData element
|
| Description |
Recipient specifies the assertion consumer service URL of the service provider for which the assertion is intended.
|
|
Required
Value
|
The ACS URL value from service provider (SP) details section of the SSO profile.
|
| Example |
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
NotOnOrAfter="2014-11-05T17:37:07Z"
Recipient="https://accounts.google.com/samlrp/0abc123/acs"
InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation> |
Audience element
| Field |
Audience element in the AudienceRestriction parent element |
| Description |
Audience is a URI reference that identifies the intended audience of the assertion.
|
|
Required
Value
|
The Entity ID value from the service provider (SP) details section of the SSO profile.
|
| Example |
<saml:Conditions
NotBefore="2014-11-05T17:31:37Z"
NotOnOrAfter="2014-11-05T17:37:07Z">
<saml:AudienceRestriction>
<saml:Audience>https://accounts.google.com/samlrp/0abc123
</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
|
Destination attribute
| Field |
Destination attribute of the Response element
|
| Description |
Destination is a URI reference indicating the address to which this response has been sent.
|
|
Required
Value
|
This is an optional attribute; if it's set, it should be the ACS URL value from the service provider (SP) details section of the SSO profile. |
| Example |
<saml:Response
Destination="https://accounts.google.com/samlrp/0abc123/acs"
ID="resp-53450fcf-d45e-420f-9246-262e165563cb"
InResponseTo="_cc1ca69615a0e8719426e7a250557c5b">
IssueInstant="2024-10-04T20:17:38.726Z"
Version="2.0">
...
</saml:Response> |
Note: The SAML assertion can only contain standard ASCII characters.
Name ID element
| Field |
NameID element in the Subject element.
|
| Description |
NameID identifies the subject which is the user's primary email address.
It is case-sensitive.
|
|
Required
Value
|
user@example.com
|
| Example |
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com
</saml:NameID> |
Recipient attribute
| Field |
Recipient attribute in the SubjectConfirmationData element
|
| Description |
Recipient specifies additional data required for the subject.
example.com is probably the primary domain of your Google Workspace or Cloud Identity account, even if the user being authenticated uses a secondary domain in the same Google Workspace or Cloud Identity account.
|
|
Required
Value
|
https://www.google.com/a/example.com/acs
or
https://accounts.google.com/a/example.com/acs
|
| Example |
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
NotOnOrAfter="2014-11-05T17:37:07Z"
Recipient="https://www.google.com/a/example.com/acs"
InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation> |
Audience element
| Field |
Audience element in the AudienceRestriction parent element |
| Description |
Audience is the uniform resource identifier (URI) that identifies the intended audience that requires the value of ACS URI.
example.com is probably the primary domain of your Google Workspace or Cloud Identity account, even if the user being authenticated uses a secondary domain in the same Google Workspace or Cloud Identity account.
This element value can’t be empty.
|
|
Required
Value
|
Either of the following:
- google.com
- google.com/a/<your domain> (if you checked "Use a domain specific issuer" in your legacy SSO profile configuration.)
|
| Example |
<saml:Conditions
NotBefore="2014-11-05T17:31:37Z"
NotOnOrAfter="2014-11-05T17:37:07Z">
<saml:AudienceRestriction>
<saml:Audience>google.com/a/example.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
|
Destination attribute
| Field |
Destination attribute of the Response element
|
| Description |
Destination is the URI of where the SAML assertion is being sent.
It is an optional attribute, but if it is declared, it will need a value of the ACS URI.
example.com is probably the primary domain of your Google Workspace or Cloud Identity account, even if the user being authenticated uses a secondary domain in the same Google Workspace or Cloud Identity account.
|
|
Required
Value
|
https://www.google.com/a/example.com/acs
or
https://accounts.google.com/a/example.com/acs
|
| Example |
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_7840062d379d82598d87ca04c8622f436bb03aa1c7"
Version="2.0"
IssueInstant="2014-11-05T17:32:07Z"
Destination="https://www.google.com/a/example.com/acs"
InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen"> |
