
SSO assertion requirements

The following elements and attributes are required for any SAML 2.0 SSO assertions returned to the Google Assertion Consumer Service (ACS) after the identity provider (IdP) has authenticated the end-user.

Field <NameID> element in the <Subject> element
 
Description The NameID identifies the subject, which is the Google email address.
 

Required

Value

user@<yourdomain.com>
 
Example

<saml:Subject>
  <saml:NameID
      SPNameQualifier="google.com/a/yourdomain.com"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
      >user@yourdomain.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2014-11-05T17:37:07Z"
        Recipient="https://www.google.com/a/yourdomain.com/acs"
        InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen"/>
  </saml:SubjectConfirmation>
</saml:Subject>
 

 

Field <Recipient> attribute in the <SubjectConfirmationData> element
 
Description

The <Recipient> attribute specifies additional data required for the subject.

Note: Case sensitive.

Required

Value

https://www.google.com/a/<yourdomain.com>/acs
 
Example

<saml:Subject>
  <saml:NameID SPNameQualifier="google.com/a/yourdomain.com"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
      >user@yourdomain.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2014-11-05T17:37:07Z"
        Recipient="https://www.google.com/a/yourdomain.com/acs"
        InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen"/>
  </saml:SubjectConfirmation>
</saml:Subject>
 

 

Field <Audience> element in the <AudienceRestriction> parent element
Description

URI that identifies the intended audience. Its value must be the ACS URI.

Note: The element value cannot be empty.

Required

Value

https://www.google.com/a/<yourdomain.com>/acs
Example

<saml:Conditions
NotBefore="2014-11-05T17:31:37Z"
NotOnOrAfter="2014-11-05T17:37:07Z">
<saml:AudienceRestriction>
<saml:Audience>https://www.google.com/a/yourdomain.com/acs</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>

 

Field <Destination> attribute of the <Response> element
 
Description

URI to which the SAML assertion is sent.

This attribute is optional, but if it is declared, its value must be the ACS URI.

Required

Value

https://www.google.com/a/<yourdomain.com>/acs
 
Example

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_7840062d379d82598d87ca04c8622f436bb03aa1c7"
Version="2.0"
IssueInstant="2014-11-05T17:32:07Z"
Destination="https://www.google.com/a/yourdomain.com/acs"
InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen">
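
The four requirements above can be checked against a captured response before an IdP configuration goes live. The following Python is an added example, not Google's code: check_response and build_sample are hypothetical names, the sample responses are constructed for the placeholder domain yourdomain.com, and it checks field values only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_response(xml_text, domain):
    """Return the list of problems found in the four fields described above."""
    acs = f"https://www.google.com/a/{domain}/acs"
    root = ET.fromstring(xml_text)
    problems = []
    # Destination is optional, but if declared it must be the ACS URI.
    dest = root.get("Destination")
    if dest is not None and dest != acs:
        problems.append(f"Destination {dest!r} != {acs!r}")
    # NameID must carry the user's address in the domain.
    node = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    if name_id.startswith("@") or not name_id.endswith("@" + domain):
        problems.append(f"NameID {name_id!r} is not user@{domain}")
    # Recipient is case sensitive, so compare it exactly.
    node = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = node.get("Recipient") if node is not None else None
    if recipient != acs:
        problems.append(f"Recipient {recipient!r} != {acs!r}")
    # Audience cannot be empty and must be the ACS URI.
    node = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    audience = (node.text or "").strip() if node is not None else ""
    if audience != acs:
        problems.append(f"Audience {audience!r} != {acs!r}")
    return problems

def build_sample(audience, recipient):
    """Constructed response for the placeholder domain yourdomain.com (unsigned)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 Version="2.0" Destination="https://www.google.com/a/yourdomain.com/acs">
<saml:Assertion><saml:Subject>
<saml:NameID>user@yourdomain.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="{recipient}"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction>
<saml:Audience>{audience}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""

ACS = "https://www.google.com/a/yourdomain.com/acs"
GOOD = build_sample(ACS, ACS)  # constructed: every field matches the ACS URI
BAD = build_sample("https://wwww.google.com/a/yourdomain.com/acs", ACS.upper())  # constructed: host typo, wrong case
if __name__ == "__main__":
    print(check_response(GOOD, "yourdomain.com"), *check_response(BAD, "yourdomain.com"), sep="\n")
```
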
 