Set up SSO using 3rd party IdPs

Service provider SSO set up

The SAML-based Federated SSO article describes the SAML instance where Google is the identity provider (IdP). This article describes the SAML instance where Google is the service provider and uses third-party IdPs.

Set up SSO

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Set up single sign-on (SSO).

    To see Security, you might have to click More controls at the bottom. 

  3. Check the Setup SSO with third party identity provider box.
  4. Enter the following URLs for your third-party IdP:
    • Sign-in page URL: The page where users sign in to your system and to Google.
    • Sign-out page URL: The page where users are redirected after signing out.

Note: All URLs must be entered and must use HTTPS, for example https://sso.domain.com.

The issuer is the entity ID element in the SAML request to the IdP.

If a username is provided in the SAML assertion without the domain suffix, it is automatically mapped to the primary domain.

You can choose whether to include a standard or domain specific issuer. When multiple domains are using SSO with the same IdP aggregator, a specific issuer can be parsed by the IdP aggregator to identify the correct domain name for the SAML request.

If you don't check the box to enable a domain specific issuer, Google will send the standard issuer, google.com, in the SAML request. If you check the box to enable this feature, Google will send an issuer specific to your domain, google.com/a/your_domain.com, where your_domain.com is replaced with your actual primary domain name.
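On the IdP or IdP-aggregator side, the issuer and username rules above can be applied as in the following added example (not Google's code or part of the original article). The tenant list, the function names and the sample request are constructed for illustration; the SAML 2.0 namespace URIs are the standard ones.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STANDARD_ISSUER = "google.com"
DOMAIN_ISSUER_PREFIX = "google.com/a/"
# Hypothetical tenant list an IdP aggregator would keep (constructed values).
KNOWN_DOMAINS = {"example.com", "example.org"}

# Constructed AuthnRequest, trimmed to the elements this example reads.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>google.com/a/example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def issuer_of(authn_request_xml):
    """Return the text of the saml:Issuer element, or raise ValueError."""
    # Stdlib parser keeps the example offline; use a hardened XML parser
    # for requests that arrive from the network.
    root = ET.fromstring(authn_request_xml)
    node = root.find("saml:Issuer", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return node.text.strip()


def domain_for_issuer(issuer):
    """Map an issuer to a tenant domain; None means the standard issuer."""
    if issuer == STANDARD_ISSUER:
        return None  # the domain cannot be derived from the issuer alone
    if not issuer.startswith(DOMAIN_ISSUER_PREFIX):
        raise ValueError("unexpected issuer: %r" % issuer)
    domain = issuer[len(DOMAIN_ISSUER_PREFIX):]
    # Exact match against the allowlist; never a substring or suffix check.
    if domain not in KNOWN_DOMAINS:
        raise ValueError("issuer names an unknown domain: %r" % domain)
    return domain


def qualify_username(name_id, primary_domain):
    """Mirror the mapping rule: a bare username belongs to the primary domain."""
    return name_id if "@" in name_id else "%s@%s" % (name_id, primary_domain)
```

Because a bare username is mapped to the primary domain, an IdP serving secondary domains should send the full address in the assertion so the user resolves to the intended account.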
