Set up SSO using 3rd party IdPs
Service provider SSO set up
The SAML-based Federated SSO article describes the SAML instance where Google is the identity provider (IdP). This article describes the SAML instance where Google is the service provider and uses third-party IdPs.
From the Admin console Home page, go to Security, and then the SSO settings:
You must be signed in as a super administrator for this task.
Click Set up single sign-on (SSO) for SAML applications.
Or, if you don’t have that option:
Click Set up single sign-on (SSO).
- Check the Setup SSO with third party identity provider box.
- Enter the following URLs to your third-party IdP:
- Sign-in page URL: The page where users sign in to your system and to Google.
- Sign-out page URL: The page where users are redirected to after signing off.
Note: All URLs must be entered and must use HTTPS, for example https://sso.domain.com.
The issuer is the entity ID element in the SAML request to the IdP.
If a username is provided in the SAML assertion without the domain suffix, it is automatically mapped to the primary domain.
You can choose whether to include a standard or domain specific issuer. When multiple domains are using SSO with the same IdP aggregator, a specific issuer can be parsed by the IdP aggregator to identify the correct domain name for the SAML request.
If you don't check the box to enable a domain specific issuer, Google will send the standard issuer, google.com, in the SAML request. If you check the box to enable this feature, Google will send an issuer specific to your domain, google.com/a/your_domain.com, where your_domain.com is replaced with your actual primary domain name.