Set up SSO via a third-party identity provider

Service provider SSO setup

This article describes how to set up SSO with a third-party identity provider (IdP) for Google Workspace and managed Google Accounts. (To set up Google as the identity provider, go to SAML-based Federated SSO.)

Set up SSO

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security.
  3. Click Set up single sign-on (SSO) with a third party IdP.
  4. Check the Set up SSO with third-party identity provider box.
  5. Enter the following URLs for your third-party IdP:
    • Sign-in page URL: The page where users sign in to your system and Google Workspace.
    • Sign-out page URL: The page where users are redirected after signing out.

Note: All URLs must be entered and must use HTTPS, for example https://sso.domain.com.

About the issuer

The issuer, or entity ID, identifies the service provider that issued the SAML request.

You can choose whether to include a standard or domain-specific issuer. When multiple domains are configured to use SSO with the same IdP, a specific issuer can be parsed by the IdP to identify the correct domain name for the SAML request.

Note:

  • If you don't check Use a domain-specific issuer, Google will send the standard issuer in the SAML request:

    google.com
     
  • If you do check Use a domain-specific issuer, Google will send an issuer specific to your domain (where your_domain.com is replaced with your actual primary Google Workspace domain name):

    google.com/a/your_domain.com

About the Assertion Consumer Service

The Assertion Consumer Service, or ACS URL, tells the IdP where to redirect an authenticated user after sign-in. An ACS URL takes the following form:

https://www.google.com/a/domain.com/acs

Note: If your organization restricts access to www.google.com, please contact your organization's support team for an alternate ACS URL, and mention this article (Service provider SSO setup).

About the name ID

The name ID provided in the SAML response must contain an identifier uniquely identifying a Google Workspace user. The name ID takes one of the following forms:

  • Email address (recommended)
  • User name—If a username is provided without the domain suffix, it is automatically mapped to the primary domain. If the target user is on a secondary domain, then the user's email address must be provided.

Note: Aliases are not supported.
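
The following is an added example, not Google's code or part of the original article: IdP-side checks that parse the two issuer forms, confirm the ACS URL has the documented form for that domain, and catch a name ID that would resolve to the wrong account. The domains, the function names, and the choice to treat the standard issuer as the primary domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configuration (placeholder domains, not from the article).
PRIMARY_DOMAIN = "example.com"
ALLOWED_DOMAINS = {"example.com", "example.org"}  # primary + one secondary

# Matches "google.com" or "google.com/a/<domain>", nothing else.
ISSUER_RE = re.compile(r"google\.com(?:/a/([a-z0-9.-]+))?")


def domain_from_issuer(issuer):
    """Map a SAML request issuer to the domain it was sent for."""
    match = ISSUER_RE.fullmatch(issuer)
    if match is None:
        raise ValueError("issuer is not one of the two documented forms")
    # The standard issuer carries no domain; use the primary (assumption).
    domain = match.group(1) or PRIMARY_DOMAIN
    if domain not in ALLOWED_DOMAINS:
        raise ValueError("issuer names a domain this IdP does not serve")
    return domain


def acs_url_matches(acs_url, domain):
    """True only for the documented ACS form, over HTTPS, for this domain."""
    parts = urlsplit(acs_url)
    return (parts.scheme == "https"
            and parts.netloc == "www.google.com"
            and parts.path == f"/a/{domain}/acs"
            and not parts.query and not parts.fragment)


def account_for_name_id(name_id):
    """Account a name ID resolves to under the mapping rule described above."""
    if "@" in name_id:
        return name_id.lower()
    # A bare username is mapped to the primary domain.
    return f"{name_id.lower()}@{PRIMARY_DOMAIN}"


def name_id_is_safe(name_id, intended_email):
    """Reject a name ID that would sign the user in to a different account."""
    return account_for_name_id(name_id) == intended_email.lower()
```

For a user on the secondary domain, name_id_is_safe("alice", "alice@example.org") returns False, because the bare username resolves to the primary domain. If your organization uses an alternate ACS URL, the host comparison in acs_url_matches has to be changed to match it.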
