This article describes how to set up SSO with a third-party identity provider (IdP) for Google Workspace and managed Google Accounts. (To set up Google as the identity provider instead, go to SAML-based Federated SSO.)
From the Admin console Home page, go to Security.
- Click Set up single sign-on (SSO) with a third-party IdP.
- Click Add SSO profile.
- Check the Set up SSO with third-party identity provider box.
- Enter the following URLs for your third-party IdP:
- Sign-in page URL: The page where users sign in to your system and to Google Workspace.
- Sign-out page URL: The page users are redirected to after they sign out.
Note: All URLs must be entered and must use HTTPS, for example https://sso.domain.com.
About the issuer
The issuer, or entity ID, identifies the service provider (here, Google) that issued the SAML request.
You can choose between a standard and a domain-specific issuer. When several domains are configured to use SSO with the same IdP, the IdP can parse a domain-specific issuer to work out which domain the SAML request is for.
- If you don't check Use a domain-specific issuer, Google will send the standard issuer in the SAML request:
- If you do check Use a domain-specific issuer, Google will send an issuer specific to your domain (where your_domain.com is replaced with your actual primary Google Workspace domain name):
About the Assertion Consumer Service
The Assertion Consumer Service URL, or ACS URL, tells the IdP where to send its SAML response, that is, where to redirect the user's browser once the user has authenticated. An ACS URL takes the following form:
Note: If your organization restricts access to www.google.com, please contact your organization's support team for an alternate ACS URL, and mention this article (Service provider SSO setup).
About the name ID
The name ID in the SAML response must contain an identifier that uniquely identifies a Google Workspace user. It takes one of the following forms:
- Email address (recommended)
- User name: If a user name is provided without the domain suffix, it is automatically mapped to the primary domain. If the target user is on a secondary domain, the user's full email address must be provided instead.
Note: Aliases are not supported.
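The issuer handling and the name ID rules above, as an added Python example (not code from this article or from Google): IdP-side helpers that read the issuer out of a Google AuthnRequest, decide which Workspace domain the request is for, and resolve the name ID to a directory user, rejecting aliases and bare user names that do not exist on the primary domain. The issuer strings (STANDARD_ISSUER, DOMAIN_ISSUER_PREFIX), the sample AuthnRequest and the DIRECTORY user store are assumptions constructed for the example; the article does not spell the issuer values out.

```python
"""IdP-side helpers for Google Workspace SP-initiated SSO.

Added example, not code from the Google Workspace article. Assumptions:
  * the standard issuer is STANDARD_ISSUER and the domain-specific issuer
    has the shape DOMAIN_ISSUER_PREFIX + "<domain>" (assumed values);
  * SAMPLE_AUTHN_REQUEST and DIRECTORY are constructed demo data.
"""
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STANDARD_ISSUER = "google.com"            # assumed value
DOMAIN_ISSUER_PREFIX = "google.com/a/"    # assumed shape
# DNS labels only: rejects path characters, '@', whitespace and the like.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# Constructed AuthnRequest carrying a domain-specific issuer.
SAMPLE_AUTHN_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>google.com/a/example.com</saml:Issuer>
</samlp:AuthnRequest>""".encode()

# Constructed directory: {primary email: set of alias emails}.
DIRECTORY = {
    "alice@example.com": {"al@example.com"},
    "bob@sales.example.com": set(),
}


def issuer_from_authn_request(xml_bytes):
    """Return the <saml:Issuer> text of an AuthnRequest.

    Demo-only parsing: production code must verify the request signature and
    use a hardened XML parser (for example defusedxml) on untrusted input.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip()


def domain_from_issuer(issuer, configured_domains, primary_domain):
    """Decide which Workspace domain an issuer refers to.

    The standard issuer carries no domain, so it falls back to the primary
    domain. A domain-specific issuer is accepted only if its domain part is
    well formed and is one this IdP actually serves; it is never used as a
    lookup key or path component before that check.
    """
    if issuer == STANDARD_ISSUER:
        return primary_domain
    if issuer.startswith(DOMAIN_ISSUER_PREFIX):
        domain = issuer[len(DOMAIN_ISSUER_PREFIX):].lower()
        if _DOMAIN_RE.match(domain) and domain in configured_domains:
            return domain
    raise ValueError(f"unrecognised SAML issuer: {issuer!r}")


def resolve_name_id(name_id, primary_domain, directory=DIRECTORY):
    """Map a SAML NameID to a user's primary email, following the article.

    An email address is used as given but must be a primary address (aliases
    are not supported); a bare user name is mapped onto the primary domain,
    so users on secondary domains must be sent as a full address.
    """
    value = name_id.strip().lower()
    if not value or any(c.isspace() for c in value) or value.count("@") > 1:
        raise ValueError("malformed NameID")
    candidate = value if "@" in value else f"{value}@{primary_domain}"
    if candidate in directory:
        return candidate
    for primary, aliases in directory.items():
        if candidate in aliases:
            raise ValueError(f"{candidate} is an alias of {primary}; aliases are not supported")
    if "@" not in value:
        raise ValueError(f"no {candidate} on the primary domain; send a full email "
                         "address for users on secondary domains")
    raise ValueError(f"unknown user {candidate}")


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (exercises the failure paths)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    issuer = issuer_from_authn_request(SAMPLE_AUTHN_REQUEST)
    domain = domain_from_issuer(issuer, {"example.com", "sales.example.com"}, "example.com")
    print(domain, resolve_name_id("alice", "example.com"))
```

Both helpers fail closed: an issuer whose domain part is malformed or not one of the configured domains, and a name ID that turns out to be an alias or a user name that does not exist on the primary domain, raise instead of being guessed at, because the IdP is about to assert that identity to Google.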