Service provider SSO set up

This article describes how to set up a SSO with third-party identity provider for G Suite and managed Google Accounts. (To set up Google as the identity provider, go to SAML-based Federated SSO.)

Set up SSO

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security.
  3. Click Set up single sign-on (SSO) with a third party IdP
  4. Check the Set up SSO with third-party identity provider box.
  5. Enter the following URLs to your third-party IdP:
    • Sign-in page URL: The page where users sign in to your system and G Suite.
    • Sign-out page URL: The page where users are redirected to after signing off.

Note: All URLs must be entered and must use HTTPS, for example https://sso.domain.com.

The issuer is the entity ID element in the SAML request to the IdP.

If a username is provided in the SAML assertion without the domain suffix, it is automatically mapped to the primary domain.

You can choose whether to include a standard or domain specific issuer. When multiple domains are using SSO with the same IdP aggregator, a specific issuer can be parsed by the IdP aggregator to identify the correct domain name for the SAML request.

If you don't check the box to Use a domain specific issuer, Google will send the standard issuer, google.com, in the SAML request. If you check the box to enable this feature, Google will send an issuer specific to your domain, google.com/a/your_domain.com, where your_domain.com is replaced with your actual primary domain name.

Was this helpful?
How can we improve it?