To set up SSO using the SAML instance where Google is the service provider (SP), you need to generate a set of public and private keys and an X.509 certificate that contains the public key. The public keys and certificates must be generated with either the RSA or DSA algorithm and registered with Google. To register, you upload the key and certificate via your Google Admin console.
The way you generate keys and certificates often depends on your development platform and programming-language preference. X509 certificates can be generated using the
openssl command. To create public and private key pairs, you can use OpenSSL, the Certificate Creation tool and the Pvk2pfx tool in .NET, Keytool in Java, or Java Cryptography Architecture. For details, see Generate Keys and Certificates for SSO.
- Upload your verification certificate.
The certificate file must be an X.509-formatted certificate with an embedded public key.
The certificate file must contain the public key so that Google can verify sign-in requests.
The public key must be generated with the DSA or RSA algorithms. This key is used to verify the SAML response you send to Google—that is, did the SSO assertion really come from you? It also makes sure the SSO assertion wasn't modified during transmission.
It is important to match the embedded public key in the X.509 certificate with the private key you use to sign the SAML response.
Only Chrome confirms that your certificate has been uploaded. Other browsers don't.
- Optionally, check the Use a domain-specific issuer box to enable a domain-specific issuer. If you enable this feature, Google sends an issuer specific to your domain, google.com/a/your_domain.com, where your_domain.com is replaced with your actual domain name.
If you don't check the box to enable a domain-specific issuer when you set up SSO, Google sends the standard issuer, google.com, in the SAML request.
- Click Save Changes.
For more information, see Partner-operated SAML Single Sign-On (SSO) Service.