Google Workspace SSO

Updated 1 week ago by admin

This article applies to:

  • Gmail
  • Google Drive and Docs
  • Google Calendar
  • Google Sites
  • Google Groups for Business

For this guide you will need:

  • Your Google Workspace primary domain
  • Usernames in your identity provider will need to match usernames in Google Workspace e.g. if your IdP has a user bob@acmetest.com then Google Workspace will also need the same user to exist. This may mean you have to add a secondary domain to Google Workspace.
  1. Ensure that you have a Google Workspace account that supports Single Sign on using a Third Party IdP
  2. Ensure that you have an Identity Provider configured
  3. Navigate to App Launcher -> Add Apps
  4. Select the Google App tile for the app you are adding, such as Gmail. If you do not see a tile that matches the desired Google App, select the Google App (Generic) tile and change the Application Name to the name of the app you are setting up
  1. Select an existing category or create a new category by using the Manage option. The app tile will appear in this category for IDaaS users.
  2. Within Google Admin, navigate to Account Settings -> Custom URLs and make a note of the URL for the app you are adding i.e. Gmail. Note that you may have a custom domain set up rather than the default Google URL, which usually takes the format <app>.google.com/a/<custom domain>
    Paste the link for the app into the Application URL field
  3. Select the preferred Identity Provider for this app
  4. Click Next
  5. Click the Download Certificate button and save the file on your computer
  6. Log in to Google Admin as an administrator and search for Single sign-on and select the Set up single sign-on (SSO) with a third party IdP menu option
  7. Click the pencil icon to the right of SSO profile for your organization to edit the settings
  8. Tick Set up SSO with third-party identity provider
  9. The next step is to set the Sign-in Page URL for Google to use
Remember, in this case, the IDaaS product is acting as a broker between the app and your configured Identity Provider. Therefore, the IDaaS service is the IdP.

This URL will take the format https://<your-vanity-subdomain>.beyondsso.com/idp/saml/sso and can be found by clicking the relevant Identity Provider tile in Products -> IDaaS -> Identity Providers

  1. Click the Replace certificate button and upload the certificate file from Step 9 and tick Use a domain specific issuer
  2. At this point, the Google side is configured. Unfortunately, at this moment in time, Google does not provide the option to download metadata for use with the IdP. Copy the following template into your clipboard, taking note that the CUSTOM_DOMAIN tag need to be updated in both sections before use
Important: if you plan to add multiple Google app tiles, the first app that uses the entityID google.com/a/<CUSTOM_DOMAIN> will determine the Identity Provider that all subsequent Google app tiles will use, if more are added at the end of this guide. Put simply, it is not possible to split Google Apps access across multiple Identity Providers.
<EntityDescriptor entityID="google.com/a/<CUSTOM_DOMAIN>" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/<CUSTOM_DOMAIN>/acs" />
</SPSSODescriptor>
</EntityDescriptor>
  1. Return to the Add Application wizard and click Next. When prompted, click Paste Metadata XML and then paste in the XML from the previous step
  2. Before clicking OK, change <CUSTOM_DOMAIN> to the name of your Google Workspace primary domain e.g. acmetest.com, in both parts of the XML
  3. Click OK and then Next to finalise the configuration
  4. Test the authentication by clicking the newly created Gmail tile and when prompted sign in with your identity provider credentials

Additional Google App tiles

Once a user has authenticated with the primary Google app that has been configured, they can switch between Google Apps using the selector menu.

However, it is also possible to add additional Google app tiles to the Applications list if required.

To add another app, such as Google Drive, repeat the same steps 3-8 and steps 15-17 taking care to use a unique EntityID in step 15 that matches the Application URL e.g. entityID="<APP>.google.com/a/<CUSTOM_DOMAIN>" . In the example of Google Drive the entityID would become entityID="drive.google.com/a/<CUSTOM_DOMAIN>". Failing to do this will generate an error that an application already exists with the given metadata.

Further Reading


How did we do?