SAML with Google Identity

As a first step, you’ll need a Google Workspace administrator to create an App.

Starting from the Google Workspace admin page, i.e. admin.google.com, navigate to Apps > Web and mobile apps in the left navigation bar. This link will send you to a new page.

You’ll land on a page with the header Apps > Web and mobile apps. Right under the header, you’ll see a few tabs. Click Add app > Add custom SAML app. This link will send you to another new page.

You’ll see a page with a large blue header reading Add custom SAML app. This page requires you to assign the application an App name. The App name matters solely for display purposes, so you’ll typically want the App name to match your product’s name.

After typing the App name, hit the blue CONTINUE button in the lower right.

Clicking CONTINUE in the previous step will direct you to a new page, again with the same blue header.

Here, you’ll find a few important details about the new Google Identity app that SSO Setup needs to know about. Copy each of these from Google into SSO Setup.

First, scroll down to the field marked SSO URL. SSO Setup calls this the Redirect URL on the Identity Provider Configuration card for your SAML Connection. Copy this URL from Google and paste it into the SSO Setup web application.

From here, direct you attention to Google’s Entity ID field. It sits directly under the SSO URL from the previous step.

Copy this Entity ID URL and paste it into SSO Setup as the IDP Entity ID. You’ll find the input field for the IDP Entity ID adjacent to the Redirect URL input field from the previous step.

You need just one more detail from Google.

Navigate to the next field marked Certificate. Then, toward the top right corner of this Certificate field, you’ll see a download icon. Press the download icon; doing so downloads a .pem file. Its name will match the header you see here, something starting with Google and ending in SAML2_0.

Upload this .pem file to SSO Setup as the Certificate in SSO Setup’s web application.

Once you’re done with this step, SSO Setup has all the information it needs. Now you simply need to supply Google with the relevant information about SSO Setup.

A blue CONTINUE button sits toward the bottom right of the page. It may not be visible until you scroll down. Press this CONTINUE button.

Once SSO Setup knows about the Google app you’ve created, you need to tell Google about SSO Setup. Google needs two pieces of information.

First, Google asks for an ACS URL. SSO Setup calls this an Assertion Consumer Service (ACS) URL. You’ll find it on the Service Provider Configuration card for your SAML Connection. It ends in /acs.

Copy this Assertion Consumer Service (ACS) URL and paste it into Google’s ACS URL input field.

You’ll follow a similar pattern for an additional set of fields.

Directly below its ACS URL field, Google asks for an Entity ID. SSO Setup calls this the SP Entity ID. You’ll find this URL right next to the Assertion Consumer Service (ACS) URL in SSO Setup’s web application. As it turns out, the SP Entity ID looks exactly like the Assertion Consumer Service (ACS) URL, only it lacks the /acs ending.

Copy the SP Entity ID from SSO Setup and enter it as the Entity ID in Google.

Click the blue CONTINUE button in the lower right corner.

Once you’ve completed this step, we’re done! You now have your product hooked up to your Google Identity instance.

Please note that your users can not successfully log in until your Google Identity administrator assigns them to the application.