Configure SAML IdP using Google App

Configuring Google App as a SAML 2.0 Provider - Using SAML-based SSO, Single sign-on (SSO) lets users sign in to all their enterprise (complete edition) cloud applications using their managed Google account credentials. You can use both Identity Provider (IdP) initiated SSO, and Service Provider (SP) initiated SSO.

Single Sign On

Prerequisites

Configure SAML IdP using Google App

Settings Import and Validation

 

Configure SAML IdP using Google App 

Set up your own custom SAML application

  1. Sign in to your admin.google.com. Sign in using your administrator account. Note: Do not use an account ending with @gmail.com example - bricker.dl.net@gmail.com.

Note: The email returned by GoogleApp must match the email of the person configuring the SAML Single Sign-on during validation. The email returned by GoogleApp must match the email of every user during registration and login as well. The email is used to find the Wasp user account during the SAML login. If for any reason, like Active Directory synchronization, the email returned by GoogleApp for a user changes that user's email in wasp must also be changed to match or the user will need to accept a new invitation and registration.

  1. From the Admin Console home page, go to Apps > SAML apps.
  2. Click on Add (the plus icon).
  3. Click on Set up my own custom app.

  1. Get the setup information needed by the service provider using one of these methods:
  1. Click Next.

 

  1. In the basic information window, add an application name and description.
  2. (Optional) Upload a PNG or GIF file to serve as an icon for your custom app. The icon image should be 256 pixels square.
  3. Click Next.

  1. In the Service Provider Details window, enter the SSO URL value you copied from the Settings into the ACS URL. Note: The ACS URL has to start with https://
  1. The default name ID is the primary email. Multi-value input is not supported. These defaults are fine.

Tip: Check the setup articles in our SAML app catalog for any Name ID mappings required for apps in the catalog. If you need to use Groups for added security, you can add Group as a custom attribute, either in the Admin Console or via Google Admin SDK APIs, and map to those. Custom attributes need to be created prior to setting up your SAML app. 

  1. Click Next.

  1. (Optional) Click Add New Mapping and enter a new name for the attribute you want to map. In the dropdown list, select the category and user attributes to map the attribute from the Google profile.

Note: You cannot use employee ID or employee type for attribute mapping.

Group, could be used, for example, for added security. If you want to map "Group" for this additional security feature, map group to the SAML standard field memberOf:

  1. Click Finish.

Turn on your SAML app

  1. Sign in to your Google Admin Console. Note: Sign in using an administrator account, not your current account.
  2. From the Admin Console home page, go to Apps > SAML apps.
  3. Select your SAML app.
  4. Click User Access.

  1. To turn on or off service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  1. To turn on or off service only for users in an organizational unit:

Learn more about organizational structure.

  1. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to turn on a service for a group.
  2. Ensure that the email addresses your users used to sign in to the SAML app match the email addresses they used to sign in to your Google domain.

Changes typically take effect in minutes but can take up to 24 hours. For details, see How changes propagate to Google services.

 


FAQs - Refer to Knowledgebase - Knowledgebase > FAQs.

Note: Use of the resources described here requires internet access.