Some companies will use Google Identity for SAML single sign-on. Please note that SAML single sign-on via Google Identity differs from “Sign in with Google,” which uses the OAuth protocol. If you want to offer your customers “Sign in with Google” functionality, you may wish to consult Google’s documentation or use another authentication vendor.

Before proceeding, please confirm that you indeed need SAML single sign-on via Google.

As a first step, you’ll need a Google Workspace administrator to create an App.

1

Creating a custom SAML app in Google Identity

Starting from the Google Workspace admin page, i.e. admin.google.com, navigate to Apps > Web and mobile apps in the left navigation bar. This link will send you to a new page.

Selecting Apps > Web and mobile apps in the Google Workspace admin console

You’ll land on a page with the header Apps > Web and mobile apps. Right under the header, you’ll see a few tabs. Click Add app > Add custom SAML app. This link will send you to another new page.

Navigating to Add app > Add custom SAML app

You’ll see a page with a large blue header reading Add custom SAML app. This page requires you to assign the application an App name. The App name matters solely for display purposes, so you’ll typically want the App name to match your product’s name.

After typing the App name, hit the blue CONTINUE button in the lower right.

Naming the application after your product
2

Configure SAML Connection | Enter Google details in SSOReady

Clicking CONTINUE in the previous step will direct you to a new page, again with the same blue header.

The previous page enumerated a few steps directly below its header. It’s totally normal for those to have disappeared. You’re likely still on the right track. Scroll up on this page to display the steps again.

Here, you’ll find a few important details about the new Google Identity app that SSOReady needs to know about. Copy each of these from Google into SSOReady.

First, scroll down to the field marked SSO URL. SSOReady calls this the Redirect URL on the Identity Provider Configuration card for your SAML Connection. Copy this URL from Google and paste it into the SSOReady web application.

Copying Google's 'SSO URL' and pasting into SSOReady as the 'Redirect URL'

From here, direct you attention to Google’s Entity ID field. It sits directly under the SSO URL from the previous step.

Copy this Entity ID URL and paste it into SSOReady as the IDP Entity ID. You’ll find the input field for the IDP Entity ID adjacent to the Redirect URL input field from the previous step.

Copying Google's 'Entity ID' and pasting into SSOReady as the 'IDP Entity ID'

You need just one more detail from Google.

Navigate to the next field marked Certificate. Then, toward the top right corner of this Certificate field, you’ll see a download icon. Press the download icon; doing so downloads a .pem file. Its name will match the header you see here, something starting with Google and ending in SAML2_0.

Upload this .pem file to SSOReady as the Certificate in SSOReady’s web application.

Downloading a .pem certificate from Google and uploading it to SSOReady

Once you’re done with this step, SSOReady has all the information it needs. Now you simply need to supply Google with the relevant information about SSOReady.

A blue CONTINUE button sits toward the bottom right of the page. It may not be visible until you scroll down. Press this CONTINUE button.

3

Configure SAML Connection | Enter SSOReady details in Google

Once SSOReady knows about the Google app you’ve created, you need to tell Google about SSOReady. Google needs two pieces of information.

First, Google asks for an ACS URL. SSOReady calls this an Assertion Consumer Service (ACS) URL. You’ll find it on the Service Provider Configuration card for your SAML Connection. It ends in /acs.

Copy this Assertion Consumer Service (ACS) URL and paste it into Google’s ACS URL input field.

SSOReady's 'Assertion Consumer Service (ACS) URL' equates to Google's 'ACS URL'

You’ll follow a similar pattern for an additional set of fields.

Directly below its ACS URL field, Google asks for an Entity ID. SSOReady calls this the SP Entity ID. You’ll find this URL right next to the Assertion Consumer Service (ACS) URL in SSOReady’s web application. As it turns out, the SP Entity ID looks exactly like the Assertion Consumer Service (ACS) URL, only it lacks the /acs ending.

Copy the SP Entity ID from SSOReady and enter it as the Entity ID in Google.

SSOReady's 'SP Entity ID' equates to Google's 'Entity ID'

Click the blue CONTINUE button in the lower right corner.

Press 'CONTINUE' to complete the SAML app configuration

Once you’ve completed this step, we’re done! You now have your product hooked up to your customer’s Google Identity instance.

Please note that your users can not successfully log in until your customer’s Google Identity administrator assigns them to the application. This, however, requires no input from you.

Built with