As of October 2015, Google Apps can act as a SAML Identity Provider (IdP). This is good news for organizations that haven’t implemented SAML yet, because you can set up basic single sign-on without introducing a third-party service such as Okta or OneLogin.
This guide will show you the basics of setting up a new SAML app for your Google Apps domain. The walkthrough below shows the process of setting up Google as the identity provider, and your service provider (i.e. the app you want people to sign into) will have its own instructions. Looking for the Robin-specific version of this guide?
Where to find SAML Apps in Google
As an administrator on your Google account, go to the admin portal and click through to Apps > SAML Apps.
You will see a list of any existing SAML apps. Click the big plus sign in the bottom right to add a new one.
Add a new service app
Click “Setup my own custom app” near the bottom of the window.
Google IDP Information
You’ll then see your domain’s Identity Provider information. Option 1 lists the SSO URL, the Entity ID and the IdP’s X.509 signing certificate; you will need these to configure your service provider in a moment (Option 2 offers the same data as a downloadable metadata file). The certificate is what your service provider uses to check that assertions really came from Google, so copy it exactly. Open a new browser window so you can keep both handy.
Basic App Information
Add some descriptive information about the new SAML app. This is used to identify the app for everyone on your Google Apps domain.
In the final step, you map SAML attribute names to fields of your Google Apps user profiles. The attribute names are case sensitive and must match exactly what the service provider expects, because they tell the service provider which fields to read for user data. Example:
- Email: Basic Information > Primary Email
- FirstName: Basic Information > First Name
- LastName: Basic Information > Last Name
Adding your IDP to a service app
Now that you’ve added your service provider to your identity provider, complete the connection by configuring your service provider directly. Most service providers want your Entity ID, SSO URL and the IdP certificate from the Google IDP Information screen, but your service provider’s documentation will have the specifics.
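The attribute mapping above and the Entity ID handed to the service provider both end up being checked on the service-provider side when a SAML Response arrives. The following is an added example, not code from this page or from Google, of the minimal checks a service provider should run on an assertion from Google before trusting the mapped attributes: issuer against the IdP Entity ID, audience against the SP’s own Entity ID, the validity window, and an exact (case-sensitive) match on the Email / FirstName / LastName attribute names. The Entity IDs, the ACS URL and the sample response are constructed placeholders. Signature verification is deliberately left to an XML-DSig library (for example python3-saml / xmlsec) using the certificate from the IDP Information screen, and must run before these checks.

```python
"""Service-provider-side checks for a SAML Response from Google (added example).

Verifies Issuer, Audience, validity window and the case-sensitive attribute
names from the guide's mapping. It does NOT verify the XML signature: do that
first with an XML-DSig library using the certificate Google shows in Option 1.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical values: the Entity ID copied from Google's IDP Information
# screen, and the service provider's own Entity ID.
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=C00example"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"

# Attribute names exactly as configured in the Google mapping (case-sensitive).
REQUIRED_ATTRS = ("Email", "FirstName", "LastName")

# Constructed, unsigned sample response in the shape an IdP emits.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2015-10-15T12:00:00Z" Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C00example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-10-15T12:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C00example</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-10-15T11:55:00Z" NotOnOrAfter="2015-10-15T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_utc(s):
    """Parse a SAML UTC timestamp such as 2015-10-15T12:00:00Z."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, now, idp_entity_id=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID):
    """Return the mapped attributes, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions must be decrypted first)")

    # Both Issuer elements must be the Google Entity ID you configured.
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != idp_entity_id:
            raise ValueError("unexpected Issuer")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("missing Conditions or validity window")
    if not parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")

    # The assertion must be addressed to this SP, not to some other app on the same IdP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP (Audience mismatch)")

    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [n for n in REQUIRED_ATTRS if n not in attrs]  # exact, case-sensitive lookup
    if missing:
        raise ValueError("missing attributes %s (names are case-sensitive)" % missing)
    return {n: attrs[n] for n in REQUIRED_ATTRS}


def failure_reason(xml_text, now):
    """Convenience wrapper: None if the response passes, otherwise the error text."""
    try:
        validate_response(xml_text, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, parse_utc("2015-10-15T12:00:00Z")))
```

Feeding the same response with the attribute renamed to "email" fails the attribute check, which is the symptom you see when the names in the Google mapping and in the service provider do not match exactly; a response whose Audience is another app’s Entity ID fails the audience check even though it is a perfectly valid assertion from the same IdP.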
Enable the app for everyone
Once the app is configured, it will not work until you turn it on for your domain. You can turn it on for everyone in your organization or only for specific organizational units.
When turned on, your new app will show up in everyone’s app dropdown along with existing SAML apps. You may need to click “More” first to see the complete list of available apps. Clicking on this link starts an IDP-initiated workflow, and will open your app with the current user authenticated. In an IDP-initiated flow the service provider receives an assertion it did not request, so it must still verify the signature, issuer, audience and validity window before creating a session.