SAML Apps in Google Apps


How to set up SAML SSO with Google Apps

As of October 2015, Google Apps can act as a SAML Identity Provider. This is great news for organizations that haven’t implemented SAML yet, because you can set up basic single sign-on authentication without introducing a third-party service such as Okta or OneLogin.

This guide will show you the basics of setting up a new SAML app for your Google Apps domain. The walkthrough below covers setting up Google as the identity provider; your service provider (i.e. the app you want people to sign into) will have its own instructions. Looking for the Robin-specific version of this guide?

Where to find SAML Apps in Google

As an administrator on your Google account, go to the admin portal and click through to Apps > SAML Apps.

SAML App setup in Google Apps

You will see a list of any existing SAML apps. Click the big plus sign in the bottom right to add a new one.

Add a new service app

Click “Setup my own custom app” near the bottom of the window.

SAML app list

Google IDP Information

IDP info for Google SAML

You’ll then see your specific Identity Provider information. You will need the info in Option 1 to configure your service provider in a moment. Open a new browser window so you can keep both handy.

Basic App Information

Add some descriptive information about the new SAML app. This is used to identify the app for everyone on your Google Apps domain.

Basic app information for Google SAML

Attribute Mapping

In the final step, you will need to map metadata attributes to your Google Apps users. They are case sensitive, and tell the service provider which fields to use for user data. Example:

  • Email: Basic Information > Primary Email
  • FirstName: Basic Information > First Name
  • LastName: Basic Information > Last Name

SAML Attribute map
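
Because the names are case sensitive, a mapping typed as `firstname` will not satisfy a service provider that looks up `FirstName`. The following is an added example, not part of the original guide or any vendor's code: it reads the attribute names from a captured SAML assertion and reports missing, empty or wrongly cased names. The sample assertion is constructed, the required names are assumed to be the three from the example mapping above, and signature validation is out of scope (this is a setup check, not a login path).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: the service provider expects the names from the example mapping.
REQUIRED = ("Email", "FirstName", "LastName")

# Constructed sample: one attribute name was entered with the wrong case.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>pat@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstname">
      <saml:AttributeValue>Pat</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="LastName">
      <saml:AttributeValue>Lee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {Name: [values]} from every AttributeStatement in the XML."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_mapping(assertion_xml, required=REQUIRED):
    """Classify each required name: ok, empty, case_mismatch or missing."""
    sent = read_attributes(assertion_xml)
    by_lower = {name.lower(): name for name in sent}
    report = {}
    for name in required:
        if name in sent:  # exact, case-sensitive match
            report[name] = "ok" if any(sent[name]) else "empty"
        elif name.lower() in by_lower:  # present, but with different case
            report[name] = "case_mismatch: sent as " + by_lower[name.lower()]
        else:
            report[name] = "missing"
    return report
```

Calling `check_mapping(SAMPLE_ASSERTION)` flags `FirstName` as sent under the name `firstname`, which is the kind of mismatch to correct in the Google attribute mapping before enabling the app.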

Adding your IDP to a service app

Now that you’ve added your service provider to your identity provider, you’ll want to complete the connection by configuring your service provider directly. Most service providers want to know your Entity ID and SSO URL, but your service provider’s documentation will have more information.

Enable the app for everyone

Once the app is configured, it will not work until you turn it on for your domain. You can turn it on for everyone in your organization or for specific organizations.

Turn on SAML app in Google

When turned on, your new app will show up in everyone’s app dropdown along with existing SAML apps. You may need to click “More” first to see the complete list of available apps. Clicking on this link starts an IDP-initiated workflow, and will open your app with the current user authenticated.

SAML app in Google dropdown

Sample Workflow

Sample SAML Authentication Workflow