SSO: Google

This article describes how to configure Google as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your Google environment as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their Google credentials.

To follow this process, you must be able to add applications to your Google environment and be a workplace administrator in your digital workplace.

Configuring a Google single sign-on application

Follow these steps to configure a SAML app in your Google environment:

  1. Select Google Apps followed by Admin.
    The Admin app.
  2. Select Apps.
    The Apps icon.
  3. Select the SAML apps card.
    The SAML apps card.
  4. Select Add a service/App to your domain.
    The add a service button.
  5. Select Setup My Own Custom App.
    The Setup my own custom app option.
  6. Copy the following IdP information and then select Next:
    • SSO URL
    • Certificate
      The Google IdP information window.
  7. Enter an Application Name and then select Next.
    The Basic information for your Custom App page.
  8. Configure the service provider details and then select Next:
    • ACS URL: Enter your digital workplace URL with /saml.digest appended to it.
    • Entity ID: Enter your digital workplace URL with /saml.digest appended to it.
    • Start URL: Enter your digital workplace URL.
    • Signed Response: Don't select.
    • Name ID: Set to Primary Email.
      The Service Provider Detail page.
  9. Select Add New Mapping.
    The Attribute Mapping page.
  10. Create the following mappings and then select Finish:
    • FName - Basic Information - First Name
    • LName - Basic Information - Last Name
    • Email - Basic Information - Primary Email
      Configured attribute mappings.
  11. Select the vertical ellipsis associated with your new SAML App and turn it on.
    Turning the SAML App on for a set of users.

Configuring your digital workplace's single sign-on

  1. Go to your digital workplace and sign in.
  2. Select Control Panel.
  3. Under Membership, select Sign In Settings.
  4. Select Configure SAML Authentication.
  5. Configure the settings as described in the Configuration settings table below.
  6. Select Save.
Configuration settings

Connection Name

Enter a name for this connection. If you configure Sign in Settings to Use SAML button on "Sign in" screen, this name will be displayed on the button.

IdP Login URL

Copy and paste the SSO URL from the Google set-up instructions into this field.

IdP Logout URL

Leave this field blank; Google does not support SLO.

Logout Response and Request HTTP Type

Ignore this option; Google does not support SLO.

Logout Final Redirect URL

Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage.
Binding Type

Select POST.

Public Certificate

Copy and paste the Certificate from the Google set-up instructions into this field. You will need to open the certificate file using a text editor.

Identity Provider

Select Other.

Identifier Type

Select Email Address.

Identifier Path

Enter /samlp:Response/saml:Assertion/saml:Subject/saml:NameID.

Session Index Path

Enter /samlp:Response/saml:Assertion/saml:AuthnStatement.

Email Path

Enter /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="Email"]/saml:AttributeValue.

First Name Path

Enter /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="FName"]/saml:AttributeValue.

Last Name Path

Enter /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="LName"]/saml:AttributeValue.

Drift Time

Enter 5.

User creation on Sign in

Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace.

Options include:

  • Create a new user in your site when they sign in (Users will be added to manage members on sign in)
  • Do not create new users when they sign in (Users not in manage members will be denied access)

When creating new users in your digital workplace this way, they will be created with the following details:

  • First Name (from First Name Path)
  • Last Name (from Last Name Path)
  • Email Address (from Email Path) 
  • CustomIdentifier (from Identifier Path if the Identifier Type is Custom Identifier) 
  • Membership to the All Members group.

If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.).

If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.

Sign in Settings

Select how users sign in to your workplace.

Options include:

  • Use SAML button on "Sign in" screen
  • Redirect all users to IdP

For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly.
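
As an added example (not part of this article or of the digital workplace product), the following Python script resolves the Identifier, Session Index, Email, First Name and Last Name paths from the settings above against a constructed Google-style SAML response, applies the Drift Time to the assertion's validity window, and fails when a Google attribute mapping from step 10 does not use the names (FName, LName, Email) that the paths expect. It assumes Drift Time is expressed in minutes and that the response signature has already been verified against the Public Certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespaces behind the samlp: and saml: prefixes used in the path settings.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR = "/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute"
PATHS = {  # the paths exactly as entered in the configuration settings table
    "identifier": "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID",
    "session_index": "/samlp:Response/saml:Assertion/saml:AuthnStatement",
    "email": ATTR + '[@Name="Email"]/saml:AttributeValue',
    "first_name": ATTR + '[@Name="FName"]/saml:AttributeValue',
    "last_name": ATTR + '[@Name="LName"]/saml:AttributeValue',
}

def parse_time(stamp):  # SAML timestamps are UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def find(root, path):
    # ElementTree rejects absolute paths, so check that the path starts at the
    # samlp:Response root and evaluate the remainder relative to that element.
    prefix = "/samlp:Response/"
    if root.tag != "{%s}Response" % NS["samlp"] or not path.startswith(prefix):
        raise ValueError("path must start at the samlp:Response root")
    return root.find(path[len(prefix):], NS)

def extract_user(response_xml, now, drift_minutes=5):
    # Assumes the assertion signature was already verified against the Public
    # Certificate, and that Drift Time is in minutes (an assumption, not from the page).
    root = ET.fromstring(response_xml)
    cond = find(root, "/samlp:Response/saml:Assertion/saml:Conditions")
    drift = timedelta(minutes=drift_minutes)
    if (now < parse_time(cond.get("NotBefore")) - drift
            or now >= parse_time(cond.get("NotOnOrAfter")) + drift):
        raise ValueError("assertion outside its validity window")
    nodes = {name: find(root, path) for name, path in PATHS.items()}
    missing = [name for name, node in nodes.items() if node is None]
    if missing:  # e.g. a Google mapping named FirstName instead of FName
        raise ValueError("no value at path(s): " + ", ".join(missing))
    user = {name: node.text for name, node in nodes.items()}
    user["session_index"] = nodes["session_index"].get("SessionIndex")
    return user

# Constructed sample response (not a real Google assertion) matching the mappings above.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
 <saml:AuthnStatement SessionIndex="_constructed-session-1"/>
 <saml:AttributeStatement><saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running extract_user(SAMPLE, parse_time("2024-05-01T10:07:00Z")) succeeds because the 2 minutes past NotOnOrAfter fall inside the 5 minute drift, while 10:11:00Z is rejected.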