Set up your own custom SAML application

Using SAML-based SSO

Single sign-on (SSO) lets users sign in to all their enterprise cloud applications using their managed Google account credentials. Google offers pre-integrated SSO with over 200 popular cloud applications.

To set up SAML-based SSO with a custom application not in the pre-integrated catalog, follow the steps below.

Set up your own custom SAML app

  1. From the Admin console Home page, go to Apps and then Web and mobile apps.

  2. Click Add App and then Add custom SAML app.
  3. On the App Details page:
    1. Enter the name of the custom app.
    2. (Optional) Upload an app icon. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.
  4. Click Continue.
  5. On the Google Identity Provider details page, get the setup information needed by the service provider using one of these options:
    • Download the IDP metadata.
    • Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).
  6. (Optional) In a separate browser tab or window, sign in to your service provider and enter the information you copied in Step 4 into the appropriate SSO configuration page, then return to the Admin console.
  7. Click Continue.
  8. In the Service Provider Details window, enter an ACS URL, Entity ID, and Start URL (if needed) for your custom app. These values are all provided by the service provider.

    Note: The ACS URL has to start with https://

  9. (Optional) Check the Signed Response box if your service provider requires the entire SAML authentication response to be signed. If this is unchecked (the default), only the assertion within the response is signed.
  10. The default Name ID is the primary email. Multi-value input is not supported.

    Tip: Check the setup articles in our SAML app catalog for any Name ID mappings required for apps in the catalog. If needed you can also create custom attributes, either in the Admin console or via Google Admin SDK APIs, and map to those. Custom attributes need to be created prior to setting up your SAML app.

  11. Click Continue.
  12. (Optional) On the Attribute mapping page, click Add another mapping to map additional attributes.

    Note: You can define a maximum of 1500 attributes over all apps. Because each app has one default attribute, the total amount includes the default attribute plus any custom attributes you add.

    1. Under Google Directory attributes, click the Select field menu to choose a field name.
    2. Under App attributes, enter the corresponding attribute for your custom SAML app.
  13. (Optional) If you want to send a user's group membership information in the SAML response, enter the group names that are relevant for this app in the Group membership field.

    This feature is currently in beta and not yet available to all customers.

    1. Under Google groups, click in the Search for a group entry field.
    2. Type one or more letters of the group name.
    3. Choose the group name from the dropdown list.
    4. Add additional groups as needed (total groups cannot exceed 75).
    5. Under App attribute, enter the service provider's corresponding groups attribute name.

    Note: Regardless of how many group names you enter, the SAML response will only include groups that a user is a member of (directly or indirectly). For more information, see About group membership mapping.

  14. Click Finish.
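
On the service provider side, a decoded SAML response can be compared with the values entered in steps 8 to 13. The following is an added example, not Google's code: it assumes a standard SAML 2.0 response layout, and the URLs, the `groups` attribute name and the sample response are constructed. It reports which element carries a signature; it does not validate the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: Signed Response unchecked, so only the assertion is signed.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://sp.example.com/saml/acs">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>sec-team</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text, acs_url, entity_id, groups_attr="groups"):
    """Compare a decoded SAML response with the values entered in the wizard."""
    # For untrusted input, use a hardened parser such as defusedxml instead.
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    findings = []
    if not acs_url.startswith("https://"):
        findings.append("ACS URL does not start with https://")
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match ACS URL")
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append("Entity ID missing from Audience")
    groups = [v.text for v in assertion.iterfind(
        f".//saml:Attribute[@Name='{groups_attr}']/saml:AttributeValue", NS)]
    return {
        # Direct children only: shows which element carries the signature.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "groups": groups,
        "findings": findings,
    }
```

If the service provider requires a signature on the whole response, `response_signed` being false here corresponds to the Signed Response box in step 9 being left unchecked.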

Turn on your SAML app

  1. From the Admin console Home page, go to Apps and then Web and mobile apps.

  2. Select your SAML app.
  3. Click User access.

  4. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  5. (Optional) To turn a service on or off for an organizational unit:

    1. At the left, select the organizational unit.
    2. To change the Service status, select On or Off.
    3. Choose one:
      • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
      • If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
        Note: Learn more about organizational structure.
  6. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to turn on a service for a group.

  7. Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

Verify that SSO is working with your custom app

You can test both Identity Provider (IdP) initiated SSO and (if your app supports it) Service Provider (SP) initiated SSO.

IdP-initiated

  1. From the Admin console Home page, go to Apps and then Web and mobile apps.

  2. Select your custom SAML app.
  3. At the top left, click Test SAML login.

    Your app should open in a separate tab. If it doesn't, use the data in the resulting SAML error messages to update your IdP and SP settings as needed, then retest SAML login.

SP-initiated

  1. Open the SSO URL for your new SAML app. You should be automatically redirected to the Google sign-in page.
  2. Enter your username and password.

    After your sign-in credentials are authenticated, you're automatically redirected back to your new SAML app.

Configure a pre-integrated cloud application

Google offers pre-integrated SSO for over 200 cloud applications. To configure a pre-integrated application:

  1. From the Admin console Home page, go to Apps and then Web and mobile apps.

  2. Click Add app and then Search for apps.

  3. Enter the SAML app name in the search field.
  4. In the search results, hover over the SAML app and click Select.
  5. Follow the steps in the wizard to configure SSO for the app.
