All Collections
How do I integrate SSO for Google G-Suite?
How do I integrate SSO for Google G-Suite?
Devonte Lowe avatar
Written by Devonte Lowe
Updated over a week ago

Set up your own custom SAML app

  1. Make sure you're signed in to a super administrator account. Learn more

  2. In the Admin console, go to Menu Apps > Web and mobile apps.

  3. Click Add App > Add custom SAML app.

  4. On the App Details page:

    1. Enter the name of the custom app.

    2. (Optional) Upload an app icon. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.

  5. Click Continue.

  6. On the Google Identity Provider details page, get the setup information needed by the service provider using one of these options:

    • Download the IDP metadata.

    • Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).

  7. (Optional) In a separate browser tab or window, sign in to your service provider and enter the information you copied in Step 4 into the appropriate SSO configuration page, then return to the Admin console.

  8. Click Continue.

  9. In the Service Provider Details window, enter:

    • ACS URL: The service provider's Assertion Consumer Service URL is responsible for receiving the SAML response and it must start with https://.

    • Entity ID: This is a globally unique name that the service provider gives you.

    • Start URL: (Optional) This is used to set the RelayState parameter in a SAML Request, which can be a URL to redirect to after authentication.

    The service provider supplies all these values.

  10. (Optional) If your service provider requires the entire SAML authentication response to be signed, check the Signed Response box. If this is unchecked (the default), only the assertion within the response is signed.

  11. The default Name ID is the primary email. Multi-value input is not supported.

    Tip: Check the setup articles in our SAML apps catalog for any Name ID mappings required for apps in the catalog. If needed, you can also create custom attributes, either in the Admin console or via Google Admin SDK APIs, and map to those. You need to create custom attributes before setting up your SAML app.

  12. Click Continue.

  13. (Optional) On the Attribute mapping page, click Add another mapping to map additional attributes.

    Note: You can define a maximum of 1500 attributes overall for apps. Because each app has one default attribute, the total number includes the default attribute plus any custom attributes you add.

    1. Under Google Directory attributes, click the Select field menu to choose a field name.

      Not all Google directory attributes are available in the drop-down list. If an attribute you want to map (for example, Manager's email) is not available, you can add that attribute as a custom attribute, which will make it available here for selection.

    2. Under App attributes, enter the corresponding attribute for your custom SAML app.

  14. (Optional) If you want to send a user’s group membership information in the SAML response, enter the group names that are relevant to this app in the Group membership field.

    1. Under Google groups, click on the Search for a group entry field.

    2. Type one or more letters of the group name.

    3. Choose the group name from the list.

    4. Add additional groups as needed (total groups cannot exceed 75).

    5. Under App attribute, enter the service provider’s corresponding groups attribute name.

    Note: Regardless of how many group names you enter, the SAML response will only include groups that a user is a member of (directly or indirectly). For more information, see About group membership mapping.

  15. Click Finish.

Turn on your SAML app

  1. Make sure you're signed in to a super administrator account. Learn more

  2. In the Admin console, go to Menu Apps > Web and mobile apps.

  3. Select your SAML app.

  4. Click User access.

  5. To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  6. (Optional) To turn service on or off for an organizational unit:

    1. At the left, select the organizational unit.

    2. To change the Service status, select On or Off.

    3. Choose one:

      • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.

      • If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
        Note: Learn more about organizational structure.

  7. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to turn on a service for a group.

  8. Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Verify that SSO is working with your custom app

You can test both Identity Provider (IdP) initiated SSO, and (if your app supports it) Service Provider (SP) initiated SSO.


  1. Make sure you're signed in to a super administrator account. Learn more

  2. In the Admin console, go to Menu Apps > Web and mobile apps.

  3. Select your custom SAML app.

  4. At the top left, click Test SAML login.

    Your app should open in a separate tab. If it doesn’t, use the information in the resulting SAML app error messages to update your IdP and SP settings as needed, then retest the SAML login.


  1. Open the SSO URL for your new SAML app. You should be automatically redirected to the Google sign-in page.

  2. Enter your username and password.

    After your sign-in credentials are authenticated, you're automatically redirected back to your new SAML app.

Did this answer your question?