Set up SSO for your organization (2024)

You can set up SSO with Google as your service provider in a number of ways, depending on your organization’s needs. SSO profiles, which contain the settings for your IdP, give you the flexibility to apply different SSO settings to different users in your organization.

Google Workspace supports both SAML-based and OIDC-based SSO protocols:

If all your users will sign in through one IdP, using SAML:

  1. Follow the steps below in Configure an SSO profile for your organization.
  2. If you want to exclude some users from using SSO (and have them sign in directly to Google), follow the steps in Decide which users should use SSO, where you have the option to assign 'None' for SSO profile.

If you use multiple IdPs for your users, or use OIDC:

The steps you follow depend on the protocol used by your IdP (SAML or OIDC):

  • SAML
    1. Follow the steps below to create SSO profiles for each of your IdPs.
    2. Decide which users should use SSO.
  • OIDC
    1. Make sure you’ve configured the following prerequisites for OIDC in your organization’s Microsoft Entra ID tenant:
      • The Entra ID tenant needs to be domain verified.
      • End users must have Microsoft 365 licenses.
      • The username (primary email) of the Google Workspace admin assigning the SSO profile must match the primary email address of your Entra ID tenant admin account.
    2. Follow the steps in Decide which users should use SSO to assign the pre-configured OIDC profile to selected OUs/groups.

      Note: The Google Cloud Command Line Interface does not currently support reauthentication with OIDC.

  • If you have users within an OU (for example in a sub-OU) who don’t need SSO, you can also use assignments to turn SSO off for those users.

If your users use domain-specific service URLs to access Google services (for example, https://mail.google.com/a/example.com), you can also manage how these URLs work with SSO.

Before you begin

To set up a SAML SSO profile, you’ll need some basic configuration from your IdP’s support team or documentation:

  • Sign-in page URL: This is also known as the SSO URL or SAML 2.0 Endpoint (HTTP). This is where users sign in to your IdP.
  • Sign-out page URL: Where the user lands after exiting the Google app or service.
  • Certificate: X.509 PEM certificate from your IdP. For more information on X.509 certificates, see SAML key and verification certificate.
  • Change password URL: The page where SSO users will go to change their password (instead of changing their password with Google).

Configure the SSO profile for your organization

Use this option if all your users using SSO will use one IdP.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Authentication > SSO with third party IdP.

  3. In Third-party SSO profile for your organization, click Add SSO profile.
  4. Check the Set up SSO with third-party identity provider box.

Fill in the following information for your IdP:

  • Enter the Sign-in page URL and Sign-out page URL for your IdP.

    Note: All URLs must be entered and must use HTTPS, for example https://sso.example.com.

  • Click Upload certificate and locate and upload the X.509 certificate supplied by your IdP. For information on generating a certificate, see SAML key and verification certificate.
  • Choose whether to use a domain-specific issuer in the SAML request from Google.

    If you have multiple domains using SSO with your IdP, use a domain-specific issuer to identify the correct domain issuing the SAML request.

    • Checked: Google sends an issuer specific to your domain: google.com/a/example.com (where example.com is your primary Google Workspace domain name)
    • Unchecked: Google sends the standard issuer in the SAML request: google.com
  • (Optional) To apply SSO to a set of users within specific IP address ranges, enter a network mask. For more information see Network mapping results.

    Note: you can also set up partial SSO by assigning the SSO profile to specific organizational units or groups.

  • Enter a change password URL for your IdP. Users will go to this URL (rather than the Google change password page) to reset their passwords.

    Note: If you enter a URL here, users are directed to this page even if you don’t enable SSO for your organization.
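How an IdP serving several Workspace domains can use the issuer value described above, as an added example that is not part of the original page or of any IdP's code. The function name, the `allowed_domains` parameter and the sample request are assumptions constructed for illustration; only the two issuer formats come from the page.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STANDARD_ISSUER = "google.com"          # issuer when the box is unchecked
DOMAIN_ISSUER_PREFIX = "google.com/a/"  # issuer prefix when the box is checked

# Constructed sample request (not captured traffic); ID and timestamp are made up.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>google.com/a/example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def domain_for_request(xml_text, allowed_domains):
    """Return the Workspace domain named by the request's issuer.

    Returns None for the standard issuer, which carries no domain, so an IdP
    serving several domains cannot tell them apart from the issuer alone.
    Raises ValueError for a missing, malformed or unexpected issuer.
    """
    # ElementTree keeps the example dependency-free; a production IdP should
    # parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    issuer_el = root.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        raise ValueError("request has no Issuer")
    if issuer == STANDARD_ISSUER:
        return None
    if issuer.startswith(DOMAIN_ISSUER_PREFIX):
        domain = issuer[len(DOMAIN_ISSUER_PREFIX):].lower()
        if domain in allowed_domains:
            return domain
    raise ValueError(f"unexpected issuer: {issuer!r}")


if __name__ == "__main__":
    print(domain_for_request(SAMPLE_REQUEST, {"example.com"}))
```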

Turn off SSO for all users

If you need to turn third-party authentication off for all your users without changing the SSO profile assignment for OUs or groups, you can disable the third-party SSO profile:

  1. Uncheck Set up SSO with third-party identity provider.
  2. Click Save.

Create a SAML SSO profile

Follow these steps to create a third-party SSO profile. You can create up to 1000 profiles in your organization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Authentication > SSO with third party IdP.

  3. In Third-party SSO profiles, click Add SAML profile.
  4. Enter a name for the profile.
  5. Fill in the Sign-in page URL and other information obtained from your IdP.
  6. Enter a change password URL for your IdP. Users will go to this URL (rather than the Google change password page) to reset their passwords.
  7. Click Upload certificate to upload your certificate file.

    You can upload up to two certificates. Having two certificates allows your IdP to use either certificate when validating a user sign-in. This allows you to safely update an expiring certificate on the IdP side. For instructions see SAML verification certificates.

  8. Click Save.
  9. In the SP Details section, copy and save the Entity ID and ACS URL. You’ll need these values to configure SSO with Google in your IdP admin control panel.
  10. (Optional) If your IdP supports encrypting assertions, you can generate and share a certificate with your IdP to enable encryption. Each SAML SSO profile can have up to 2 SP certificates.
    1. Click the SP Details section to enter edit mode.
    2. Under SP certificate, click Generate certificate. (The certificate will display after you save it.)
    3. Click Save. The certificate name, expiration date, and contents are displayed.
    4. Use the buttons above a certificate to either copy the certificate contents or download as a file, then share the certificate with your IdP.
    5. (Optional) If you need to rotate a certificate, return to SP Details and click Generate another certificate, then share the new certificate with your IdP. Once you’re sure your IdP is using the new one, you can delete the original certificate.

Decide which users should use SSO

Turn SSO on for an OU or group by assigning an SSO profile and its associated IdP. Or, turn SSO off by assigning ‘None’ for the SSO profile. You can also apply a mixed SSO policy within an OU or group, for example turning SSO on for the OU as a whole, then turning it off for a sub-OU.

  1. Click Manage SSO profile assignments.
  2. If this is your first time assigning the SSO profile, click Get started. Otherwise, click Manage.
  3. On the left, select the organizational unit or group to which you’re assigning the SSO profile.
    • If the SSO profile assignment for an OU or group differs from your domain-wide profile assignment, an override warning appears when you select that OU or group.
    • You can’t assign the SSO profile on a per-user basis. The Users view lets you check the setting for a specific user.
  4. Choose an SSO profile assignment for the selected OU or group:
    • To exclude the OU or group from SSO, choose None. Users in the OU or group will sign in directly with Google.
    • To assign another IdP to the OU or group, choose Another SSO profile, then select the SSO profile from the dropdown list.
  5. (SAML SSO profiles only) After selecting a SAML profile, choose a sign-in option for users who go directly to a Google service without first signing in to the SSO profile's third-party IdP. You can prompt users for their Google username, then redirect them to the IdP, or require users to enter their Google username and password.

    Note: If you choose to require users to enter their Google username and password, the Change password URL setting for this SAML SSO profile (available at SSO Profile > IDP details) is ignored. This ensures that users are able to change their Google passwords as needed.

  6. Click Save.
  7. Assign SSO profiles to other OUs or groups as needed.

After you close the Manage SSO profile assignments card, you’ll see the updated assignments for OUs and groups in the Manage SSO profile assignments section.

Remove an assignment from the SSO profile assignment list

  1. Click a group or organizational unit name to open its profile assignment settings.
  2. Replace the existing assignment setting with the parent organization unit setting:
    • For organizational unit assignments—click Inherit.
    • For group assignments—click Unset.
    • For root-OU assignments, set the assignment to None (or Organization's third-party SSO profile) if you want to use the Third-party SSO profile for your organization.

Manage domain-specific service URLs

The Domain-specific service URLs setting lets you control what happens when users sign in using service URLs such as https://mail.google.com/a/example.com. There are two options:

  • Redirect users to the third-party IdP. Choose this option to always route these users to the third-party IdP that you select in the SSO profile drop-down list. This can be the SSO profile for your organization, or another third-party profile (if you’ve added one).

    Important: If you have organizational units or groups that are not using SSO, don’t choose this setting. Your non-SSO users will be automatically routed to the IdP and won’t be able to sign in.

  • Require users to enter their username on Google’s sign-in page. With this option, users entering domain-specific URLs are first sent to the Google sign-in page. If they are SSO users, they’re redirected to the IdP sign-in page.
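A pre-change check for the lockout case in the Important note above, combined with the OU inheritance described in Decide which users should use SSO. This is an added example, not code from the original page and not an Admin console API: the data model, the function names and the sample OU tree are assumptions constructed for illustration, it covers OU assignments only (not groups), and it assumes a root OU with no assignment means no SSO.

```python
# Hypothetical model of SSO profile assignments; not the Admin console's API.
INHERIT = object()   # OU has no assignment of its own and uses its parent's
NONE = "None"        # SSO turned off: users sign in directly with Google

# Constructed sample: OU path -> assignment. "/" is the root OU.
ASSIGNMENTS = {
    "/": "corp-idp",
    "/Engineering": INHERIT,
    "/Engineering/Contractors": NONE,
    "/Sales": "partner-idp",
}


def effective_profile(ou_path, assignments):
    """Walk up from ou_path to the root and return the first explicit assignment."""
    path = ou_path
    while True:
        value = assignments.get(path, INHERIT)
        if value is not INHERIT:
            return value
        if path == "/":
            return NONE  # assumption: nothing assigned anywhere means no SSO
        path = path.rsplit("/", 1)[0] or "/"


def lockout_risks(assignments, redirect_domain_urls):
    """Return the OUs whose users would be sent to an IdP they cannot use.

    With "Redirect users to the third-party IdP" selected, every user of a
    domain-specific service URL is routed to the IdP, including users in OUs
    whose effective assignment is None.
    """
    if not redirect_domain_urls:
        return []
    return sorted(
        ou for ou in assignments if effective_profile(ou, assignments) == NONE
    )


if __name__ == "__main__":
    for ou in lockout_risks(ASSIGNMENTS, redirect_domain_urls=True):
        print(f"non-SSO OU affected by redirect setting: {ou}")
```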

See also

  • Signing in with SSO
  • Troubleshoot SSO
  • Multi-party approval for sensitive actions


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Article information

Author: Twana Towne Ret
