Sign in

Connect Google SAML

Learn how to configure a connection to Google Workspace via SAML


Each SSO Identity Provider requires specific information to create and configure a new Connection. Often, the information required to create a Connection will differ by Identity Provider.

To create a Google SAML Connection, you'll need four pieces of information: an ACS URL, an Identity Provider Entity ID, an Identity Provider SSO URL, and an X.509 Certificate.

Start by logging into your WorkOS Dashboard and selecting "Organizations" from the left hand navigation bar.

Click on the organization you'd like to configure a Google SAML connection for and select "Add Connection".

You'll be prompted to provide the Organization's Domains, and Company Name, and additionally make sure to select "Google SAML" from the Identify Provider dropdown.

WorkOS ProvidesLink

WorkOS provides the ACS URL. It's readily available in your Connection's Settings in the Developer Dashboard.

The ACS URL is the location an Identity Provider redirects its authentication response to. In Google's case, it needs to be set by the Enterprise when configuring your application in their Google admin dashboard.

Specifically, the ACS URL will need to be set as the "ACS URL" and "Entity ID" in the "Service Provider Details" step of the Google "Enable SSO for a SAML Application" wizard:


And then, you provide the Identity Provider Issuer (Entity ID), Identity Provider SSO URL, as well as the X.509 Certificate.

Normally, this information will come from your Enterprise customer's IT Management team when they set up your application's SAML 2.0 configuration in their Google admin dashboard. But, should that not be the case during your setup, here's how to obtain them.

Log inLink

Log in to the Google admin dashboard, select "Apps" from the option list, and then select "SAML Apps" from the following list.

Next, select "Setup my own custom app" from the bottom of the "Enable SSO for SAML Application" menu.

Obtain Identity Provider DetailsLink

Copy and paste the "SSO URL" and "Entity ID" values into the corresponding Connection fields in your WorkOS Developer Dashboard. Then select "Download" to obtain the X.509 Certificate, and save it to your preferred directory.

Enter Your App's InformationLink

Enter a name, description, and logo for your application, then select “Next”.

Enter Service Provider DetailsLink

Copy and the "ACS URL" from your WorkOS Developer Dashboard and paste it into the "ACS URL" and "Entity ID" fields in the Google SAML "Service Provider Details" modal. Select "Next."

Configure Attribute MappingLink

Provide the following Attribute Mappings and select “Finish”:

Google SAML does not provide the option to map a user's id attribute claim.

Upload CertificateLink

Finally, upload the X.509 Certificate in your WorkOS Connection Settings. Your Connection will then be verified and good to go!