Implementing Google Workspace Sso Configuration

Core Concepts

SAML 2.0 SSO Flow

User navigates to Google Workspace app (Gmail, Drive, etc.)
        │
        ├── Google checks: Is SSO configured for this domain?
        │
        ├── YES → Redirect user to IdP Sign-In Page URL
        │          (SAML AuthnRequest sent via browser redirect)
        │
        ├── User authenticates at IdP (credentials + MFA)
        │
        ├── IdP generates SAML Response with signed assertion
        │
        ├── Browser POSTs SAML Response to Google ACS URL:
        │   https://www.google.com/a/{domain}/acs
        │
        ├── Google validates SAML signature against uploaded certificate
        │
        └── User is granted access to Google Workspace

Key SAML Parameters

Workflow

Step 1: Prepare the Identity Provider

For Okta:

1. Navigate to Applications > Add Application > Search "Google Workspace"
2. Configure the Google Workspace app with your domain
3. Assign users/groups to the application
4. Download the IdP metadata or note: SSO URL, Entity ID, Certificate

For Azure AD (Microsoft Entra ID):

1. Navigate to Enterprise Applications > New Application > Google Cloud/Workspace
2. Configure Single sign-on > SAML
3. Set Basic SAML Configuration:
   • Identifier (Entity ID): google.com
   • Reply URL (ACS): https://www.google.com/a/{your-domain}/acs
   • Sign on URL: https://www.google.com/a/{your-domain}/ServiceLogin
4. Download Federation Metadata XML or Certificate (Base64)

For ADFS:

1. Add Relying Party Trust using federation metadata
2. Configure claim rules to pass NameID as email address
3. Export the token-signing certificate

Step 2: Configure Google Workspace SSO

1. Sign in to Google Admin Console (admin.google.com) as Super Admin
2. Navigate to Security > Authentication > SSO with third-party IdP
3. Click "Add SSO profile" or configure the default profile

Third-Party SSO Profile Settings:

Step 3: Assign SSO Profile to Users

SSO profiles can be applied at different scopes:

Organization-wide (all users)
    │
    ├── Org Unit level (specific departments)
    │   ├── Engineering OU → SSO via Okta
    │   ├── Marketing OU → SSO via Azure AD
    │   └── Contractors OU → SSO via specific IdP
    │
    └── Group level (specific security groups)
        └── VPN Users → SSO with additional MFA

1. Navigate to Security > Authentication > SSO with third-party IdP
2. Select the SSO profile to assign
3. Choose organizational units or groups
4. Save and wait for propagation (up to 24 hours, typically minutes)

Step 4: Configure Network Masks (Optional)

Network masks control when SSO is enforced based on the user's IP:

• If the user's IP matches a network mask, they use Google's sign-in page
• If the user's IP does NOT match, they are redirected to the IdP

This is useful for allowing direct Google login from corporate network while enforcing SSO for external access.

Step 5: Test SSO

1. Open an incognito browser window
2. Navigate to https://mail.google.com/a/{your-domain}
3. Verify redirect to IdP sign-in page
4. Authenticate at the IdP
5. Verify successful redirect back to Google Workspace
6. Test sign-out flow redirects to IdP logout page
7. Test with user not assigned in IdP (should fail)

Validation Checklist

• IdP SAML application configured with correct ACS URL and Entity ID
• IdP signing certificate uploaded to Google Admin Console
• SSO profile assigned to target organizational units/groups
• SAML assertion includes correct NameID (email format)
• MFA enforced at IdP for all Google Workspace users
• Sign-out URL configured to terminate IdP session
• Network masks configured if internal/external access differs
• Break-glass Super Admin accounts bypass SSO (use Google auth)
• SSO tested with multiple user types (admin, standard, contractor)
• SAML response signature validated successfully
• Error handling tested (expired cert, invalid user, clock skew)

References

• Google Workspace SSO Configuration Guide
• Set Up Custom SAML App - Google
• Okta Google Workspace SAML Guide
• SAML 2.0 Technical Overview - OASIS