How to Configure SAML 2.0 for Google Workspace

Read this before you enable SAML

Enabling SAML affects all users who use this application, which means that users won't be able to sign in through their regular log in page. They'll only be able to access the app through the Okta service. However, Google Workspace users assigned to the Super Administrator role can bypass SSO and log in directly to https://admin.google.com. We highly recommend creating a Google Workspace Super Administrator account to allow for Google Workspace administrator access in the event SAML is no longer working properly.

Supported Features
Configuration Steps
Notes

Supported Features

The Okta/Google Workspace SAML integration currently supports the following features:

SP-initiated SSO
- Root organization SSO profile (RPID unset)
- Single multi-IdP SSO profile (RPID set)
IdP-initiated SSO
- Root organization SSO profile (RPID unset)
- Single multi-IdP SSO profile (RPID set)

For more information on the listed features, visit the Okta Glossary.

RPID value and SSO

In your Okta org's Google Workspace instance, the value of the RPID field on the Sign On tab determines which SSO profile is used.

If no value is specified for RPID, the root organization SSO profile is used.

If a value is specified for RPID, then a request for a multiple IdP profile is made using that value.

Configuration Steps

Go to Single Sign-on Settings in Google Workspace

Sign in to Google Workspace with the same administrator username and password used for your Google Workspace user management API credentials in Okta.

Click the Security icon:

NOTE: If the Security icon is not visible, click More Controls at the bottom of the panel and drag the Security icon into the Admin Console dashboard.
On the Security menu, select Set up single sign-on (SSO) with a third party IdP:

Complete the Single Sign-on Screen

Follow the instructions for either:

Root organization SSO profile (RPID unset)
Multi-IdP SSO profile (RPID set)

SSO profile values

Copy the following values as required when you configure an SSO profile in Google Workspace.

IDP entity ID:
Sign into the Okta Admin Dashboard to generate this variable.
Sign-in page URL:

Sign into the Okta Admin dashboard to generate this value.
Sign-out page URL:

Sign into the Okta Admin dashboard to generate this value.
Verification certificate: Download and save the following file, then locate and upload it.

Sign into the Okta Admin Dashboard to generate this variable.
Change password URL:

Sign into the Okta Admin dashboard to generate this value.

Root organization SSO profile (RPID unset)

Go to Third-party SSO profile for your organization and check Setup SSO with third party identity provider, and then enter the following:
- Sign-in page URL: Copy and paste the value from SSO profile values.
- Sign-out page URL: Copy and paste the value from SSO profile values.
- Verification certificate: Copy and paste the value from SSO profile values.
- Check Use a domain-specific issuer.
- (Optional) Use the Network masks field to allow only a targeted subset of users to access your organization's Okta site. This is useful for rolling out application access in controlled phases.
- Change password URL: Copy and paste the value from SSO profile values.
- Click SAVE.
Done!

Your users are ready to single sign-on to Google Workspace!

Multi-IdP SSO profile (RPID set)

Go to Third-party SSO profiles, click Add SAML profile and then enter the following:
- Enter a valid SSO profile name.
- IDP entity ID: Copy and paste the value from SSO profile values.
- Sign-in page URL:Copy and paste the value from SSO profile values.
- Sign-out page URL: Copy and paste the value from SSO profile values.
- Change password URL: Copy and paste the value from SSO profile values.
- Verification certificate: Copy and paste the value from SSO profile values.
- Click SAVE.
- SP Details section: Copy the rpid query parameter value and set it to the value of the RPID field on the Sign On of the app instance in Okta.
  
  In the example below, the rpid value is 03gat3kx0uxkf0g
Done!

Your users are ready to single sign-on to Google Workspace!

Notes

Verify that you entered the correct value in the Your Google Workspace company domain field under the General tab in Okta. Entering the wrong value will prevent you from using SAML to authenticate to Google Workspace.
When Super Administrators try to sign in to accounts.google.com, they'll be prompted for their full Google Workspace email address & password. Google doesn't redirect Super Administrators to the SSO Server.
A backdoor URL is always enabled for administrator accounts to login using a username and password. It can be accessed at https://www.google.com/a/[DOMAIN].
Ensure that you assigned your previously created multiple-IdP SAML profile to an Org Unit or a Group by going to Manage SSO profile assignments and clicking Manage. Only users from that Org Unit or Group can be used with the Google Workspace app instance in Okta that has an RPID value set on the Sign On tab. Even if you import all organization users from Google to your app instance in Okta, only assign users from the Org Unit or Group used with the previously created SSO profile assignment.
Make sure that Domain-specific Service URLs are set to Require users to enter their username on Google's sign-in page first.
You can read about additional user management features in the online documentation.

SP-initiated SSO

Go to https://www.google.com/a/[DOMAIN]/ServiceLogin?continue=[SERVICE], where:

[DOMAIN] is your Google domain (the same value that you entered in Okta)
[SERVICE] is the Google service that you want to redirect to after authentication.

For example: https://www.google.com/a/acme.com/ServiceLogin?continue=https://mail.google.com.

Disabling SAML

Clear the Setup SSO with third party identity provider checkbox.
Delete any values from the Sign-in page URL, Sign-out page URL, and Change password URL fields. This ensures that users don't get redirected to Okta to login, as the Sign-in URL property is still enabled.