How to Configure SAML 2.0 for Google Workspace

Contents

• Supported Features
• Configuration Steps
• Notes

---

Supported Features

The Okta/Google Workspace SAML integration currently supports the following features:

• SP-initiated SSO
  • Root organization SSO profile (RPID unset)
  • Single multi-IdP SSO profile (RPID set)
• IdP-initiated SSO
  • Root organization SSO profile (RPID unset)
  • Single multi-IdP SSO profile (RPID set)

For more information on the listed features, visit the Okta Glossary.

---

RPID value and SSO

In your Okta org's Google Workspace instance, the value of the RPID field on the Sign On tab determines which SSO profile is used.

If no value is specified for RPID, the root organization SSO profile is used.

If a value is specified for RPID, then a request for a multiple IdP profile is made using that value.

Configuration Steps

Go to Single Sign-on Settings in Google Workspace

Sign in to Google Workspace with the same administrator username and password used for your Google Workspace user management API credentials in Okta. 

1. Click the Security icon:

   

   NOTE: If the Security icon is not visible, click More Controls at the bottom of the panel and drag the Security icon into the Admin Console dashboard.

2. On the Security menu, select Set up single sign-on (SSO) with a third party IdP:

   

Complete the Single Sign-on Screen

Follow the instructions for either:

• Root organization SSO profile (RPID unset)
• Multi-IdP SSO profile (RPID set)

SSO profile values

Copy the following values as required when you configure an SSO profile in Google Workspace.

• IDP entity ID:

  Sign into the Okta Admin Dashboard to generate this variable.

• Sign-in page URL:

  Sign into the Okta Admin dashboard to generate this value.

• Sign-out page URL:

  Sign into the Okta Admin dashboard to generate this value.

• Verification certificate: Download and save the following file, then locate and upload it.

  Sign into the Okta Admin Dashboard to generate this variable.

• Change password URL:

  Sign into the Okta Admin dashboard to generate this value.

Root organization SSO profile (RPID unset)

1. Go to Third-party SSO profile for your organization and check Setup SSO with third party identity provider, and then enter the following:

   • Sign-in page URL: Copy and paste the value from SSO profile values.

   • Sign-out page URL: Copy and paste the value from SSO profile values.

   • Verification certificate: Copy and paste the value from SSO profile values.

   • Check Use a domain-specific issuer.

   • (Optional) Use the Network masks field to allow only a targeted subset of users to access your organization's Okta site. This is useful for rolling out application access in controlled phases.

   • Change password URL: Copy and paste the value from SSO profile values.

   • Click SAVE.

   

2. Done!

Your users are ready to single sign-on to Google Workspace!

Multi-IdP SSO profile (RPID set)

1. Go to Third-party SSO profiles, click Add SAML profile and then enter the following:

   • Enter a valid SSO profile name.

   • IDP entity ID: Copy and paste the value from SSO profile values.

   • Sign-in page URL:Copy and paste the value from SSO profile values.

   • Sign-out page URL: Copy and paste the value from SSO profile values.

   • Change password URL: Copy and paste the value from SSO profile values.

   • Verification certificate: Copy and paste the value from SSO profile values.

   • Click SAVE.

   

   • SP Details section: Copy the rpid value from Entity ID in the SP details section and use it as the RPID value on the Sign On tab of the the app instance in Okta. Depending on when you created your SAML SSO integration in Google, the format is either https://accounts.google.com/samlrp/metadata?rpid=rpid_value or https://accounts.google.com/samlrp/rpid_value.

     The rpid value is 03gat3kx0uxkf0g in the following examples:

   

   

2. Done!

Your users are ready to single sign-on to Google Workspace!

---

Notes

• Verify that you entered the correct value in the Your Google Workspace company domain field under the General tab in Okta. Entering the wrong value will prevent you from using SAML to authenticate to Google Workspace.
• When Super Administrators try to sign in to accounts.google.com, they'll be prompted for their full Google Workspace email address & password. Google doesn't redirect Super Administrators to the SSO Server.
• A backdoor URL is always enabled for administrator accounts to login using a username and password. It can be accessed at https://www.google.com/a/[DOMAIN].
• Ensure that you assigned your previously created multiple-IdP SAML profile to an Org Unit or a Group by going to Manage SSO profile assignments and clicking Manage. Only users from that Org Unit or Group can be used with the Google Workspace app instance in Okta that has an RPID value set on the Sign On tab. Even if you import all organization users from Google to your app instance in Okta, only assign users from the Org Unit or Group used with the previously created SSO profile assignment.
• Make sure that Domain-specific Service URLs are set to Require users to enter their username on Google's sign-in page first.
• You can read about additional user management features in the online documentation.

SP-initiated SSO

Go to https://www.google.com/a/[DOMAIN]/ServiceLogin?continue=[SERVICE], where:

• [DOMAIN] is your Google domain (the same value that you entered in Okta)

• [SERVICE] is the Google service that you want to redirect to after authentication.

For example: https://www.google.com/a/acme.com/ServiceLogin?continue=https://mail.google.com.

Disabling SAML

1. Clear the Setup SSO with third party identity provider checkbox.

2. Delete any values from the Sign-in page URL, Sign-out page URL, and Change password URL fields. This ensures that users don't get redirected to Okta to login, as the Sign-in URL property is still enabled.