Enabling SAML affects all users of this application: they will no longer be able to sign in through their regular login page and will only be able to access the app through the Okta service. However, Google Workspace users assigned to the Super Administrator role can bypass SSO and log in directly to https://admin.google.com. We highly recommend creating a Google Workspace Super Administrator account so that administrator access to Google Workspace remains available if SAML stops working properly.
The Okta/Google Workspace SAML integration currently supports the following features:
For more information on the listed features, visit the Okta Glossary.
Sign in to Google Workspace with the same administrator username and password used for your Google Workspace user management API credentials in Okta.
Click the Security icon.
NOTE: If the Security icon is not visible, click More Controls at the bottom of the panel and drag the Security icon into the Admin Console dashboard.
On the Security menu, select Set up single sign-on (SSO) with a third party IdP.
Check the Setup SSO with third party identity provider checkbox, then enter the following:
Sign-in page URL: Copy and paste the following:
Sign in to the Okta Admin dashboard to generate this value.
Sign-out page URL: Copy and paste the following:
Sign in to the Okta Admin dashboard to generate this value.
Verification certificate: Download and save the following file, then locate and upload it.
Sign in to the Okta Admin Dashboard to generate this variable.
Check Use a domain-specific issuer.
(Optional) Use the Network masks field to allow only a targeted subset of users to access your organization's Okta site. This is useful for rolling out application access in controlled phases.
Change password URL: Copy and paste the following:
Sign in to the Okta Admin dashboard to generate this value.
Click SAVE.
Done!
Your users are ready to single sign-on to Google Workspace!
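A phased rollout through the Network masks field in the steps above is easier to review if the planned masks are checked against known client addresses before saving. The following is an added example, not part of the original guide or of Okta's or Google's tooling; it assumes the field holds CIDR blocks separated by semicolons, that an empty field puts every address in scope, and that addresses outside the masks keep the regular sign-in page. The function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_masks(field):
    """Parse a Network masks value into ip_network objects.

    Assumed syntax: CIDR blocks separated by semicolons; anything else is rejected.
    """
    networks = []
    for entry in field.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            raise ValueError(f"not CIDR notation: {entry!r}")
        # strict=True rejects masks with host bits set (e.g. 10.1.2.3/16),
        # which usually indicates a typo in the rollout plan.
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def sso_in_scope(client_ip, networks):
    """Return True if a sign-in from client_ip would be sent to the IdP."""
    if not networks:
        # Assumption: an empty field applies SSO to all addresses.
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)


def rollout_report(field, client_ips):
    """Map each client address to whether it falls inside the pilot masks."""
    networks = parse_masks(field)
    return {ip: sso_in_scope(ip, networks) for ip in client_ips}


# Constructed sample data (documentation address ranges, not real offices).
PILOT_MASKS = "198.51.100.0/25; 203.0.113.0/24"
SAMPLE_CLIENTS = ["198.51.100.10", "198.51.100.200", "203.0.113.77", "192.0.2.5"]

if __name__ == "__main__":
    for ip, in_scope in rollout_report(PILOT_MASKS, SAMPLE_CLIENTS).items():
        print(f"{ip:16} {'SSO via Okta' if in_scope else 'regular sign-in'}")
```

Any address reported as out of scope should be confirmed as an intended exclusion, since those users would not be covered by policies enforced at Okta.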
Make sure that you entered the correct value in the Your Google Workspace company domain field under the General tab in Okta. Using the wrong value will prevent you from authenticating via SAML to Google Workspace.
When Super Administrators try to sign in to accounts.google.com, they will be prompted for their full Google Workspace email address and password. Google does not redirect Super Administrators to the SSO server.
A backdoor URL is always enabled for administrator accounts to log in using a username and password. It can be accessed at https://www.google.com/a/[DOMAIN].
You can read about additional user management features in the online documentation.
Navigate to https://www.google.com/a/[DOMAIN]/ServiceLogin?continue=[SERVICE].
Where:
[DOMAIN] is your Google domain (the same value you entered in Okta).
[SERVICE] is the Google service you want to redirect to after authentication.
For example: https://www.google.com/a/acme.com/ServiceLogin?continue=https://mail.google.com.
Uncheck the Setup SSO with third party identity provider checkbox.
Delete any values that exist in the text boxes for Sign-in page URL, Sign-out page URL, and Change password URL. This ensures that users don't get redirected to Okta to log in, as the Sign-in URL property is still enabled.