Okta

How to Configure SAML 2.0 for Google Workspace


Read this before you enable SAML

Enabling SAML affects all users of this application: they will no longer be able to sign in through their regular login page and can access the app only through the Okta service. However, Google Workspace users assigned to the Super Administrator role can bypass SSO and log in directly at https://admin.google.com. We highly recommend creating a Google Workspace Super Administrator account so that administrators can still access Google Workspace if SAML stops working properly.

Supported Features

The Okta/Google Workspace SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

Go to Single Sign-on Settings in Google Workspace

Sign in to Google Workspace with the same administrator username and password used for your Google Workspace user management API credentials in Okta. 

  1. Click the Security icon.

    NOTE: If the Security icon is not visible, click More Controls at the bottom of the panel and drag the Security icon into the Admin Console dashboard.

  2. On the Security menu, select Set up single sign-on (SSO) with a third party IdP.


Complete the Single Sign-on Screen

  1. Check the Setup SSO with third party identity provider checkbox, then enter the following:

    • Sign-in page URL: Copy and paste the following:

      Sign in to the Okta Admin dashboard to generate this value.

    • Sign-out page URL: Copy and paste the following:

      Sign in to the Okta Admin dashboard to generate this value.

    • Verification certificate: Download and save the following file, then locate and upload it.

      Sign in to the Okta Admin Dashboard to generate this variable.

    • Check Use a domain-specific issuer.

    • (Optional) Use the Network masks field to allow only a targeted subset of users to access your organization's Okta site. This is useful for rolling out application access in controlled phases.

    • Change password URL: Copy and paste the following:

      Sign in to the Okta Admin dashboard to generate this value.

    • Click SAVE.

  2. Done!

Your users are ready to single sign-on to Google Workspace!


Notes


SP-initiated SSO

Navigate to https://www.google.com/a/[DOMAIN]/ServiceLogin?continue=[SERVICE].

    Where:

    [DOMAIN] is your Google domain (the same value you entered in Okta).

    [SERVICE] is the Google service you want to redirect to after authentication.

    For example: https://www.google.com/a/acme.com/ServiceLogin?continue=https://mail.google.com.
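
The URL format above, as an added example that is not part of Okta's documentation: it builds an SP-initiated link from [DOMAIN] and [SERVICE] and checks existing links (bookmarks, intranet pages) so that the continue target stays on an approved https host. The function names and the allow-list of service hosts are assumptions made for illustration.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Assumption: the Google services your organization links to; adjust as needed.
ALLOWED_SERVICE_HOSTS = {"mail.google.com", "drive.google.com", "calendar.google.com"}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def _check_domain(domain):
    """Normalize [DOMAIN] and reject anything that is not a plain DNS name."""
    domain = domain.strip().lower()
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return domain

def _check_service(service):
    """Accept [SERVICE] only if it is an https URL on an allow-listed host."""
    parts = urlsplit(service)
    if parts.scheme != "https":
        raise ValueError("continue target must use https")
    if parts.hostname not in ALLOWED_SERVICE_HOSTS:
        raise ValueError(f"continue target host not allowed: {parts.hostname!r}")
    if parts.username or parts.password or parts.port:
        raise ValueError("continue target must not carry userinfo or a port")
    return service

def build_sp_initiated_url(domain, service):
    """Build the ServiceLogin URL in the same form as the example in the text."""
    domain = _check_domain(domain)
    service = _check_service(service)
    return (f"https://www.google.com/a/{domain}/ServiceLogin"
            f"?continue={quote(service, safe=':/')}")

def check_sp_initiated_url(url, expected_domain):
    """Return True if url follows the format for expected_domain with an allowed target."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "www.google.com":
        return False
    if parts.path != f"/a/{_check_domain(expected_domain)}/ServiceLogin":
        return False
    targets = parse_qs(parts.query).get("continue", [])
    if len(targets) != 1:
        return False
    try:
        _check_service(targets[0])
    except ValueError:
        return False
    return True
```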


Disabling SAML

  1. Uncheck the Setup SSO with third party identity provider checkbox.

  2. Delete any values that exist in the text boxes for Sign-in page URL, Sign-out page URL, and Change password URL. This ensures that users don't get redirected to Okta to log in, as the Sign-in URL property is still enabled.