Okta

How to Configure SAML 2.0 for Google Workspace


Read this before you enable SAML

Enabling SAML affects all users who use this application: they won't be able to sign in through Google's regular login page and can only reach the app through Okta. Google Workspace users assigned the Super Administrator role are the exception; they can bypass SSO and log in directly at https://admin.google.com. We highly recommend creating a dedicated Google Workspace Super Administrator account so you keep administrator access if SAML stops working properly. Because that account bypasses SSO, protect it with a strong unique password and Google 2-Step Verification, and keep it out of day-to-day use.

Supported Features

The Okta/Google Workspace SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


RPID value and SSO

In the Google Workspace app instance in your Okta org, the value of the RPID field on the Sign On tab determines which Google SSO profile Okta targets.

If RPID is left empty, the root organization SSO profile is used.

If RPID is set, Okta requests the multi-IdP SSO profile identified by that value.

Configuration Steps

Go to Single Sign-on Settings in Google Workspace

Sign in to Google Workspace with the same administrator username and password used for your Google Workspace user management API credentials in Okta. 

  1. Click the Security icon:


    NOTE: If the Security icon is not visible, click More Controls at the bottom of the panel and drag the Security icon into the Admin Console dashboard.

  2. On the Security menu, select Set up single sign-on (SSO) with a third party IdP:



Complete the Single Sign-on Screen

Follow the instructions for either the root organization SSO profile (RPID unset) or the multi-IdP SSO profile (RPID set), whichever matches your Okta app instance:

SSO profile values

Copy the following values as required when you configure an SSO profile in Google Workspace.

Root organization SSO profile (RPID unset)

  1. Go to Third-party SSO profile for your organization and check Setup SSO with third party identity provider, and then enter the following:

    • Sign-in page URL: Copy and paste the value from SSO profile values.

    • Sign-out page URL: Copy and paste the value from SSO profile values.

    • Verification certificate: Copy and paste the value from SSO profile values.

    • Check Use a domain-specific issuer.

    • (Optional) Use the Network masks field to apply SSO only to sign-ins coming from the listed IP address ranges; users coming from other addresses keep signing in with their Google password. This is useful for rolling out application access in controlled phases, but until the masks are removed, users outside them are not enforced through Okta.

    • Change password URL: Copy and paste the value from SSO profile values.

    • Click SAVE.


  2. Done!

  3. Your users are ready to single sign-on to Google Workspace!
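The Verification certificate pasted into either SSO profile is the Okta IdP signing certificate; if it expires or Okta rotates it, Google can no longer validate assertions and SAML "stops working properly". The following check is an added example, not Okta or Google tooling: it confirms the PEM framing is intact, prints the validity window and SHA-256 fingerprint to record alongside the profile, and fails if the certificate expires within 30 days. It assumes openssl is installed; the self-signed certificate it generates is a constructed stand-in for the certificate copied from the Okta SSO profile values.

```shell
#!/bin/sh
# Added example, not Okta or Google tooling. Assumes `openssl` is on PATH.
# Checks a PEM "Verification certificate" before it is pasted into a Google
# Workspace SSO profile.
set -eu

# check_verification_cert CERT_PEM [WARN_DAYS]
# Verifies the file is a PEM certificate, prints subject, validity window and
# SHA-256 fingerprint (record these with the SSO profile), and fails if the
# certificate expires within WARN_DAYS (default 30).
check_verification_cert() {
  cert="$1"
  warn_days="${2:-30}"
  # A common copy/paste error is dropping the BEGIN/END lines.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
    echo "not a PEM certificate: $cert" >&2
    return 1
  fi
  openssl x509 -in "$cert" -noout -subject -startdate -enddate -fingerprint -sha256
  # -checkend exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
    echo "certificate expires within ${warn_days} days; rotate it in Google before then" >&2
    return 1
  fi
}

# make_sample_cert DAYS: constructed test input, a throwaway self-signed
# certificate standing in for the Okta IdP signing certificate. Prints its path.
make_sample_cert() {
  dir="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=example-okta-idp" >/dev/null 2>&1
  printf '%s\n' "$dir/cert.pem"
}

# Usage: sh check_cert.sh /path/to/okta-verification-cert.pem [warn_days]
# With no arguments, run against a constructed sample certificate.
if [ -n "${1:-}" ]; then
  check_verification_cert "$1" "${2:-30}"
else
  check_verification_cert "$(make_sample_cert 365)" 30
fi
```

Save the printed fingerprint with your change record; when SSO later fails, comparing it with the certificate currently shown on the Okta Sign On tab tells you immediately whether a rotation is the cause.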

Multi-IdP SSO profile (RPID set)

  1. Go to Third-party SSO profiles, click Add SAML profile and then enter the following:

    • Enter a valid SSO profile name.

    • IDP entity ID: Copy and paste the value from SSO profile values.

    • Sign-in page URL: Copy and paste the value from SSO profile values.

    • Sign-out page URL: Copy and paste the value from SSO profile values.

    • Change password URL: Copy and paste the value from SSO profile values.

    • Verification certificate: Copy and paste the value from SSO profile values.

    • Click SAVE.


    • SP Details section: Copy the rpid value from Entity ID in the SP details section and use it as the RPID value on the Sign On tab of the app instance in Okta. Depending on when you created your SAML SSO integration in Google, the format is either https://accounts.google.com/samlrp/metadata?rpid=rpid_value or https://accounts.google.com/samlrp/rpid_value.

      For example, for the rpid value 03gat3kx0uxkf0g the Entity ID reads https://accounts.google.com/samlrp/metadata?rpid=03gat3kx0uxkf0g (query form) or https://accounts.google.com/samlrp/03gat3kx0uxkf0g (path form).

  2. Done!

  3. Your users are ready to single sign-on to Google Workspace!
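Because the RPID field decides whether Okta targets the root organization profile or a multi-IdP profile, a mistyped or wrongly copied value silently sends users to the wrong profile. The following shell helper is an added example, not code from Okta or Google: it extracts the rpid from either form of the Entity ID shown in Google's SP details and refuses anything that is not an accounts.google.com samlrp URL, so a value pasted from the wrong field is caught before it is saved on the Okta Sign On tab. The restriction on rpid characters is an assumption based on the example value above.

```shell
#!/bin/sh
# Added example, not Okta or Google code: derive the RPID for the Okta
# Sign On tab from the Entity ID shown in Google's SP details.
set -eu

# rpid_from_entity_id ENTITY_ID
# Accepts either Entity ID format Google shows and prints the rpid:
#   https://accounts.google.com/samlrp/metadata?rpid=<rpid>   (query form)
#   https://accounts.google.com/samlrp/<rpid>                 (path form)
# Fails for any other host or path, so a value copied from the wrong field
# (for example the ACS URL) is caught before it is saved in Okta.
rpid_from_entity_id() {
  entity_id="$1"
  case "$entity_id" in
    'https://accounts.google.com/samlrp/metadata?rpid='*)
      rpid="${entity_id#*rpid=}"
      rpid="${rpid%%&*}"        # drop any further query parameters
      ;;
    'https://accounts.google.com/samlrp/'*)
      rpid="${entity_id#https://accounts.google.com/samlrp/}"
      rpid="${rpid%%[?#]*}"     # drop any query string or fragment
      ;;
    *)
      echo "not a Google SAML SP Entity ID: $entity_id" >&2
      return 1
      ;;
  esac
  # Assumption: an rpid is a short token of letters, digits, '-' or '_'
  # (as in the example above); stray whitespace or punctuation is rejected.
  case "$rpid" in
    ''|*[!0-9A-Za-z_-]*)
      echo "unexpected rpid value: '$rpid'" >&2
      return 1
      ;;
  esac
  printf '%s\n' "$rpid"
}

# Usage: sh rpid.sh '<Entity ID from SP details>'
# With no argument, demonstrate both formats using the example value above.
if [ -n "${1:-}" ]; then
  rpid_from_entity_id "$1"
else
  rpid_from_entity_id 'https://accounts.google.com/samlrp/metadata?rpid=03gat3kx0uxkf0g'
  rpid_from_entity_id 'https://accounts.google.com/samlrp/03gat3kx0uxkf0g'
fi
```

An empty result means the root organization profile; anything the helper prints is the value to enter in RPID for the multi-IdP profile.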


Notes


SP-initiated SSO

Go to https://www.google.com/a/[DOMAIN]/ServiceLogin?continue=[SERVICE], where [DOMAIN] is your Google Workspace domain and [SERVICE] is the URL of the Google service to open after sign-in.

For example: https://www.google.com/a/acme.com/ServiceLogin?continue=https://mail.google.com.


Disabling SAML

  1. Clear the Setup SSO with third party identity provider checkbox.

  2. Delete any values from the Sign-in page URL, Sign-out page URL, and Change password URL fields. Otherwise users can still be redirected to Okta to log in, because a Sign-in page URL left in place remains in effect.