Okta

How to Configure SAML 2.0 for G Suite


Read this before you enable SAML

Enabling SAML affects all users who use this application, which means that users will not be able to sign in through their regular login page. They will only be able to access the app through the Okta service. However, G Suite users assigned to the Super Administrator role can bypass SSO and log in directly at https://admin.google.com. We highly recommend creating a G Suite Super Administrator account so that G Suite administrator access remains available if SAML stops working properly.


Supported Features

The Okta/G Suite SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

Navigate to Single Sign-on Settings in G Suite

Sign in to G Suite with the same administrator username and password used for your G Suite user management API credentials in Okta. 

  1. Click the Security icon:

    NOTE: If the Security icon is not visible, click More Controls at the bottom of the panel and drag the Security icon into the Admin Console dashboard.

  2. On the Security menu, select Set up single sign-on (SSO):

Complete the Single Sign-on Screen

  1. Check the Setup SSO with third party identity provider checkbox, then enter the following:

    • Sign-in page URL: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • Sign-out page URL: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • Change password URL: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • Verification certificate: Download and save the following file, then click CHOOSE FILE to locate and upload it.

      Sign into the Okta Admin Dashboard to generate this variable.

    • Check Use a domain-specific issuer.

    • (Optional) Use the Network masks field to allow only a targeted subset of users to access your organization's Okta site. This is useful for rolling out application access in controlled phases.

    • Click SAVE:

  2. Done!

Your users are ready to single sign-on to G Suite!


Notes


SP-initiated SSO

Navigate to https://www.google.com/a/[DOMAIN]/ServiceLogin?continue=[SERVICE].

    Where:

    [DOMAIN] is your Google domain (the same value you entered in Okta)

    [SERVICE] is the Google service you want to redirect to after authentication.

    For example: https://www.google.com/a/acme.com/ServiceLogin?continue=https://mail.google.com.
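
A helper for generating SP-initiated links in the format above, for bookmarks or intranet pages. This is an added example, not part of the original Okta instructions. The function name, the restriction of [SERVICE] to https hosts under google.com, and the encoding of query characters inside [SERVICE] are assumptions of this example.

```python
import re
from urllib.parse import quote, urlsplit

# Assumption of this example (not from the Okta page): only hosts under
# google.com are accepted as the post-login target.
ALLOWED_SUFFIX = ".google.com"

# Conservative hostname syntax check for the [DOMAIN] path segment.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def build_sp_initiated_url(domain: str, service: str) -> str:
    """Return https://www.google.com/a/[DOMAIN]/ServiceLogin?continue=[SERVICE]."""
    domain = domain.strip().lower()
    if not DOMAIN_RE.match(domain):
        # Rejects slashes, '?', '..' and anything else that would alter the path.
        raise ValueError(f"not a valid domain name: {domain!r}")

    target = urlsplit(service)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        raise ValueError("continue target must use https")
    if target.username or target.password:
        # user@host forms are a common way to disguise the real destination.
        raise ValueError("continue target must not carry credentials")
    if not host.endswith(ALLOWED_SUFFIX):
        raise ValueError(f"continue target is not a Google host: {host!r}")

    # Keep ':' and '/' readable, as in the page's example. Encode '?', '&',
    # '=' and '#' so a query string in the service URL stays inside the
    # continue parameter instead of being split off as separate parameters.
    encoded = quote(service, safe=":/")
    return f"https://www.google.com/a/{domain}/ServiceLogin?continue={encoded}"


if __name__ == "__main__":
    # Reproduces the example URL given above.
    print(build_sp_initiated_url("acme.com", "https://mail.google.com"))
    # Constructed input: a service URL that carries its own query string.
    print(build_sp_initiated_url("acme.com", "https://mail.google.com/a?x=1&y=2"))
```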


Disabling SAML

  1. Uncheck the Setup SSO with third party identity provider checkbox.

  2. Delete any values that exist in the text boxes for Sign-in page URL, Sign-out page URL, and Change password URL. This ensures that users are not redirected to Okta to log in, as the Sign-in URL property is still enabled.