Skip to main content

Add Google Workspace as a SAML connection

Before you start

Browser supports Enterprise SSO via the SAML protocol, enabling you to create authentication strategies for an Identity Provider (IdP).

When you configure a SAML connection with Google Workspace as your IdP, your users can sign up and sign in to your application with their Google account. In this guide, you configure the connection in the Browser Dashboard, while the customer (whoever manages the Google Admin Console) configures it on the Google side.

Tip

This guide requires coordination between you and your customers' IT administrators. If you're creating an enterprise connection for an Organization, you can allow your customers' IT admins to configure SSO themselves. See the guide on self-serve SSO for more information.

Create a Google Workspace SAML connection in Browser

  1. In the Browser Dashboard, navigate to the SSO connections page.
  2. Select Add connection and select For specific domains or organizations.
  3. Under SAML, select Google Workspace.
  4. Enter the Domain. This is the email domain of the users you want to allow to sign in to your application. Optionally, select an Organization.
  5. Enter the Name. This will be displayed on the sign-in form.
  6. Select Add connection. You'll be redirected to the connection's configuration page.
  7. In the Service Provider Configuration section, save the ACS URL and Entity ID values somewhere secure. You'll need to give these to the customer so they can configure their Google Workspace application.

Configure SAML application

Now the customer's Google Workspace application needs to be configured with the ACS URL and Entity ID from Browser.

To get you started, you can use the following email template with detailed instructions. Remember to share the ACS URL and Entity ID:

Here are the instructions for setting up SAML SSO with Google Workspace:

Step 1: Create a custom SAML app

  1. Navigate to the Google Admin Console and sign in.
  2. In the navigation sidenav, under Apps, select Web and mobile apps.
  3. Select Add app, then select Add custom SAML app.
  4. In the App details section, enter an App name, then select Continue.

Step 2: Share the identity provider details

  1. On the Google Identity Provider details page, under Option 1: Download IdP metadata, select Download Metadata and reply with the file. (Alternatively, under Option 2, copy the SSO URL and Entity ID and download the Certificate.)
  2. Select Continue.

Step 3: Enter the service provider details

  1. Paste the ACS URL and Entity ID values provided to you into their respective fields.
  2. Under the Name ID section, set the Name ID format to EMAIL.
  3. Select Continue.

Step 4: Map attributes

Under the Attributes section, select Add mapping and map the following. Only Primary email is required:

Google Directory attributeApp attribute
Primary emailemail
First namefirstName
Last namelastName

Select Finish.

Step 5: Turn on the app

  1. In the User access section, select ON for everyone.
  2. Select Save.

Add the IdP configuration in Browser

Once the customer has shared their Google Workspace details, add them to the connection. There are two options:

  • Metadata configuration (recommended) - Use the metadata file the customer downloaded from Google. This is quicker than manually inputting the configuration settings.
  • Custom configuration - Manually input the configuration settings.

Metadata configuration

  1. In the Browser Dashboard, open the connection and, in the Identity Provider Configuration section, select Upload file.
  2. Upload the metadata file that the customer shared.

Custom configuration

If you're configuring the connection manually, fill in these three fields in the Browser Dashboard:

  • SSO URL - Your IdP's URL that Browser will redirect your users to so that they can authenticate.
  • Entity ID - The unique identifier of your IdP application.
  • Certificate - The certificate needed for Browser to securely connect to your IdP.
  1. In the Identity Provider Configuration section, select Use manual configuration.
  2. Fill in the SSO URL and Entity ID, and upload the Certificate that the customer shared. Select Save.

Map IdP claims to Browser fields

Browser automatically maps the standard SAML claims (email, first name, and last name) to the User object. To review them, open the connection's SSO tab and find the Common attributes section under Attribute mapping.

To map a claim that has no standard Browser field, store it in the user's publicMetadata. The approach depends on whether the connection also uses Directory Sync:

  • SSO only: In the IdP, prefix the claim name with public_metadata_. For example, mapping a phone number to public_metadata_phone_number stores it under phone_number in User.publicMetadata. Some IdPs, such as Microsoft Entra, send claims as URLs; map those as plain strings.
  • SSO with Directory Sync: Define a custom attribute so the mapping applies to both SSO and SCIM. Define it on the connection's Overview tab (in the Identity provider attributes section), then map it in the SSO tab (in the Custom attributes section of the Attribute mapping section). Refer to the guide on custom attribute mapping. While Directory Sync is enabled, SCIM is the only source for these values and overrides SSO.

Learn more about accessing user metadata from the API.

Enable the connection in Browser

You have configured the SAML connection. Once enabled, all users with email addresses ending in the domain will be redirected to your identity provider at sign-up and sign-in.

Warning

If the SAML configuration in Browser or your identity provider has an error, existing users with matching email domains will be unable to sign in once the connection is enabled. We recommend coordinating with your counterpart to test the connection at an off-peak time.

To make the connection available for your users to authenticate with:

  1. Navigate to the SSO connections page and select the connection.
  2. At the top of the page, toggle on Enable connection and select Save.

Feedback

What did you think of this content?

Last updated on

GitHubEdit on GitHub