Set up your own custom SAML app (2024)

Using SAML-based SSO

Single sign-on (SSO) lets users sign in to all their enterprise cloud apps using their managed Google Account credentials. Google offers preintegrated SSO with over 200 popular cloud apps.

Perform these steps to set up SAML-based SSO with a custom app that is not in the preintegrated catalog.

Set up your own custom SAML app


Step 1: Add the custom SAML app

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. Click Add App > Add custom SAML app.
    Enter the app name and, optionally, upload an icon for your app. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.
  3. Click Continue.
  4. On the Google Identity Provider details page, get the setup information needed by the service provider using one of these options:
    1. Download the IDP metadata.
    2. Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).
  5. (Optional) To enter the information into the service provider's SSO configuration page, open a separate browser tab or window, sign in to your service provider, enter the information you copied in the previous step, and then return to the Admin console.
  6. Click Continue.
  7. Contact your service provider for these field values. In the Service Provider Details window, enter:
    1. ACS URL—The service provider's Assertion Consumer Service URL receives the SAML response. It must start with https://.
    2. Entity ID—The globally unique name.
    3. Start URL—(Optional) This sets the RelayState parameter in a SAML Request, which can be a URL to redirect to after authentication.
  8. (Optional) To indicate that your service provider requires the entire SAML authentication response to be signed, check the Signed response box. If this is unchecked (the default), only the assertion within the response is signed.
  9. (Optional) Set Name ID format and Name ID value for your custom SAML app. The default Name ID is the primary email.
    Tip: Check the setup articles in our SAML apps catalog for any Name ID mappings required for apps in the catalog. You can also create custom attributes, either in the Admin console or via Google Admin SDK APIs, and map to those.
  10. Click Continue.
  11. If needed, click Add mapping to map user attributes based on the service provider’s requirements.
    Note: You can define a maximum of 1500 attributes over all apps. Because each app has one default attribute, the count includes the default attribute plus any custom attributes you add.
    1. For Google Directory attributes, click the Select field menu to choose a field name. Not all Google directory attributes are available in the drop-down list. If an attribute you want to map (for example, Manager's email) is not available, you can add that attribute as a custom attribute, which will make it available here for selection.
    2. For App attributes, enter the corresponding attribute for your custom SAML app.
  12. (Optional) To enter group names that are relevant for this app:

    1. For Group membership (optional), click Search for a group, enter one or more letters of the group name, and select the group name.
    2. Add additional groups as needed (maximum of 75 groups).
    3. For App attribute, enter the service provider’s corresponding groups attribute name.

    Regardless of how many group names you enter, the SAML response will include only groups that a user is a member of (directly or indirectly). For more information, go to About group membership mapping.

  13. Click Finish.
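The IdP metadata downloaded in Step 1 (the XML alternative to copying the SSO URL, Entity ID and certificate by hand) is standard SAML 2.0 metadata. The following is an added example, not code from the original article or from Google, that parses such a file, derives the certificate's SHA-256 fingerprint in the colon-separated form most service providers expect, and compares the result with the values typed into the service provider's SSO configuration. The metadata sample, the `IDPID_PLACEHOLDER` value and the certificate bytes are constructed; a real download carries a tenant-specific idpid and an X.509 certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces (standard URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the DER bytes of the IdP signing certificate.
# A real download carries an X.509 certificate; only the hashing is shown here.
FAKE_CERT_DER = b"constructed-stand-in-for-idp-signing-certificate-der"

# Constructed sample shaped like the IdP metadata the Admin console exports.
# IDPID_PLACEHOLDER stands in for the tenant-specific idpid value.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=IDPID_PLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            {base64.b64encode(FAKE_CERT_DER).decode()}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=IDPID_PLACEHOLDER"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://accounts.google.com/o/saml2/idp?idpid=IDPID_PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of DER certificate bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the values the service provider needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Signing certificate: a KeyDescriptor with use="signing" (or no use attribute).
    cert_der = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is not None and cert_el.text:
            # Base64 in metadata is often wrapped; strip all whitespace first.
            cert_der = base64.b64decode("".join(cert_el.text.split()))
            break
    if cert_der is None:
        raise ValueError("metadata has no signing certificate")

    sso_urls = {svc.get("Binding"): svc.get("Location")
                for svc in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_urls.get(POST_BINDING),      # the URL the SP posts/redirects to
        "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS),
        "certificate_der": cert_der,
        "sha256_fingerprint": sha256_fingerprint(cert_der),
    }


def metadata_mismatches(parsed: dict, configured: dict) -> list:
    """Compare SP-side settings (sso_url, entity_id, certificate_der or
    sha256_fingerprint) against what the IdP metadata actually says."""
    problems = []
    if configured.get("sso_url") != parsed["sso_url"]:
        problems.append("SSO URL does not match the IdP metadata")
    if configured.get("entity_id") != parsed["entity_id"]:
        problems.append("IdP Entity ID does not match the IdP metadata")
    fp = configured.get("sha256_fingerprint")
    if "certificate_der" in configured:
        fp = sha256_fingerprint(configured["certificate_der"])
    if fp is None or fp.upper() != parsed["sha256_fingerprint"]:
        problems.append("certificate fingerprint does not match the IdP metadata")
    return problems
```

Run `metadata_mismatches(parse_idp_metadata(open("GoogleIDPMetadata.xml").read()), {...})` against the values entered at the service provider; an empty list means the three values the SP trusts (where to send users, who the issuer is, and which key signs assertions) are the ones Google published, which is the usual cause of "invalid signature" or "unknown issuer" errors during the Step 3 test.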

Step 2: Turn on your SAML app

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Web and mobile apps.

  3. Select your SAML app.
  4. Click User access.

  5. To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  6. (Optional) To turn a service on or off for an organizational unit:

    1. At the left, select the organizational unit.
    2. To change the Service status, select On or Off.
    3. Choose one:
      • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
      • If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
        Note: Learn more about organizational structure.
  7. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.

  8. Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.

Changes can take up to 24 hours but typically happen more quickly.

Step 3: Verify that SSO is working with your custom app

You can test both identity provider-initiated (IdP) SSO and service provider-initiated (SP) SSO.

IdP-initiated

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Web and mobile apps.

  3. Select your custom SAML app.
  4. At the top left, click Test SAML login.

    Your app should open in a separate tab. If it doesn’t, use the information in the resulting SAML app error messages to update your IdP and SP settings as needed, then retest SAML login.

SP-initiated

  1. Open the SSO URL for your new SAML app. You should be automatically redirected to the Google sign-in page.
  2. Enter your username and password.

    After your sign-in credentials are authenticated, you're redirected back to your new SAML app.
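When the Step 3 test fails, the quickest diagnosis is to look at the SAML response the service provider actually received (most SP libraries and browser SAML tracers expose the decoded XML) and compare it with what was configured in Step 1: whether only the assertion or the whole response carries a signature (the Signed response box), what Name ID and format were sent, and which attributes and group values arrived under the mapped names. The following is an added example, not code from the original article or from Google, that reports those facts for a captured response and flags disagreements with the service provider's settings. The response, the SP values in `SP_CONFIG` and the `SIGNATURE_PLACEHOLDER` element are constructed; the code checks structure only and does no cryptographic verification, which remains the SP library's job.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 protocol, assertion and XML-DSig namespaces (standard URIs).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for what was typed into Service Provider Details
# and the App attribute chosen for group membership.
SP_CONFIG = {
    "acs_url": "https://app.example.com/saml/acs",
    "entity_id": "https://app.example.com/saml/metadata",
    "groups_attribute": "groups",
}

# Constructed response: the Assertion carries a Signature, the Response does not
# (the shape produced when "Signed response" is left unchecked). The Signature
# element is a placeholder; no cryptographic value is present.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_response1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=IDPID_PLACEHOLDER</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=IDPID_PLACEHOLDER</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>SIGNATURE_PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="department"><saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>sso-users</saml:AttributeValue>
        <saml:AttributeValue>app-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def validate_sp_details(acs_url: str, entity_id: str) -> list:
    """Checks on the values entered in the Service Provider Details window."""
    problems = []
    if not acs_url.startswith("https://"):
        problems.append("ACS URL must start with https://")
    if not entity_id.strip():
        problems.append("Entity ID must not be empty")
    return problems


def inspect_response(xml_text: str, sp: dict, require_signed_response: bool = False) -> dict:
    """Report what a captured response carries and where it disagrees with the SP settings.
    Structure only: signature verification is left to the SP's SAML library."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion in the response (encrypted or missing)")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default=None, namespaces=NS)
    report = {
        "response_signed": root.find("ds:Signature", NS) is not None,      # whole response signed
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,  # assertion signed
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
        "groups": attributes.get(sp["groups_attribute"], []),
        "problems": [],
    }
    p = report["problems"]
    if require_signed_response and not report["response_signed"]:
        p.append("response is not signed but the SP requires it; check Signed response in the Admin console")
    if not report["assertion_signed"]:
        p.append("assertion is not signed")
    if root.get("Destination") != sp["acs_url"]:
        p.append(f"Destination {root.get('Destination')} is not the configured ACS URL")
    if audience != sp["entity_id"]:
        p.append(f"Audience {audience} is not the SP Entity ID")
    if sp["groups_attribute"] not in attributes:
        p.append(f"no {sp['groups_attribute']} attribute in the assertion; check the group membership mapping")
    return report
```

`inspect_response(SAMPLE_RESPONSE, SP_CONFIG)` reports an unsigned response with a signed assertion and no problems; passing `require_signed_response=True` reproduces the mismatch an SP that insists on a signed response would report against the default Admin console setting, and changing `acs_url` shows the Destination check that an SP performs before it accepts the response at all.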

Related topics

  • Preintegrated SAML apps catalog
  • Creating custom attributes using the user schema


Article information

Author: Duncan Muller