> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation. > > - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install @scalekit-auth-stack` > - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install @scalekit-auth-stack` > - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `` > - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill ` > > `` / ``: `agent-auth`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # Google Workspace - SAML This guide walks you through configuring Google Workspace as your SAML identity provider for the application you are onboarding, enabling secure single sign-on for your users. You'll learn how to set up an enterprise application and configure SAML settings to the host application. By following these steps, your users will be able to seamlessly authenticate using their Google Workspace credentials. 1. ## Create a custom SAML app in Google Workspace Google allows you to add custom SAML applications using the SAML protocol. This is the first step in establishing a secure SSO connection. **Prerequisites:** You need a super administrator account in Google Workspace to complete these steps. 1. Go to Google **Admin console** (`admin.google.com`) 2. Select **Apps** → **Web and mobile apps** 3. Click **Add app** → **Add custom SAML app** 4. Provide an app name (e.g., "YourApp") and upload an app icon if needed 5. Click **Continue** ![Custom SAML app](@/assets/docs/guides/sso-integrations/google-saml/0-google-saml.png) *Creating a new custom SAML application in Google Workspace* **Get Google identity provider details:** On the **Google identity provider details** page, you'll need to collect setup information. You can either: - Download the **IDP metadata** file, or - Copy the **SSO URL** and **Entity ID** and download the **Certificate** Your SSO config portal connects with Google IdP using three essential pieces of information: - **SSO URL** - **Entity ID** - **Certificate** Copy these values from the Google console and paste them into your config portal. ![Google IdP Details](@/assets/docs/guides/sso-integrations/google-saml/0.1-google-saml.png) *Essential SAML configuration details from Google Workspace* **Note:** Keep this page open as you'll need to return to it after configuring the service provider details. 2. ## Configure the service provider in Google Admin console In your SSO configuration portal: 1. Navigate to Single sign-on (SSO) → Google Workspace → SAML 2.0 2. Select the organization you want to configure 3. Copy these critical details from the SSO settings: - **ACS URL** (Assertion consumer service URL) - **SP Entity ID** (Service provider entity ID) - **SP Metadata URL** ![SSO Config Portal](@/assets/docs/guides/sso-integrations/google-saml/1-google-saml.png) *Service provider configuration details in SSO portal* In Google Admin console: 1. Paste the copied details into their respective fields 2. Select **"Email"** as the **NameID format** (this serves as the primary user identifier during authentication) 3. Click **Continue** ![Google Workspace](@/assets/docs/guides/sso-integrations/google-saml/1.1-google-saml.png) *Configuring service provider details in Google Workspace* 3. ## Configure attribute mapping User profile attributes in Google IdP need to be mapped to your application's user attributes for seamless authentication. The essential attributes are: - Email address - First name - Last name To configure these attributes: 1. Locate the **Attribute mapping** section in your identity provider's application 2. Map the Google attributes to your application attributes as shown below ![User profile attributes](@/assets/docs/guides/sso-integrations/google-saml/2.1-google-saml.png) *Mapping user attributes between Google Workspace and your application* 4. ## Assign users and groups Control access to your application by assigning specific users or groups: 1. Go to the **User/group assignment** section in your identity provider application 2. Select and assign the user groups that need access to your application via SSO ![Group assignment](@/assets/docs/guides/sso-integrations/google-saml/2.2-google-saml.png) *Assigning user groups for SSO access* 5. ## Configure identity provider in SSO portal **Copy Google identity provider details:** From your Google Workspace, copy the IdP details shown during custom app creation: ![Google IdP details](@/assets/docs/guides/sso-integrations/google-saml/3.1-google-saml.png) *Identity provider details from Google Workspace* **Update the SSO configuration:** In your SSO configuration portal, navigate to the Identity provider configuration section. Paste the Google IdP details into the appropriate fields: Entity ID, SSO URL, and x509 certificates. ![Update IdP details in SSO config portal](@/assets/docs/guides/sso-integrations/google-saml/3.2-google-saml.png) *Updating identity provider configuration in SSO portal* Click **Update** to save the configuration. 6. ## Test the connection Verify your SAML SSO configuration: 1. Click **Test connection** in the SSO configuration portal 2. If successful, you'll see a confirmation message: ![Test Single Sign On](@/assets/docs/guides/sso-integrations/google-saml/4-google-saml.png) *Successful SSO connection test* If there are any configuration issues, the test will identify them and provide guidance for correction. 7. ## Enable SSO connection Once you've verified the configuration: 1. Click **Enable connection** to activate SSO for your users ![Enable SSO Connection](@/assets/docs/guides/sso-integrations/google-saml/5-google-saml.png) *Enabling the SSO connection* 8. ## Test SSO functionality After enabling the connection, test both types of SSO flows to ensure everything works correctly: **Identity provider (IdP) initiated SSO:** 1. In Google Admin console, go to **Apps** → **Web and mobile apps** 2. Select your custom SAML app 3. Click **Test SAML login** at the top left 4. Your app should open in a separate tab with successful authentication **Service provider (SP) initiated SSO:** 1. Open the SSO URL for your SAML app 2. You should be automatically redirected to the Google sign-in page 3. Enter your Google Workspace credentials 4. After successful authentication, you'll be redirected back to your application **Troubleshooting:** If either test fails, check the SAML app error messages and verify your IdP and SP settings match exactly. Congratulations! You have successfully configured Google SAML for your application. Your users can now securely authenticate using their Google Workspace credentials through single sign-on. **Google Workspace SSO resources:** For more detailed information about setting up custom SAML apps in Google Workspace, refer to the [official Google Workspace documentation](https://support.google.com/a/answer/6087519). --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |