This article is an add-on to our SAML configuration guide, supplementing the process described there with specific details and additional information unique to configuring SAML for the G Suite SAML 2.0 app connector in OneLogin's app catalog.
Configuring OneLogin's G Suite App Connector
Check out this two-part video training series for a full overview of connecting G Suite with OneLogin.
Prerequisites
- A paid G Suite account with third-party API access enabled
- Administrative access to enable SAML in G Suite; you should follow the G Suite SAML process described there in conjunction with your OneLogin setup, as you will be exchanging some details between your accounts during the configuration
- If you intend to configure both SAML and provisioning for G Suite, you must enable provisioning before completing your SAML configuration.
Configuration
| Domain | Enter your primary G Suite domain. |
| API Connection | If you have not previously granted Google authentication access as part of the provisioning process, click Authenticate now and sign in with your Google admin account. Once successfully authenticated, a Clear Token option will appear. Clear your OAuth token as necessary to reauthenticate with the G Suite Directory API. If you're clearing the token because of security concerns, you should also delete the old token from G Suite. |
SSO
Automatic configuration
- Configure any parameters necessary and assign the app to your own OneLogin account, then Save the app connector and toggle on Enable automatic SAML configuration.
- Follow the prompts in the One Click dialog that appears to complete configuration.
- Click Verify to test the configuration. If successful, you're signed directly into G Suite in a new tab.
If you do not have a G Suite account or the Verify prompt does not appear, you can manually test the connection by assigning the app to a test user and attempting to launch G Suite from this user's OneLogin portal in an alternate browser.
Manual configuration
Copy your OneLogin SSO values to their corresponding fields in G Suite:
| OneLogin | G Suite |
| X.509 Certificate | Upload certificate |
| SAML 2.0 Endpoint (HTTP) | Sign-in page URL |
| SLO Endpoint (HTTP) | Sign-out page URL |
| https://your-domain.onelogin.com/login2#action=password_reset | Change password URL |
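A pre-flight check for the three URL values in the mapping table above, run before pasting them into G Suite. This is an added example, not OneLogin or Google code; the function name, the sample tenant host, and the endpoint paths are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# G Suite field names, taken from the mapping table above.
FIELDS = ("Sign-in page URL", "Sign-out page URL", "Change password URL")


def check_sso_values(tenant_host, values):
    """Return a list of problems in the URLs about to be pasted into G Suite."""
    problems = []
    for field in FIELDS:
        raw = values.get(field, "").strip()
        if not raw:
            problems.append(f"{field}: missing")
            continue
        try:
            url = urlsplit(raw)
            port = url.port  # raises ValueError on a malformed port
        except ValueError:
            problems.append(f"{field}: not a parseable URL")
            continue
        if url.scheme != "https":
            problems.append(f"{field}: scheme must be https")
        if url.username or url.password:
            problems.append(f"{field}: URL embeds credentials")
        if url.hostname != tenant_host.lower() or port not in (None, 443):
            problems.append(f"{field}: host or port is not {tenant_host}")
        # The change-password value from the table carries its action in the
        # fragment, which is easy to lose when copying.
        if field == "Change password URL" and (
            url.path != "/login2" or url.fragment != "action=password_reset"
        ):
            problems.append(f"{field}: expected /login2#action=password_reset")
    return problems


# Constructed sample values; the endpoint paths are placeholders, not real
# OneLogin paths. Copy the real values from your app connector's SSO section.
TENANT = "your-domain.onelogin.com"
GOOD = {
    "Sign-in page URL": f"https://{TENANT}/example-sso-endpoint",
    "Sign-out page URL": f"https://{TENANT}/example-slo-endpoint",
    "Change password URL": f"https://{TENANT}/login2#action=password_reset",
}
BAD = {**GOOD,
       "Sign-out page URL": f"http://{TENANT}/example-slo-endpoint",
       "Change password URL": f"https://{TENANT}/login2"}

if __name__ == "__main__":
    for line in check_sso_values(TENANT, BAD) or ["all values look consistent"]:
        print(line)
```

An empty result means every value is HTTPS, points at the expected OneLogin subdomain, and the change-password URL kept its fragment.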
Tip! Google supports partial SSO, enabling you to configure the app connector for only certain organizational units (OUs) in G Suite, which can be useful for fine-tuning your security requirements as well as testing your connection with a test OU rather than an individual test user. See the Google documentation for more information on configuring partial SSO.