Configuring SAML for G Suite
Article: KB0010328 Published: 02/21/2022 Last modified: 02/21/2022

This topic describes how to configure OneLogin to provide SSO for G Suite, also known as Google Workspace (formerly Google Apps), using SAML.

If you want to set up SSO for G Suite with form-based authentication, see Adding a Form-Based Application.

Configuring OneLogin's G Suite App Connector (Google Workspace)

  1. Go to Apps > Add Apps.

  2. Search for G Suite and select the one that just has G Suite in the name.

  3. On the Add App page - Configuration tab, select SAML2.0 - user provisioning under Connectors.

    You can change the Display Name. Toggle Visible in portal to off if you don't want users to have access to G Suite (for example, if you want to stage and test the app connection before rolling it out). 

  4. Click Save to display additional configuration tabs.

  5. On the Configuration tab, enter your G Suite domain and optionally enable entitlement provisioning.


    1. Under Domain, enter your primary G Suite domain, including the suffix (.com).

    2. Click Save.

  6. On the Configuration tab, authenticate to the G Suite API. 

    Note. Your G Suite APIs must be enabled in the G Suite admin console. See https://support.google.com/a/answer/60757


    1. On the Configuration tab, click Authenticate.

    2. On the Complete Authentication Process dialog, click the G Suite link.

    3. Click Accept on Google's Request for Permission page.

    4. OneLogin returns you to your G Suite app setup page and displays a brief message that your authorization was successful.

      You can also confirm that the authorization was successful by going to the Configuration tab and confirming that the Clear Token button appears in the API Connection section.

      You can click the Clear Token button if you ever need to reauthenticate with the G Suite API.

      If you are clearing the OAuth token because of security concerns, you should also delete the old token from G Suite. To do that, you must log in to G Suite with the administrator credentials that were used to create the OAuth token, at https://myaccount.google.com/permissions?pli=1. If you do not have access to those credentials, you must contact G Suite support for assistance.

  7. If you selected Provision Entitlements on the Configuration tab, refresh your entitlements.

    On the Provisioning page, under Entitlements, click Refresh.

    Refreshing entitlements populates Google Group and Organization values on the Parameters tab.

    Important! On April 20, 2015, OneLogin switched all OneLogin accounts that used the unsupported Google Apps Provisioning API to the new Google Apps Directory API. If your Google Apps (now G Suite) app connector was enabled for entitlement provisioning before April 20, 2015, you should click Repair if you haven't already done so. The Repair Entitlements process refreshes entitlements and repairs any provisioning errors that may have occurred due to differences in the old Google Apps API and the new one. You only need to run this once.

  8. On the Parameters tab, map G Suite user attributes to OneLogin attributes.

    Verify that Credentials are Configured by admin.

    For SSO configuration, the default mappings are as follows:

    G Suite Field    OneLogin Value     Notes
    -------------    ---------------    -----------------------------------------
    Alias            -No default-       Provisioning only
    Department       -No default-       Provisioning only
    Email            Email name part    G Suite expects Email name part.
    EmployeeID       -No default-       Provisioning only
    Employee Type    -No default-       Provisioning only
    Firstname        First Name
    Groups           -No value-         Provisioning only
    Is Admin         False              Provisioning only
    Lastname         Last Name
    Manager          -User Manager-     Provisioning only
    Organization     -No value-         Provisioning only
    Password         SSO Password       SAML-enabled apps use the OneLogin SSO
                                        password as the app password.
    Phone            -No default-       Provisioning only
    Title            -No default-       Provisioning only

  9. On the Access tab, assign the OneLogin roles that should have access to G Suite and provide any app security policy that you want to apply to G Suite.

    To make it easier to verify the success of the automatic SAML configuration process (step 11), include a role that has already been assigned to your own OneLogin user account.

    If you don't want to add such a role, you can save your changes, go to Users > All Users to add the app to your user account, and return to this app configuration page to complete SSO configuration.

  10. Click Save.

    You must save your settings at this point to enable the verification part of the SAML setup step, which follows.

  11. On the SSO tab, configure your SAML settings automatically.

    In this step, you tell OneLogin to exchange certificates with G Suite and configure SAML automatically for you. If you want to configure SAML manually, go to step 12.


    1. Turn on the Enable automatic SAML configuration toggle to open the One Click dialog.

    2. Follow the prompts to complete the SAML configuration.

      If SAML configuration fails, the dialog lets you know. Immediately click Retry. If retrying fails, make any modifications suggested by the error message or check your settings on the Configuration, Access, and Parameters tabs and try again. If automatic configuration continues to fail, you can try manual configuration, as described in step 12.

      If SAML configuration succeeds, the dialog tells you it's done and prompts you to verify the configuration.

    3. Verify that the SAML configuration succeeded and that a OneLogin user can log into G Suite using OneLogin.

      If you are logged in as a user with a G Suite account, and you are already assigned to this app in OneLogin (as a member of a role that you added on the Access tab, for example), the dialog displays a Verify button on the Done page. Click Verify to launch G Suite in another browser tab. If it works, you're done.

      If you have not already assigned yourself access to this app, the Done page displays a Next button. Click it to display a verification page:

      Open a new browser window or tab. Assign this app to a OneLogin user with a G Suite account, if you haven't already. Log in to OneLogin as the user and try to launch G Suite from App Home. If the app launches successfully, return to the One Click dialog and click Yes. I'm Done. Or if you're feeling lucky, just click it without testing.

    4. OneLogin returns you to the SSO tab, where you can confirm that the Enable automatic SAML configuration toggle is turned on.

      If you ever need to turn off OneLogin SSO for G Suite, simply click the toggle off.

  12. (Optional) On the SSO tab, configure your SAML settings manually.

    OneLogin can configure your SAML settings automatically (see step 11). However, if you prefer to configure your SAML settings manually, follow the instructions in this step.


    1. Go to the Manual Configuration sub-tab.

    2. Copy the SAML2.0 Endpoint (HTTP) URL and download the X.509 PEM Certificate.

      To download the X.509 PEM certificate, click View Details and select X.509 PEM from the drop-down below the X.509 Certificate field.

      If you want a different certificate, click Change, select the new certificate, and follow the above instructions. You can create new X.509 certificates for selection by going to Settings > Certificates and clicking New.

    3. In your G Suite Admin console, go to Security > Set up single sign-on (SSO).

    4. Upload your OneLogin X.509 PEM certificate by choosing the file you downloaded above and clicking Upload.

    5. Click Setup SSO with third party identity provider.

    6. Fill in the following fields:

      Sign-in page URL: the SAML2.0 Endpoint (HTTP) URL that you copied from the Manual Configuration sub-tab in OneLogin.
      Sign-out page URL: https://app.onelogin.com/client/apps
      Change password URL: https://app.onelogin.com/password

    7. Click Save Changes.

  13. (Optional) On the SSO tab, enable OneLogin administrators with Super user or Assume users privileges to sign in to G Suite while assuming another user's identity. 

    Assuming a user's identity can be a helpful tool for your administrators. Select Allow assumed users to sign into this app. For more information about assumed sign-in, see Assuming Users.

OneLogin and G Suite should now be connected through SAML.
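
For the manual configuration in step 12, the following added example (not OneLogin or Google code) checks the downloaded PEM file and the three URL fields before they are entered in the G Suite Admin console. It computes a SHA-256 fingerprint for comparison with whatever fingerprint your identity provider's certificate details display (assumed available); the function names, the sample PEM and the sample sign-in URL are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Values this article gives for step 12, sub-step 6.
SIGN_OUT_URL = "https://app.onelogin.com/client/apps"
CHANGE_PASSWORD_URL = "https://app.onelogin.com/password"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def cert_fingerprint(pem_text):
    """SHA-256 fingerprint of the one certificate in pem_text, else ValueError."""
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    # A signing key must never leave the identity provider.
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; do not upload it")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def check_sso_form(sign_in, sign_out, change_password):
    """Return a list of problems with the three URL field values."""
    problems = []
    for name, url in (("Sign-in", sign_in), ("Sign-out", sign_out),
                      ("Change password", change_password)):
        parts = urlsplit(url.strip())
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{name} page URL is not an absolute https URL")
    if sign_out.strip() != SIGN_OUT_URL:
        problems.append("Sign-out page URL differs from the article's value")
    if change_password.strip() != CHANGE_PASSWORD_URL:
        problems.append("Change password URL differs from the article's value")
    return problems


# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder DER bytes").decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SIGN_IN = "https://idp.example.com/saml2/sso/PLACEHOLDER"  # constructed

if __name__ == "__main__":
    print(cert_fingerprint(SAMPLE_PEM))
    print(check_sso_form(SAMPLE_SIGN_IN, SIGN_OUT_URL, CHANGE_PASSWORD_URL))
```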

Shared G Suite Accounts

If you are using the G Suite (Shared Accounts) connector, the instructions above are nearly identical. The modifications:

  • You must log in as the primary user before you can log into the shared account.
  • Do not click the Authenticate button to connect to the Google API. 
  • Do not enable Provisioning for the Shared Accounts connector. 

Once you've set up the Shared Accounts connector, create a Role and assign the connector to it.

Next steps:

Provisioning Users to G Suite

