Setup flow
| # | Step | Description |
|---|---|---|
| 1 | Turn SSO on | Turn SSO on in the Dashboard |
| 2 | Set SSO scope | Select accounts to apply SSO for |
| 3 | Create SSO app | Set up and configure Google Workspace app for SSO |
| 4 | Configure SSO | Choose SSO configuration method and provide configuration details |
Turn SSO on
To set up SSO, you need to turn it on first in the Dashboard. For this:
-
Sign in to the Dashboard.
Use an account with the administrator role.
-
In the menu, go to Settings › Single Sign-On.
The SSO settings page opens.
-
Select Enable Single Sign-On (SSO) to expand configuration settings.
Configuration settings include the following groups:
Group Description Enable SSO for This group of settings lets you set the SSO scope—that is, to select the predefined account groups and to specify individual accounts to apply SSO for Service Provider Settings This group includes settings to use when creating SSO app in Google Workspace Identity Provider Settings This group of settings lets you choose how to configure SSO and to provide configuration details 
-
Continue with setting SSO scope.
Set SSO scope
You can set the scope of SSO—that is, to select accounts to apply SSO for.
To map accounts, account names on the service provider side (that is, within the services) must match the account emails on the Google Workspace side.
In the Enable SSO for group, select one or more available account groups:
-
Dashboard admins to enable SSO for the Dashboard accounts with the administrator role;
-
All backup accounts to enable SSO for all backup accounts;
-
Individual accounts to enable SSO only for specific accounts.
Enter one or more account usernames separated by comma, space, or semicolon.
Continue with creating SSO app in Google Workspace.
Create SSO app
This section covers only the basic instructions on creating an SSO app in Google Workspace. For more details, see the Google Workspace Admin Help.
-
Sign in to the Google Admin console.
Use an account with the Super Admin role.
-
In the menu, go to Apps › Web and mobile apps.
-
On the toolbar, click Add app, and then select Add custom SAML app.
The app creation wizard opens.
-
On the App details step, provide the basic information about the app, and then click CONTINUE.
-
On the Google Identity Provider details step:
-
To configure SSO later in the Dashboard using metadata, download the metadata file.
-
To configure SSO later in the Dashboard manually, сopy and save SSO URL, Entity ID, and Certificate.
Dashboard accepts SAML certificates as CER or CERT files. If you copy the Google SAML certificate, save it to the file with
.ceror.certextension. If you download the Google SAML certificate, change the file name extension from.pemto.ceror.cert.
Click CONTINUE.
-
-
On the Service provider details step:
-
In the ACS URL box, enter the reply URL address.
You can find the reply URL address on the Dashboard SSO settings page in the Reply URL box.
-
In the Entity ID box, enter the service provider entity ID.
You can find the service provider entity ID on the Dashboard SSO settings page in the Service Provider Entity ID box.
Click CONTINUE.
-
-
On the Attribute mapping step, click FINISH.
-
Turn on the newly created app. For this:
-
Click the User access panel.
-
Select ON for everyone.
This turns the app on for everyone in the organization. To turn the app on for a specific organizational unit or a group of users, see details in the Google Workspace Admin Help.
-
Click SAVE to apply changes.
-
Continue with configuring SSO in the Dashboard.
Configure SSO
To configure SSO in the Dashboard, you must provide the SAML metadata. For this, in the Identity Provider Settings group, choose one of the following options:
-
Via metadata URL
This option is not available for SSO using Google Workspace.
Using metadata file
With this option, the system retrieves SSO configuration data from the metadata file you upload.
-
Go to the SSO settings page in the Dashboard.
-
In the Identity Provider Settings group, select Using metadata file, and then import the metadata file you obtained when creating the SSO app in Google Workspace.
How to obtain the SAML metadata file
If you somehow did not save the metadata file when creating the SSO app, you can obtain it as follows:
-
Sign in to the Google Admin console.
Use an account with the Super Admin role.
-
In the menu, go to Apps › Web and mobile apps.
-
Find and click the SSO app you have created earlier.
-
On the SSO app page, click DOWNLOAD METADATA.
-
In the open dialog, click DOWNLOAD METADATA.
-
-
Click Save to apply changes.
Manually
With this option, you manually enter the minimum required data and upload the certificate to configure SSO.
-
Go to the SSO settings page in the Dashboard.
-
In the Identity Provider Settings group, select Manually, and then:
-
In the Entity ID box, enter the Entity ID you copied earlier from Google Workspace when creating the SSO app.
-
In the Login URL box, enter the SSO URL you copied earlier from Google Workspace when creating the SSO app.
-
Import the SAML certificate you downloaded earlier from Google Workspace when creating the SSO app.
-
Click Save to apply changes.
How to obtain the SAML metadata for manual SSO configuration
If you did not save the metadata for manual SSO configuration when creating the SSO app, you can obtain it as follows:
-
Sign in to the Google Admin console.
Use an account with the Super Admin role.
-
In the menu, go to Apps › Web and mobile apps.
-
Find and click the SSO app you have created earlier.
-
On the SSO app page, click DOWNLOAD METADATA.
-
In the open dialog, you can find SSO URL, Entity ID, and Certificate.
Dashboard accepts SAML certificates as CER or CERT files. If you copy the Google SAML certificate, save it to the file with
.ceror.certextension. If you download the Google SAML certificate, change the file name extension from.pemto.ceror.cert.
-