Configuring Google Workspace for SAML-based SSO

  • Log in to your Google Workspace admin console at admin.google.com
  • From the Apps left nav menu, select "Web and mobile apps"
  • Click the "Add app" dropdown menu
  • Select the "Add custom SAML app" option
  • In the "Service provider details" view, provide the following values:
    • ACS URL
      • https://auth.osano.com/saml2/idpresponse
    • Entity ID
      • urn:amazon:cognito:sp:us-east-1_7GtagkRKw
    • Name ID
      • Leave the default format and ID

  • Optional: for IdP-initiated access (allowing your users to select the app in the Google Workspace dashboard or waffle control and be automatically authenticated), let your support rep know you wish to enable this option and add the following setting in the "Start URL" field:
    • identity_provider=CUSTOMER_ID&client_id=7di7d8bnbp79rvmktl6o9g79bc&redirect_uri=https://my.osano.com/oauth/response&response_type=token&scope=email+openid+profile+aws.cognito.signin.user.admin
    • Make sure to replace the identity_provider value with your Osano customer ID (ask your support rep for this)
  • In the "SAML attribute mapping" view, add the following attributes:
    • Primary email
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • Primary email
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

  • In the "User access" view, assign the application to the user groups you wish to have access. Note: assignment alone does not grant access to these users; every user must still be invited using the Osano web application.
  • Save the application, download the Metadata XML document and send it to Osano support.
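
A pre-flight check for the optional "Start URL" value from the steps above, as an added example (not Osano's or Google's code): it confirms the CUSTOMER_ID placeholder was replaced and that the other parameters still match the values documented on this page. The function name check_start_url and the sample customer ID acme-1234 are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Parameter values copied from the "Start URL" setting on this page.
# identity_provider is per-customer, so it is checked separately.
EXPECTED = {
    "client_id": "7di7d8bnbp79rvmktl6o9g79bc",
    "redirect_uri": "https://my.osano.com/oauth/response",
    "response_type": "token",
    # "+" in the pasted value decodes to a space
    "scope": "email openid profile aws.cognito.signin.user.admin",
}
PLACEHOLDER = "CUSTOMER_ID"


def check_start_url(value: str) -> list[str]:
    """Return the problems found in a Start URL value (empty list = OK)."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    pairs = parse_qsl(value.strip(), keep_blank_values=True)
    keys = [k for k, _ in pairs]
    params = dict(pairs)

    for key in sorted(set(keys)):
        if keys.count(key) > 1:
            problems.append(f"duplicate parameter: {key}")
    idp = params.get("identity_provider", "")
    if not idp:
        problems.append("identity_provider is missing or empty")
    elif idp == PLACEHOLDER:
        problems.append("identity_provider still holds the CUSTOMER_ID placeholder")

    for key, expected in EXPECTED.items():
        if key not in params:
            problems.append(f"missing parameter: {key}")
        elif params[key] != expected:
            problems.append(f"{key} differs from the documented value")

    for key in sorted(set(keys) - set(EXPECTED) - {"identity_provider"}):
        problems.append(f"unexpected parameter: {key}")
    return problems


if __name__ == "__main__":
    # Constructed sample: "acme-1234" is a made-up customer ID.
    sample = ("identity_provider=acme-1234&client_id=7di7d8bnbp79rvmktl6o9g79bc"
              "&redirect_uri=https://my.osano.com/oauth/response&response_type=token"
              "&scope=email+openid+profile+aws.cognito.signin.user.admin")
    print(check_start_url(sample) or "Start URL looks correct")
```

Run it against the exact string pasted into the "Start URL" field before saving the app; any reported problem means the value no longer matches what this page specifies.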