Enterprise Google Workspace SSO using SAML

Problem statement

We are having trouble setting up Enterprise SAML SSO using Google Workspace.

Troubleshooting

Common Pitfalls:

  • If a custom domain is used, use that for the ACS URL (instead of the tenant’s canonical domain).
  • The entity ID will be urn:auth0:{your-auth0-tenant-name}:googlesaml.
    • Note the {your-auth0-tenant-name} part doesn’t include the full domain name. If the Auth0 domain is example.us.auth0.com, then it is “example”.
  • Make sure to allow Google Workspace users to access the SAML app.

Solution

The following are the steps to set up Enterprise Google Workspace SSO using SAML:

(1) Decide on the connection name. For example, googlesaml.

(2) Follow these instructions to set up a SAML application in your Google Workspace: Set up your own custom SAML application.

(2-1) Follow the “Set up your own custom SAML app” section.

  • On the “Google Identity Provider Detail” page, copy and save the SSO URL (https://accounts.google.com/o/saml2/idp?idpid=XXXX) and download the certificate.
  • When Google asks for the “Service Provider Details,” use these values:
    – ACS URL (Assertion Consumer Service URL): https://{your-auth0-domain}/login/callback (if a custom domain is configured, use the custom domain here)
    – Entity Id: urn:auth0:{your-auth0-tenant-name}:googlesaml
  • Note the {your-auth0-tenant-name} part doesn’t include the full domain name. If the Auth0 domain is example.us.auth0.com, then it is “example”. For the name ID, you can use email. Leave other values/options unchanged.

(2-2) Follow the “Turn on your SAML app” section. Allow the Google Workspace users to access the app.

(3) Create an Enterprise Generic SAML connection in the Auth0 tenant. Use the connection name that was established earlier in Step 1 (i.e., googlesaml).
    – Sign In URL: the SSO URL copied in step (2-1), i.e. https://accounts.google.com/o/saml2/idp?idpid=XXXX
    – X509 Signing Certificate: the certificate file downloaded in step (2-1).
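As an added example (not part of this article or of Auth0's or Google's own tooling), the following Python script derives the two Service Provider values from steps (2-1) and (3) and checks the pitfalls above: the entity ID is built from the bare tenant name even when a custom domain is used for the ACS URL, and the Sign In URL and signing certificate are pulled from Google's IdP metadata rather than copied by hand. The Auth0 domain pattern and the sample metadata (placeholder idpid and certificate) are assumptions constructed for the example.

```python
"""Derive Auth0 SP values for a Google Workspace SAML app and read the IdP values."""
import re
import xml.etree.ElementTree as ET

# Assumption: canonical Auth0 domains look like <tenant>.auth0.com or <tenant>.<region>.auth0.com
AUTH0_DOMAIN_RE = re.compile(r"^(?P<tenant>[a-z0-9-]+)\.(?:[a-z]{2}\.)?auth0\.com$")

def tenant_name(auth0_domain):
    """'example.us.auth0.com' -> 'example'; None for a custom domain (cannot be derived)."""
    m = AUTH0_DOMAIN_RE.match(auth0_domain.lower())
    return m.group("tenant") if m else None

def sp_values(auth0_domain, connection_name, tenant=None):
    """Values for Google's 'Service Provider Details'. The ACS URL uses the domain users
    actually log in through (custom domain if set); the entity ID uses the bare tenant name."""
    tenant = tenant or tenant_name(auth0_domain)
    if tenant is None:
        raise ValueError("custom domain in use: pass the Auth0 tenant name explicitly")
    return {"acs_url": f"https://{auth0_domain}/login/callback",
            "entity_id": f"urn:auth0:{tenant}:{connection_name}"}

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def parse_idp_metadata(xml_text):
    """Extract the Sign In URL and signing certificate needed by the Auth0 connection."""
    root = ET.fromstring(xml_text)
    sso = root.find(f".//md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-Redirect SSO endpoint or a signing certificate")
    return {"idp_entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"),
            "cert_b64": "".join(cert.text.split())}  # drop wrapping whitespace

# Constructed sample shaped like Google's IdP metadata (placeholder idpid and certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.google.com/o/saml2?idpid=XXXX">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://accounts.google.com/o/saml2/idp?idpid=XXXX"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(sp_values("example.us.auth0.com", "googlesaml"))
    print(sp_values("login.example.com", "googlesaml", tenant="example"))  # custom-domain case
    print(parse_idp_metadata(SAMPLE_METADATA))
```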