Google Workspace SAML Integration Guide
Prerequisites
- Super Administrator access to the Google Admin Console
- A SplitSecure Identity Provider created and approved
- The Security settings administrator privilege in Google Workspace
- A separate browser or browser profile with SplitSecure configured (for testing)
Warning
Single sign-on for super administrators is only supported with the legacy SSO profile. With newer SSO profiles, super admins are always excluded and must authenticate directly with Google. If you need SSO for super administrators, use the Google Workspace (Legacy) guide instead.
Google Workspace Configuration
1 Navigate to SSO Settings
- Sign in to the Google Admin Console with an administrator account
- Navigate to Security → Authentication → SSO with third party IdP
2 Create a SAML SSO Profile
- In the Third-party SSO profiles section, click Add SAML profile
- Enter a profile name (e.g., “SplitSecure SAML”)
- For Autofill email, select the option Send email address in the URL as the LoginHint parameter
3 Configure IdP Details
Gather the following values from SplitSecure before proceeding:
- In SplitSecure, go to Secure Accounts → SAML2 Identity Providers
- Click Details on the desired identity provider
- Note the values below and download the certificate
| Field | Value | Notes |
|---|---|---|
| IDP Entity ID | com.splitsecure.saml2.provider.<your-provider-name> | Found in SplitSecure at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details as “SAML IdP Entity ID” |
| Sign-in page URL | https://app.splitsecure.com/saml2/sp/login | SplitSecure SSO endpoint |
| Sign-out page URL | https://app.splitsecure.com/saml2/sp/logout | SplitSecure logout endpoint |
| Change password URL | https://app.splitsecure.com/saml2/sp/password-change | Where users go to reset their password |
| Certificate | (Upload X.509 certificate) | Download from SplitSecure: Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Certificate |
- Click Upload certificate to upload the X.509 certificate from SplitSecure
- Click Save
4 Copy Service Provider (SP) Details
After saving, Google displays the SP Details section. Copy and save the Entity ID value - you’ll need it for SplitSecure configuration.
5 Configure Domain-specific Service URLs
- Navigate to Security → Authentication → Single sign-on (SSO) with third-party identity providers (IDPs)
- Click Domain-specific Service URLs
- Select Require users to enter their username on Google’s sign-in page first
6 Assign the SSO Profile to Users
- Navigate to Security → Authentication → SSO with third party IdP
- Click Manage SSO profile assignments
- Click Get started (first time) or Manage assignments
- Select the organizational unit or group to assign
- Under SSO profile assignment, choose Another SSO profile
- Select your newly created SplitSecure SAML profile from the dropdown
- Choose the sign-in option Prompt for Google username, then redirect to IdP
- Click Save
SplitSecure Configuration
1 Create the Google Workspace Secure Account
- In SplitSecure, navigate to Secure Accounts → Create Account → Google Workspace
- Enter a name for your account
- Select the Identity Provider used in the Google Workspace configuration
- Enter the SP Entity ID copied in Step 4 of Google Workspace Configuration (the ACS URL is filled in automatically)
- Click Create Account
Test Authentication
Tip
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
1 Test Authentication (SP-Initiated)
- Navigate to a Google Workspace service (e.g., mail.google.com)
- Enter a user email address from an organizational unit assigned to the SSO profile
- You should be redirected to SplitSecure for authentication
- Enter your email address when prompted
- Click Request Access
- Complete the authentication flow
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| User not redirected to IdP | SSO profile not assigned | Verify the user’s organizational unit has the SSO profile assigned |
| SAML assertion invalid | Certificate mismatch | Re-download the certificate from SplitSecure and re-upload to Google |
| User receives “Account not found” | Email mismatch | Ensure the SAML assertion email matches the Google Workspace email exactly |
| SSO works for some users but not others | Partial OU assignment | Check that all intended organizational units/groups have the profile assigned |
| “Sign in with Google” shown instead of SSO | Direct Google service access | Ensure sign-in option is set to redirect to IdP |
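The following is an added example, not SplitSecure or Google code. It is a diagnostic sketch for the "Certificate mismatch" and "Email mismatch" rows: it decodes a captured `SAMLResponse` value and compares it with what was configured, and goes slightly beyond the table by also checking Issuer and Audience against the two entity IDs. The function names, the sample response, the placeholder certificate bytes and the SP Entity ID are constructed assumptions.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(pem_or_b64):
    """SHA-256 over the DER bytes of a certificate given as PEM or bare base64."""
    body = re.sub(r"-----[A-Z ]+-----|\s", "", pem_or_b64)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def diagnose(saml_response_b64, idp_entity_id, sp_entity_id, google_email, uploaded_cert):
    """Return findings (empty = fields line up). Diagnostic only: does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else None
    findings = []
    issuer = text(".//a:Assertion/a:Issuer")
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} != IDP Entity ID {idp_entity_id!r}")
    audience = text(".//a:Audience")
    if audience != sp_entity_id:
        findings.append(f"Audience {audience!r} != SP Entity ID {sp_entity_id!r}")
    name_id = text(".//a:Subject/a:NameID")
    if name_id != google_email:
        hint = " (differs only by case)" if name_id and name_id.lower() == google_email.lower() else ""
        findings.append(f"NameID {name_id!r} != Google email {google_email!r}{hint}")
    embedded = text(".//ds:X509Certificate")
    if embedded is None:
        findings.append("No X509Certificate in the response; re-download and re-upload the certificate")
    elif cert_fingerprint(embedded) != cert_fingerprint(uploaded_cert):
        findings.append("Signing certificate differs from the one uploaded to Google")
    return findings

# Constructed sample data: not a real certificate, entity ID, or user.
CERT_A = base64.b64encode(b"constructed-cert-bytes-A").decode()
IDP, SP = "com.splitsecure.saml2.provider.example", "https://sp.example/constructed-entity-id"
SAMPLE = base64.b64encode(f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <a:Assertion><a:Issuer>{IDP}</a:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <a:Subject><a:NameID>Alice@example.com</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{SP}</a:Audience></a:AudienceRestriction></a:Conditions>
 </a:Assertion></p:Response>""".encode()).decode()

if __name__ == "__main__":
    print(diagnose(SAMPLE, IDP, SP, "alice@example.com", CERT_A))
```

To use it on a real login, pass the `SAMLResponse` form field captured in the browser's network tools during the test sign-in, along with the certificate file downloaded from SplitSecure.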
External Resources
- About SSO — SSO overview and concepts
- Setting up SSO — Step-by-step setup guide
- Super Administrator SSO — Super admin bypass behavior