Google Workspace Legacy SAML Integration Guide
Prerequisites
- Super Administrator access to the Google Admin Console
- A SplitSecure Identity Provider created and approved
- The Security settings administrator privilege in Google Workspace
- A separate browser or browser profile with SplitSecure configured (for testing)
Google Workspace Configuration
1 Add a New Identity Provider
- Log in to the Google Admin Console
- Navigate to Security → Authentication → Single sign-on (SSO) with third-party identity providers (IDPs)
2 Access Legacy SSO Profile Settings
- In the Third-party SSO profiles section, click Add SAML profile
- At the bottom of the IdP details page, click Go to legacy SSO profile settings
- Check the Enable SSO with third-party identity provider box
3 Configure IdP Details
Gather the following values from SplitSecure before proceeding:
- In SplitSecure, go to Secure Accounts → SAML2 Identity Providers
- Click Details on the desired identity provider
- Note the values below and download the certificate
| Field | Value | Notes |
|---|---|---|
| Sign-in page URL | https://app.splitsecure.com/saml2/sp/login | SplitSecure SSO endpoint (must use HTTPS) |
| Sign-out page URL | https://app.splitsecure.com/saml2/sp/logout | SplitSecure logout endpoint (must use HTTPS) |
| Certificate | (Upload X.509 certificate) | Download from SplitSecure: Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Certificate |
| Change password URL | https://app.splitsecure.com/saml2/sp/password-change | Where users go to reset their password |
- Click Upload certificate to upload the X.509 certificate from SplitSecure
- Check Use a domain specific issuer
- Click Save
The Legacy SSO profile will appear in the SSO profiles table.
4 Assign the SSO Profile to Users
- Navigate to Security → Authentication → SSO with third party IdP
- Click Manage SSO profile assignments
- Click Get started (first time) or Manage assignments
- Select the organizational unit or group to assign
- Under SSO profile assignment, choose Another SSO profile
- Select your newly created SplitSecure SAML profile from the dropdown
- Click Save
5 Create Administrator Account
- Navigate to Directory → Users
- Click Add new user
- Create a user, then click the newly created user
- Click Change organizational unit and add the user to the same organizational unit selected in Step 4
- Click Admin roles and privileges and add Services Administrator
6 Configure Domain-specific Service URLs
- Navigate to Security → Authentication → Single sign-on (SSO) with third-party identity providers (IDPs)
- Click Domain-specific Service URLs
- Select Require users to enter their username on Google’s sign-in page first
SplitSecure Configuration
1 Create the Google Workspace Legacy Secure Account
- In SplitSecure, navigate to Secure Accounts → Create Account → Google Workspace Legacy
- Enter a name for your account
- Select the Identity Provider used in the Google Workspace configuration
- For the domain, enter your organization’s primary Google Workspace domain
- (Optional) Provide a default email address that will be proposed when prompted to authenticate
Test Authentication
Tip
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
1 Test Authentication (SP-Initiated)
- Navigate to a Google Workspace service (e.g., mail.google.com)
- Enter a user email address from your Google Workspace domain
- You should be redirected to SplitSecure for authentication
- Enter your email address when prompted
- Click Request Access
- Complete the authentication flow
Note
Super administrators bypass SSO by default for security. This is expected behavior.
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| User not redirected to IdP | SSO not enabled | Verify “Enable SSO with third-party identity provider” is checked |
| SAML assertion invalid | Certificate mismatch | Re-download the certificate from SplitSecure and re-upload to Google |
| User receives “Account not found” | Email mismatch | Ensure the SAML assertion email matches the Google Workspace email exactly |
| Entity ID mismatch error | Domain-specific issuer mismatch | Ensure SplitSecure Entity ID matches your domain-specific issuer setting |
| Super admin cannot use SSO | Expected behavior | Super administrators bypass SSO by default for security |
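
To narrow down the "SAML assertion invalid" and "Account not found" rows above, the following added example (not SplitSecure or Google code) decodes a SAMLResponse captured from your own test sign-in and compares its NameID and embedded certificate against the Google Workspace email and the certificate downloaded from SplitSecure. It assumes the response embeds the signing certificate in `ds:X509Certificate`, which is common but not stated on this page; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armor lines and decode the base64 body to DER."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def sha256_fp(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def diagnose(saml_response_b64: str, idp_cert_pem: str, workspace_email: str) -> dict:
    """Diagnostic only: compares values, does NOT verify the XML signature."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(xml)
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    cert_b64 = root.findtext(".//ds:X509Certificate", None, NS)
    cert_ok = None  # None: the response embeds no certificate to compare
    if cert_b64:
        embedded = base64.b64decode("".join(cert_b64.split()))
        cert_ok = sha256_fp(embedded) == sha256_fp(pem_to_der(idp_cert_pem))
    return {
        "name_id": name_id,
        "email_exact_match": name_id == workspace_email,
        "differs_only_by_case": name_id != workspace_email
                                and name_id.lower() == workspace_email.lower(),
        "cert_matches_download": cert_ok,
    }

# Constructed sample data: placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder standing in for certificate DER bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def sample_response(name_id: str, der: bytes) -> str:
    """Build a minimal, unsigned SAML Response (constructed) for the checks above."""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"><saml:Assertion>'
           f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
           f'{base64.b64encode(der).decode()}</ds:X509Certificate></ds:X509Data>'
           f'</ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID>{name_id}'
           f'</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Calling `diagnose(sample_response("Alice@example.com", SAMPLE_DER), SAMPLE_PEM, "alice@example.com")` reports a matching certificate but a NameID that differs from the Google Workspace email only by case, which is the "Email mismatch" row.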
External Resources
- About SSO — SSO overview and concepts
- Setting up SSO — Step-by-step setup guide
- Super Administrator SSO — Super admin bypass behavior