You can set up SAML to work with your Google Workspace.
Google does not support hosting your SAML metadata XML file on their web services, but Kinde requires access to the file via URL so that certificates are always up to date. We recommend you host the file on a public web service that can be accessed by Kinde. For example, you could use an AWS S3 bucket, Cloudflare R2, or a public website.
Depending on your SAML setup, you may need to include advanced configurations for your connection. See Advanced SAML configurations.
You can make a connection available only to a specific organization, or you can create it so it can be used across any organization in your business.
Enter the Connection name. This name is what will appear on the button on the authentication screen. We will call it ‘Google Workspace’ for this example.
Enter an Entity ID. This field can be any mix of numbers and letters, as long as it matches your IdP configuration. Copy this somewhere you can access it later.
If you are adding this connection to a live environment, you will be prompted to enter an IdP Metadata URL before you can save. If you are not sure of the file location, enter any URL and we will update this later.
Enter a sign-in URL if your IdP requires a specific URL.
If you want, select the Sign request algorithm and Protocol binding. The options you choose will depend on what your identity provider prefers or requires.
Select a Name ID format. This helps identify and link user identities between your IdP and Kinde.
Enter an Email key attribute. This is the attribute in the SAML token that contains the user’s email. Setting this value ensures that the email address returned in the SAML response is correctly retrieved. We do not recommend leaving this field blank, but if you do, we will set ‘email’ as the attribute.
(Optional) Add a first name and last name key attribute.
Enter any relevant Home realm domains. This is how SAML recognizes a user’s credentials and routes them to the correct sign-in page. Note that home realm domains need to be unique across all connections in an environment. Read more about home realm domains.
If you use home realm domains, the sign-in button is hidden on the auth screen by default. To show the SSO button, select the Always show sign-in button option.
Copy the relevant reply URL:
If you want to enable just-in-time (JIT) provisioning for users, select the Create a user record in Kinde option. This saves time adding users manually or via API later.
(Temporary feature) Select if you want to treat this connection as a trusted provider. A trusted provider is one that guarantees the email they issue is verified.
(Optional) In the Sign SAML request section, paste in the Signed certificate and Private key. You may have received these from your IdP or generated them yourself (see the procedure above).
Enter any upstream params that you want to pass to the identity provider. Not all providers support this, so check their documentation first.
Select Save.
Complete the App details window:
Copy the Google Identity Provider details by selecting DOWNLOAD METADATA under Option 1. This is the file you will need to upload to a file storage location and provide a URL to finish setting up in Kinde.
Select Continue.
As mentioned at the start, you need to upload the metadata file that you downloaded to somewhere publicly accessible. This is because Google does not provide a publicly available URL for the metadata file.
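Before pointing Kinde at the hosted metadata URL, it is worth checking that the file you uploaded actually advertises the protocol binding, sign-in URL and Name ID format you entered in the connection form, and that it carries a signing certificate. The following is an added example, not Kinde's or Google's code; the metadata XML is a constructed sample with placeholder values, and the `kinde` dictionary mirrors the form fields described above.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of a downloaded IdP metadata file.
# Hostname, idp path and the truncated certificate are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out the fields the Kinde connection form depends on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_by_binding": {s.get("Binding"): s.get("Location")
                           for s in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": [c.text.strip() for c in idp.findall(".//ds:X509Certificate", NS)],
    }

def check_kinde_connection(metadata: dict, kinde: dict) -> list:
    """Return a list of mismatches between the form values and the IdP metadata."""
    problems = []
    sso = metadata["sso_by_binding"]
    if kinde["protocol_binding"] not in sso:
        problems.append("IdP does not offer the selected protocol binding")
    elif kinde.get("sign_in_url") and kinde["sign_in_url"] != sso[kinde["protocol_binding"]]:
        problems.append("sign-in URL differs from the IdP SingleSignOnService location")
    if metadata["name_id_formats"] and kinde["name_id_format"] not in metadata["name_id_formats"]:
        problems.append("Name ID format is not advertised by the IdP")
    if not metadata["signing_certs"]:
        problems.append("metadata carries no signing certificate")
    # A DER-encoded X.509 certificate always starts with a SEQUENCE tag (0x30).
    for cert in metadata["signing_certs"]:
        if not base64.b64decode(cert).startswith(b"\x30"):
            problems.append("signing certificate is not base64 DER X.509")
    return problems
```

Run the check again whenever Google rotates its certificate, since the hosted copy does not update itself.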
Once you have completed the above steps, you should be able to see a Google Workspace sign-in button on your product’s authentication screen. Note: if you gave the enterprise connection a different name in Kinde, the button will have the name you entered.
If you can’t see the button:
Try to sign in and hopefully - success!!