Google does not support hosting your SAML metadata XML file on their web services, but Kinde requires access to the file via URL so that certificates are always up to date. We recommend you host the file on a public web service that can be accessed by Kinde. For example, you could use an AWS S3 bucket, Cloudflare R2, or a public website.
Scroll down to Enterprise Connections and select Add connection.
Select Google Workspace and then select Save.
On the Google Workspace tile, select Configure.
In the dialog that appears:
Enter the Connection name. This name is what will appear on the button on the authentication screen. We will call it ‘Google Workspace’ for this example.
Enter an Entity ID. This field can be any mix of numbers and letters, as long as it matches your IdP configuration. Copy this somewhere you can access it later.
If you are adding this connection to a live environment, you will be prompted to enter an IdP Metadata URL before you can save. If you are not sure of the file location, enter any URL and we will update this later.
Scroll down and copy the ACS URL. Paste the URL somewhere you can access it later.
Select Save. We will need to get some information from Google Workspace Console to complete these fields.
In the main menu, go to Apps > Web and Mobile Apps.
Select Add App > Add custom SAML app.
Complete the App details window:
Enter a name in the App name field.
Enter a Description for the app.
If you want, upload an icon for the app.
Select Continue.
Copy the Google Identity Provider details by selecting DOWNLOAD METADATA under Option 1. This is the file you will need to upload to a file storage location and provide a URL to finish setting up in Kinde.
Select Continue.
Enter the Service provider details:
Enter or paste in the ACS URL you copied from Kinde earlier.
Enter or paste the Entity ID. This needs to match what was entered in Kinde earlier.
Set the Name ID format as EMAIL.
Select Continue.
On the Attribute mapping page, select Finish.
If you want to grant access to other users, select the chevron in the right corner of the User access panel. This opens additional options.
If you want, you can change the access to suit your organization’s needs. You can do this per Organizational unit or switch ON for everyone.
As mentioned at the start, you need to upload the metadata file that you downloaded to somewhere publicly accessible. This is because Google does not provide a publicly available URL for the metadata file.
Upload the metadata file to your storage location.
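Kinde reads the IdP certificate from the hosted file, so it is worth confirming that the copy at your storage location still matches the file you downloaded from Google. The Python below is an added example, not Kinde or Google code; the sample metadata, the idp.example URLs, and the certificate bytes are constructed placeholders, and in practice you would pass in the downloaded file and the bytes fetched from your metadata URL.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_metadata(xml_bytes):
    """Return the IdP fields a service provider ends up trusting."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element")
    certs = set()
    for node in idp.findall(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join((node.text or "").split()))
        certs.add(hashlib.sha256(der).hexdigest())  # fingerprint of the decoded bytes
    sso = {s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "cert_sha256": certs}

def audit_hosted_copy(downloaded, hosted):
    """Compare the hosted copy against the file downloaded from the IdP."""
    want, got = summarize_metadata(downloaded), summarize_metadata(hosted)
    findings = [f"{k} differs from the downloaded file" for k in want if want[k] != got[k]]
    if not got["cert_sha256"]:
        findings.append("no signing certificate present")
    findings += [f"SSO endpoint is not HTTPS: {u}" for u in sorted(got["sso_urls"])
                 if not u.startswith("https://")]
    return findings

# Constructed sample, not a real Google file; the "certificate" is placeholder bytes.
TEMPLATE = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://idp.example/o/saml2?idpid=PLACEHOLDER">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>'
    '</ds:KeyInfo></md:KeyDescriptor>'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="{sso}"/></md:IDPSSODescriptor></md:EntityDescriptor>'
)

def sample(cert_bytes, sso="https://idp.example/o/saml2/idp"):
    return TEMPLATE.format(cert=base64.b64encode(cert_bytes).decode(), sso=sso).encode()

DOWNLOADED = sample(b"constructed-cert-A")
if __name__ == "__main__":
    print(audit_hosted_copy(DOWNLOADED, sample(b"constructed-cert-B")))
```

An empty list means the hosted copy carries the same entity ID, sign-in endpoints, and certificate fingerprints as the downloaded file; any finding is a reason to re-upload the file and review who can write to the storage location.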
Once you have completed the above steps, you should be able to see a Google Workspace sign-in button on your product’s authentication screen. Note: if you gave the enterprise connection a different name in Kinde, the button will have the name you entered.
If you can’t see the button:
Check that the metadata URL and other connection details are correct in Kinde.
Check that user access is set up in your app, in the Google Workspace Console.