Skip to content
Visit Kinde’s marketing website Kinde Docs
  • Auth and access
  • Enterprise connections

Custom SAML with Google Workspace

You can set up SAML to work with your Google Workspace.

Hosting the SAML metadata XML file

Link to this section

Google does not support hosting your SAML metadata XML file on their web services, but Kinde requires access to the file via URL so that certificates are always up to date. We recommend you host the file on a public web service that can be accessed by Kinde. For example, you could use an AWS S3 bucket, Cloudflare R2, or public website.

Step 1: Add Google Workspace SAML in Kinde

Link to this section

You can make a connection available only to a specific organization, or you can create it so it can be used across any organization in your business.

Add a connection for a specific organization

Link to this section
  1. Go to Organizations and open the organization.
  2. In the menu, select Authentication, then select Add connection.
  3. In the Add connection window, select New enterprise connection, then click Next.
  4. Select the connection type you want and then select Next.
  5. Next: ‘Step 2: Configure the connection’.

Add a connection that can be shared across multiple organizations

Link to this section
  1. Go to Settings > Environment > Authentication.
  2. Scroll to the Enterprise connection section and select Add connection. The Add connection window opens.
  3. Select the connection type you want and then select Save.
  4. On the tile for the new connection, select Configure.
  5. Next: ‘Step 2: Configure the connection’.

Step 2: Configure the connection

Link to this section

  1. Enter the Connection name. This name is what will appear on the button on the authentication screen. We will call it ‘Google Workspace’ for this example.

  2. Enter an Entity ID. This field can be any mix of numbers and letters, as long as it matches your IdP configuration. Copy this somewhere you can access it later.

  3. If you are adding this connection to a live environment, you will be prompted to enter an IdP Metadata URL before you can save. If you are not sure of the file location, enter any URL and we will update this later.

  4. Enter Home realm domains. This speeds up the sign in process for users of those domains. Note that all home realm domains must be unique across all connections in an environment. For more information about how, see Home realm domains or IdP discovery.

  5. If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the Always show sign-in button option.

  6. Scroll down and copy the ACS URL. Paste the URL somewhere you can access it later.

  7. Select provisioning options.

  8. Add a signed certificate and key if you have it. You can also do this later.

  9. Select Save. We need to get some information from Google Workspace Console to complete these fields.

Step 3: Configure Google Workspace Admin Console

Link to this section
  1. Sign in to your Google Workspace Admin Console.
  2. In the main menu, go to Apps > Web and Mobile Apps.
  3. Select Add App > Add custom SAML app.

  1. Complete the App details window:

    1. Enter a name in the App name field.
    2. Enter a Description for the app.
    3. If you want, upload an icon for the app.
    4. Select Continue.

  2. Copy the Google Identity Provider details by selecting DOWNLOAD METADATA under Option 1. This is the file you will need to upload to a file storage location and provide a URL to finish setting up in Kinde.

  3. Select Continue.

  1. Enter the Service provider details:
    1. Enter or paste in the ACS URL you copied from Kinde earlier.
    2. Enter or paste the Entity ID, this needs to match what was entered in Kinde earlier.
    3. Set the Name ID format as EMAIL.
    4. Select Continue.
  2. On the Attribute mapping page, select Finish.
  3. If you want to grant access to other users, select the chevron in the right corner of the User access panel. This opens additional options.

  1. If you want, you can change the access to suit your organization’s needs. You can do this per Organizational unit or switch ON for everyone.
  2. Select Save.

Step 4: Upload metadata file

Link to this section

As mentioned at the start, you need to upload the metadata file that you downloaded, to somewhere publicly accessible. This is because Google does not provide a publicly available URL for the metadata file.

  1. Upload the metadata file to your storage location.
  2. Copy the URL for the file.

Step 5: Complete Kinde configuration

Link to this section
  1. In Kinde, go to Settings > Authentication.
  2. Scroll down to Enterprise Connections.
  3. On the Google Workspace tile, select Configure.
  4. In the IdP metadata URL field, paste the URL for the metadata file.
  5. Switch on the connection. This will make it instantly available to users if this is your production environment.
    1. For environment-level connections, scroll down and select the apps that will use the auth method.
    2. For organization-level connections, scroll down and select if you want to switch this on for the org.
  6. Select Save.

Test the connection

Link to this section

Once you have completed the above steps, you should be able to see a Google Workspace sign-in button on your product’s authentication screen. Note: if you gave the enterprise connection a different name in Kinde, the button will have the name you entered.

If you can’t see the button:

  • Check that the metadata URL and other connection details are correct in Kinde.
  • Check that user access is set up in your app, in the Google Workspace Console.

Try to sign in and hopefully - success!!

Related articles

Useful links

  • Join the community

    Get support from the Kinde team and expert users in the Kinde community

    Join via Slack or Discord

  • Contact support

    Chat to support through the Kinde help widget, or send a question via email

    Send an email