Skip to content
  • Auth and access
  • Enterprise connections

Custom SAML with Google Workspace

You can set up SAML to work with your Google Workspace.

Hosting the SAML metadata XML file

Link to this section

Google does not support hosting your SAML metadata XML file on their web services, but Kinde requires access to the file via URL so that certificates are always up to date. We recommend you host the file on a public web service that can be accessed by Kinde. For example, you could use an AWS S3 bucket, Cloudflare R2, or public website.

Step 1: Add Google Workspace SAML in Kinde

Link to this section

💡 Sign in to both Kinde and the Google Workspace Admin Console in separate tabs or windows, so that you can switch back and forth.

  1. In Kinde, go to Settings > Authentication.
  2. Scroll down to Enterprise Connections and select Add connection.
  3. Select Custom SAML and then select Save.
  1. On the Custom SAML tile, select Configure.

  2. In the dialog that appears:

    1. Enter the Connection name. This name is what will appear on the button on the authentication screen. We will call it ‘Google Workspace’ for this example.
    2. Enter an Entity ID. This field can be any mix of numbers and letters, as long as it matches your IdP configuration. Copy this somewhere you can access it later.
    3. If you are adding this connection to a live environment, you will be prompted to enter an IdP Metadata URL before you can save. If you are not sure of the file location, enter any URL and we will update this later.
  3. Scroll down and copy the ACS URL. Paste the URL somewhere you can access it later.

  1. Select Save. We will need to get some information from Google Workspace Console to complete these fields.

Step 2: Configure Google Workspace Admin Console

Link to this section
  1. Sign in to your Google Workspace Admin Console.
  2. In the main menu, go to Apps > Web and Mobile Apps.
  3. Select Add App > Add custom SAML app.
  1. Complete the App details window:

    1. Enter a name in the App name field.
    2. Enter a Description for the app.
    3. If you want, upload an icon for the app.
    4. Select Continue.
  2. Copy the Google Identity Provider details by selecting DOWNLOAD METADATA under Option 1. This is the file you will need to upload to a file storage location and provide a URL to finish setting up in Kinde.

  3. Select Continue.

  1. Enter the Service provider details:
    1. Enter or paste in the ACS URL you copied from Kinde earlier.
    2. Enter or paste the Entity ID, this needs to match what was entered in Kinde earlier.
    3. Set the Name ID format as EMAIL.
    4. Select Continue.
  2. On the Attribute mapping page, select Finish.
  3. If you want to grant access to other users, select the chevron in the right corner of the User access panel. This opens additional options.
  1. If you want, you can change the access to suit your organization’s needs. You can do this per Organizational unit or switch ON for everyone.
  2. Select Save.

Step 3: Upload metadata file

Link to this section

As mentioned at the start, you need to upload the metadata file that you downloaded, to somewhere publicly accessible. This is because Google does not provide a publicly available URL for the metadata file.

  1. Upload the metadata file to your storage location.
  2. Copy the URL for the file.

Step 4: Complete Kinde configuration

Link to this section
  1. In Kinde, go to Settings > Authentication.
  2. Scroll down to Enterprise Connections.
  3. On the Google Workspace tile, select Configure.
  4. In the IdP metadata URL field, paste the URL for the metadata file.
  5. Select Save.

Test the connection

Link to this section

Once you have completed the above steps, you should be able to see a Google Workspace sign-in button on your product’s authentication screen. Note: if you gave the enterprise connection a different name in Kinde, the button will have the name you entered.

If you can’t see the button:

  • Check that the metadata URL and other connection details are correct in Kinde.
  • Check that user access is set up in your app, in the Google Workspace Console.

Try to sign in and hopefully - success!!

Delete an enterprise connection

Link to this section

⚠️ Before you delete a connection, make sure that there are no users relying on it for authentication. Once deleted, the sign in option becomes unavailable to users. This action can’t be reversed.

  1. In Kinde, go to Settings > Environment > Authentication.
  2. Scroll down to the Enterprise connections section and select the three dots on the tile for the connection, then select Delete connection.
  3. In the confirmation window, select Delete connection.