What is SSO? How to Implement SSO for Web SAML Applications

Single sign-on (SSO) lets users sign in to all their enterprise cloud applications using their managed Google account credentials. Google offers pre-integrated SSO with over 200 popular cloud applications.

To set up SAML-based SSO with a custom application that is not in the pre-integrated catalog, follow the steps below.

  1. Open your Google Admin Console.
  2. Select the “Security” option in the navigation panel on the left side of the screen.
  3. Under “Authentication”, select “SSO with SAML Application” and click Get started.
  4. Download the IdP metadata and share it with the application owner, so the app's details can be uploaded on the service provider side.
Set up your own custom SAML app

  1. In the Admin console, go to Menu > Apps > Web and mobile apps.
  2. Click Add App > Add custom SAML app.
  3. On the App Details page:
    • Enter the name of the custom app.
    • (Optional) Upload an app icon. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.
    Click Continue.
  4. On the Google Identity Provider details page, get the setup information needed by the service provider using one of these options:
    • Download the IdP metadata.
    • Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).
  5. (Optional) In a separate browser tab or window, sign in to your service provider and enter the information you copied in Step 4 into the appropriate SSO configuration page, then return to the Admin console.
  6. Click Continue.
  7. In the Service Provider Details window, enter the following values. The service provider supplies all of them.
    • ACS URL: The service provider's Assertion Consumer Service URL is responsible for receiving the SAML response and it must start with https://.
    • Entity ID: This is a globally unique name that the service provider gives you.
    • Start URL: (Optional) This is used to set the RelayState parameter in a SAML Request, which can be a URL to redirect to after authentication.
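The two halves of the exchange above are the IdP metadata you download from Google and the service-provider values you type back in. The following Python is an added example, not code from the article or from Google: it pulls the Entity ID, SSO URLs and signing certificate out of an IdP metadata file, derives the SHA-256 fingerprint the page mentions as an alternative to the certificate, and checks the service-provider values against the stated rules (ACS URL must be https). The metadata document, the idpid value and the certificate body are constructed placeholders; the check that the Start URL shares a host with the ACS URL is a defensive addition that the page does not mention, because an unvalidated RelayState is a redirect target the SP should constrain.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata in the shape Google exports. The idpid,
# the URLs and the certificate body ("YWJj" is just base64 of "abc") are
# placeholders, not real Google values.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>YWJj</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDP_ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDP_ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated uppercase hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    """Extract the values the service provider needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sso_urls = {}
    for el in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        # Key by the short binding name, e.g. "HTTP-POST" or "HTTP-Redirect".
        sso_urls[el.get("Binding").rsplit(":", 1)[-1]] = el.get("Location")
    fingerprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption keys are not what the SP pins for signature checks
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(cert_fingerprint(der))
    return {"entity_id": entity_id, "sso_urls": sso_urls, "cert_fingerprints": fingerprints}


def validate_sp_details(acs_url, entity_id, start_url=None):
    """Return a list of problems with the Service Provider Details; empty means OK."""
    problems = []
    acs = urlparse(acs_url)
    if acs.scheme != "https" or not acs.netloc:
        problems.append("ACS URL must be an absolute https:// URL")
    if not entity_id.strip():
        problems.append("Entity ID must not be empty")
    if start_url is not None:
        start = urlparse(start_url)
        if start.scheme != "https" or not start.netloc:
            problems.append("Start URL (RelayState) must be an absolute https:// URL")
        elif start.netloc != acs.netloc:
            # Added defensive check: keep the post-login redirect on the app's own host.
            problems.append("Start URL host differs from ACS URL host")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP Entity ID:", info["entity_id"])
    print("SSO URL (POST):", info["sso_urls"]["HTTP-POST"])
    print("Signing cert SHA-256:", info["cert_fingerprints"][0])
    print("SP problems:", validate_sp_details("https://app.example.com/saml/acs",
                                               "https://app.example.com/saml/metadata",
                                               "https://app.example.com/dashboard"))
```

Run it on the metadata file Google gives you instead of the embedded sample to get the same three values the Admin console shows on the Identity Provider details page; comparing the computed fingerprint with the one in the console is a quick way to confirm the file was not altered on its way to the application owner.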

(Optional) If your service provider requires the entire SAML authentication response to be signed, check the Signed Response box. If this is unchecked (the default), only the assertion within the response is signed. 

The default Name ID is the primary email. Multi-value input is not supported.
Tip: Check the setup articles in our SAML apps catalog for any Name ID mappings required for apps in the catalog. If needed, you can also create custom attributes, either in the Admin Console or via Google Admin SDK APIs, and map to those. You need to create custom attributes before setting up your SAML app.

Click Continue.

(Optional) On the Attribute mapping page, click Add another mapping to map additional attributes.
Note: You can define a maximum of 1500 attributes over all apps. Because each app has one default attribute, the total number includes the default attribute plus any custom attributes you add.

    • Under Google Directory attributes, click the Select field menu to choose a field name.
      Not all Google directory attributes are available in the drop-down list. If an attribute you want to map (for example, Manager's email) is not available, you can add that attribute as a custom attribute, which will make it available here for selection.
    • Under App attributes, enter the corresponding attribute for your custom SAML app.

(Optional) If you want to send a user’s group membership information in the SAML response, enter the group names that are relevant to this app in the Group membership field.
    • Under Google Groups, click on the Search for a group entry field.
    • Type one or more letters of the group name.
    • Choose the group name from the list.
    • Add additional groups as needed (total groups cannot exceed 75).
    • Under the App attribute, enter the service provider’s corresponding groups attribute name.

Note: Regardless of how many group names you enter, the SAML response will only include groups that a user is a member of (directly or indirectly). For more information, see About group membership mapping.

Click Finish.
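What the choices above produce is a SAML response whose assertion carries the Name ID (primary email by default), the mapped attributes, and a groups attribute holding only the groups the user actually belongs to, with a signature on the assertion alone unless Signed Response was checked. The Python below is an added example, not the article's or Google's code: it parses a constructed sample response, reports where the signature element sits so the SP can confirm it matches the Signed Response setting, and extracts the Name ID and attribute values. The response, the user, the attribute names and the group names are all constructed, and the signature is a placeholder. Finding a signature element is not the same as verifying it; the cryptographic check belongs to the SAML library the service provider uses.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: signature on the Assertion only (the default when
# "Signed Response" is unchecked), primary email as Name ID, two mapped
# attributes, and a groups attribute with only the user's memberships.
# The SignatureValue is a placeholder; nothing here is cryptographically valid.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE_IDP_ID</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE_IDP_ID</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>app-admins</saml:AttributeValue>
        <saml:AttributeValue>engineering</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def inspect_response(xml_text):
    """Report signature placement, Name ID and attribute values of a SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in Response")
    # A direct child ds:Signature of the Response covers the whole response;
    # a direct child of the Assertion covers the assertion only.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = assertion.find("ds:Signature", NS) is not None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def meets_signing_policy(info, require_signed_response):
    """True when a signature is present at the level the SP was configured to expect."""
    if require_signed_response:
        return info["response_signed"]
    return info["assertion_signed"]


def groups_for_app(info, app_groups_attribute="groups"):
    """Group names the IdP sent under the app's groups attribute (assumed name 'groups')."""
    return set(info["attributes"].get(app_groups_attribute, []))


if __name__ == "__main__":
    info = inspect_response(SAMPLE_RESPONSE)
    print("Name ID:", info["name_id"], "(", info["name_id_format"], ")")
    print("Response signed:", info["response_signed"], "| Assertion signed:", info["assertion_signed"])
    print("Groups:", sorted(groups_for_app(info)))
```

A mismatch between `meets_signing_policy` and the SP's configuration (for example, the SP expects a signed response but only the assertion is signed) is exactly the situation the Signed Response checkbox exists to resolve, and is worth catching in a test before the integration goes live.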

See the Google support article for further details on these steps.