implementing-google-workspace-sso-configuration

Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized authentication and enforcing organization-wide access policies.

16 stars

Best use case

implementing-google-workspace-sso-configuration is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using implementing-google-workspace-sso-configuration should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/implementing-google-workspace-sso-configuration/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/implementing-google-workspace-sso-configuration/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-google-workspace-sso-configuration/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-google-workspace-sso-configuration Compares

| Feature / Agent | implementing-google-workspace-sso-configuration | Standard Approach |
|-----------------|-------------------------------------------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized authentication and enforcing organization-wide access policies.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Implementing Google Workspace SSO Configuration

## Overview

Single Sign-On (SSO) for Google Workspace allows organizations to authenticate users through their existing identity provider (IdP), such as Okta, Azure AD (Microsoft Entra ID), or ADFS, rather than managing separate Google passwords. It is implemented with the SAML 2.0 protocol: Google Workspace acts as the Service Provider (SP) and the organization's IdP handles authentication. SSO centralizes credential management, enforces MFA policies at the IdP, and enables immediate access revocation when users leave the organization.


## When to Use

- When deploying or configuring Google Workspace SSO with a third-party IdP in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Google Workspace Business, Enterprise, or Education edition
- Super Admin access to Google Admin Console
- Identity Provider with SAML 2.0 support (Okta, Azure AD, ADFS, Ping Identity)
- IdP signing certificate (X.509 PEM format, RSA or DSA)
- DNS verification for the Google Workspace domain

## Core Concepts

### SAML 2.0 SSO Flow

```
User navigates to Google Workspace app (Gmail, Drive, etc.)
        │
        ├── Google checks: Is SSO configured for this domain?
        │
        ├── YES → Redirect user to IdP Sign-In Page URL
        │          (SAML AuthnRequest sent via browser redirect)
        │
        ├── User authenticates at IdP (credentials + MFA)
        │
        ├── IdP generates SAML Response with signed assertion
        │
        ├── Browser POSTs SAML Response to Google ACS URL:
        │   https://www.google.com/a/{domain}/acs
        │
        ├── Google validates SAML signature against uploaded certificate
        │
        └── User is granted access to Google Workspace
```

### Key SAML Parameters

| Parameter | Value |
|-----------|-------|
| ACS URL | `https://www.google.com/a/{your-domain}/acs` |
| Entity ID | `google.com/a/{your-domain}` or `google.com` |
| NameID Format | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` |
| NameID Value | User's primary Google Workspace email |
| Binding | HTTP-POST (for ACS), HTTP-Redirect (for SSO URL) |
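The checks Google performs as SP in the flow above (Destination against the ACS URL, Audience against the entity ID, NameID format, the signing certificate against the uploaded one, and the validity window with clock-skew tolerance) can be reproduced as a small validator. This is an added example, not code from the skill or from Google; the SAML Response, issuer URL and certificate value are constructed placeholders, and the XML-DSig signature itself is not verified here (that requires an XML-DSig library).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed SAML Response of the kind the IdP POSTs to the Google ACS URL (all values made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://www.google.com/a/example.com/acs"><saml:Assertion>
 <saml:Issuer>https://idp.example.com/sso/saml</saml:Issuer>
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-CONSTRUCTED-CERT
 </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
 alice@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
 <saml:AudienceRestriction><saml:Audience>google.com/a/example.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def _utc(s):  # SAML timestamps are UTC with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, domain, idp_issuer, pinned_cert_b64, now, skew=timedelta(minutes=3)):
    """Return the failing SP-side checks (empty list = pass); XML-DSig itself is not verified here."""
    findings, root = [], ET.fromstring(xml_text)  # use defusedxml for untrusted input in production
    if root.get("Destination") != f"https://www.google.com/a/{domain}/acs":
        findings.append("Destination does not match the ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element in Response"]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        findings.append("assertion Issuer is not the configured IdP")
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None or "".join(cert.split()) != pinned_cert_b64:  # pin to the uploaded certificate
        findings.append("signing certificate differs from the uploaded verification certificate")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT or not (nid.text or "").strip():
        findings.append("NameID missing or not in emailAddress format")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return findings + ["no Conditions element (no audience or validity window)"]
    auds = {e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if not auds & {f"google.com/a/{domain}", "google.com"}:  # either form of the SP entity ID
        findings.append("Audience does not contain the Google Workspace entity ID")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _utc(nb) - skew:
        findings.append("assertion not yet valid (NotBefore; check IdP clock)")
    if na is None or now >= _utc(na) + skew:
        findings.append("assertion expired (NotOnOrAfter) or has no expiry")
    return findings
```

Running the validator against the same response with a different domain or certificate shows how a mis-set Entity ID or a rotated IdP certificate surfaces as distinct findings rather than a generic login failure.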

## Workflow

### Step 1: Prepare the Identity Provider

**For Okta:**
1. Navigate to Applications > Add Application > Search "Google Workspace"
2. Configure the Google Workspace app with your domain
3. Assign users/groups to the application
4. Download the IdP metadata or note: SSO URL, Entity ID, Certificate

**For Azure AD (Microsoft Entra ID):**
1. Navigate to Enterprise Applications > New Application > Google Cloud/Workspace
2. Configure Single sign-on > SAML
3. Set Basic SAML Configuration:
   - Identifier (Entity ID): `google.com`
   - Reply URL (ACS): `https://www.google.com/a/{your-domain}/acs`
   - Sign on URL: `https://www.google.com/a/{your-domain}/ServiceLogin`
4. Download Federation Metadata XML or Certificate (Base64)

**For ADFS:**
1. Add Relying Party Trust using federation metadata
2. Configure claim rules to pass NameID as email address
3. Export the token-signing certificate

### Step 2: Configure Google Workspace SSO

1. Sign in to Google Admin Console (admin.google.com) as Super Admin
2. Navigate to Security > Authentication > SSO with third-party IdP
3. Click "Add SSO profile" or configure the default profile

**Third-Party SSO Profile Settings:**

| Setting | Value |
|---------|-------|
| Set up SSO with third-party IdP | Enabled |
| Sign-in page URL | IdP's SAML SSO endpoint (e.g., `https://idp.example.com/sso/saml`) |
| Sign-out page URL | IdP's logout URL (e.g., `https://idp.example.com/slo`) |
| Change password URL | IdP's password change URL |
| Verification certificate | Upload IdP's X.509 signing certificate |
| Use a domain-specific issuer | Enabled (uses `google.com/a/{domain}` as entity ID) |

### Step 3: Assign SSO Profile to Users

SSO profiles can be applied at different scopes:

```
Organization-wide (all users)
    │
    ├── Org Unit level (specific departments)
    │   ├── Engineering OU → SSO via Okta
    │   ├── Marketing OU → SSO via Azure AD
    │   └── Contractors OU → SSO via specific IdP
    │
    └── Group level (specific security groups)
        └── VPN Users → SSO with additional MFA
```

1. Navigate to Security > Authentication > SSO with third-party IdP
2. Select the SSO profile to assign
3. Choose organizational units or groups
4. Save and wait for propagation (up to 24 hours, typically minutes)

### Step 4: Configure Network Masks (Optional)

Network masks control when SSO is enforced based on the user's IP:

- If the user's IP matches a network mask, they use Google's sign-in page
- If the user's IP does NOT match, they are redirected to the IdP

This is useful for allowing direct Google login from the corporate network while enforcing SSO for external access.

### Step 5: Test SSO

1. Open an incognito browser window
2. Navigate to `https://mail.google.com/a/{your-domain}`
3. Verify redirect to IdP sign-in page
4. Authenticate at the IdP
5. Verify successful redirect back to Google Workspace
6. Test sign-out flow redirects to IdP logout page
7. Test with user not assigned in IdP (should fail)

## Validation Checklist

- [ ] IdP SAML application configured with correct ACS URL and Entity ID
- [ ] IdP signing certificate uploaded to Google Admin Console
- [ ] SSO profile assigned to target organizational units/groups
- [ ] SAML assertion includes correct NameID (email format)
- [ ] MFA enforced at IdP for all Google Workspace users
- [ ] Sign-out URL configured to terminate IdP session
- [ ] Network masks configured if internal/external access differs
- [ ] Break-glass Super Admin accounts bypass SSO (use Google auth)
- [ ] SSO tested with multiple user types (admin, standard, contractor)
- [ ] SAML response signature validated successfully
- [ ] Error handling tested (expired cert, invalid user, clock skew)

## References

- [Google Workspace SSO Configuration Guide](https://support.google.com/a/answer/12032922)
- [Set Up Custom SAML App - Google](https://support.google.com/a/answer/6087519)
- [Okta Google Workspace SAML Guide](https://saml-doc.okta.com/SAML_Docs/How-to-Enable-SAML-2.0-in-Google-Apps.html)
- [SAML 2.0 Technical Overview - OASIS](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)
