Google Workspace SAML Integration Guide

This guide walks through configuring Beyond Identity as a third-party Identity Provider (IdP) for Google Workspace using Security Assertion Markup Language (SAML 2.0).


Prerequisites

  • Google Workspace admin access (Super Admin recommended)
  • Beyond Identity admin console access
  • Users provisioned in both systems with matching email addresses

Part 1: Create a Security Group in Google Workspace

Before enabling SSO, create a security group to control which users authenticate via Beyond Identity.

  1. Sign in to Google Admin Console
  2. Navigate to Directory → Groups
  3. Click Create group
  4. Configure the group:
    • Name: Beyond Identity SSO Users (or your preferred name)
    • Description: Users who authenticate via Beyond Identity
    • Group email: Choose an appropriate address
  5. Set Who can join the group to Only invited users
  6. Click Create group
  7. Add members:
    • Open the newly created group
    • Click Members → Add members
    • Add users who should authenticate via Beyond Identity

Note: Start with a small pilot group before rolling out to all users.


Part 2: Create SAML Profile in Google (Get ACS URL & Entity ID)

Create the SAML profile in Google first to obtain the ACS URL and SP Entity ID needed for Beyond Identity.

  1. Sign in to Google Admin Console
  2. Navigate to Security → Authentication → SSO with third party IdP
  3. Click ADD SAML PROFILE (top right)
  4. Enter only the SSO profile name: Beyond Identity
  5. Under Autofill email, select Don't use login hints
  6. Click Save
  7. Click on the Beyond Identity profile you just created
  8. Google now displays the Service provider (SP) details:
    • Entity ID
    • ACS URL
  9. Copy both values — you'll need these for Beyond Identity

Important: The ACS URL contains your organization-specific identifier. Copy it precisely as shown.


Part 3: Configure SAML Application in Beyond Identity

Create a SAML application in Beyond Identity using the ACS URL and Entity ID from Google.

  1. Sign in to the Beyond Identity Admin Console
  2. Navigate to Integrations in the left sidebar
  3. Select the SAML tab
  4. Click to add a new SAML connection
  5. Configure all fields as follows:

    | Field | Value | Notes |
    |-------|-------|-------|
    | Import SP Metadata File (Optional) | Skip | You can upload Google's SP metadata XML if available, otherwise configure manually |
    | Name | Google Workspace | Display name for this integration |
    | SP Single Sign On URL | <ACS URL from Google in Part 2> | The URL Google provided after saving the SAML profile |
    | SP Audience URI | <Entity ID from Google in Part 2> | The Entity ID Google provided after saving the SAML profile |
    | Name ID Format | unspecified | Default value; Google accepts this format |
    | Subject User Attribute | UserName | Default value; maps the user identifier |
    | Request Binding | http redirect | Default value; how SAML requests are sent |
    | Authentication Context Class | X509 | Default value; indicates certificate-based authentication |
    | Signed Response | SIGNED (enabled) | Keep enabled for security |
    | X509 Signing Certificate (Optional) | Skip | Only needed if Google requires signed requests |
    | Encryption Certificate (Optional) | Skip | Only needed if Google requires encrypted assertions |

  6. Click Save Changes
  7. After saving, Beyond Identity displays the connection in the list with these values. Copy:
    • IdP ID
    • IdP SSO URL
    • IdP Issuer
  8. Click the certificate icon to download the X.509 Certificate for upload to Google

Part 4: Complete SAML Profile in Google Workspace

Return to Google to add the Beyond Identity details to your SAML profile.

  1. In Google Admin Console, go to Security → Authentication → SSO with third party IdP
  2. Click on your Beyond Identity profile
  3. Under IDP details, click Add next to each field to enter the values:

    | Field | Value |
    |-------|-------|
    | IDP entity ID | <IdP ID from Beyond Identity> |
    | Sign-in page URL | <IdP SSO URL from Beyond Identity> |
    | Sign-out page URL (Optional) | <IdP Issuer from Beyond Identity> |
    | Change password URL (Optional) | Add if you have a self-service portal |

  4. Under Verification certificate, click Upload certificate
  5. Upload the X.509 certificate downloaded from Beyond Identity
  6. Click Save

Part 5: Configure Attribute Mapping (If Required)

Google Workspace expects specific attributes in the SAML assertion.

Required Attributes

| SAML Attribute | Value | Notes |
|----------------|-------|-------|
| NameID | User's primary email | Must match Google Workspace email |

Optional Attributes

| SAML Attribute | Google Attribute | Purpose |
|----------------|------------------|---------|
| firstName | first_name | User's first name |
| lastName | last_name | User's last name |

Configure these mappings in Beyond Identity under your SAML application's Attribute Statements section.


Part 6: Assign SSO Profile to Security Group

  1. In Google Admin Console, go to Security → Authentication → SSO with third party IdP
  2. Under Manage SSO profile assignments, click MANAGE
  3. Select Groups
  4. Assign the Beyond Identity SAML profile to your Beyond Identity SSO Users group
  5. Click Save

Part 7: Verification & Testing

Test the Integration

  1. Open a new incognito/private browser window
  2. Navigate to Google Workspace login
  3. Enter the email address of a user in the SSO security group
  4. You should be redirected to Beyond Identity for authentication
  5. Complete authentication via Beyond Identity
  6. Verify successful redirect back to Google Workspace
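
If the test sign-in fails, the base64 SAMLResponse value that the browser posts to the ACS URL can be checked against the settings from Parts 2 to 5. The script below is an added example, not code from Beyond Identity or Google; `check_response`, `sample_response` and every URL and address in it are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder values; substitute the ones copied in Parts 2 and 4.
ACS_URL = "https://sp.example.test/acs/placeholder"
SP_ENTITY_ID = "https://sp.example.test/entity/placeholder"
IDP_ENTITY_ID = "https://idp.example.test/placeholder"

def sample_response(audience=SP_ENTITY_ID, name_id="pilot@example.test", signed=True):
    """Build a constructed, base64-encoded SAMLResponse for demonstration."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">%s'
           '<saml:Assertion><saml:Issuer>%s</saml:Issuer><saml:Subject>'
           '<saml:NameID>%s</saml:NameID><saml:SubjectConfirmation>'
           '<saml:SubjectConfirmationData Recipient="%s"/></saml:SubjectConfirmation>'
           '</saml:Subject><saml:Conditions><saml:AudienceRestriction>'
           '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions></saml:Assertion></samlp:Response>'
           % (NS["samlp"], NS["saml"], ACS_URL, sig, IDP_ENTITY_ID,
              name_id, ACS_URL, audience))
    return base64.b64encode(xml.encode()).decode()

def check_response(b64, acs_url, sp_entity_id, idp_entity_id, email):
    """List mismatches between a captured response and the guide's settings.
    Diagnostic only: signature presence is checked, not its validity."""
    root = ET.fromstring(base64.b64decode(b64))

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else None

    scd = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/"
                    "saml:SubjectConfirmationData", NS)
    audience = text("saml:Assertion/saml:Conditions/"
                    "saml:AudienceRestriction/saml:Audience")
    name_id = text("saml:Assertion/saml:Subject/saml:NameID") or ""
    checks = [
        (root.get("Destination") == acs_url, "Destination != ACS URL (Part 2)"),
        (scd is not None and scd.get("Recipient") == acs_url,
         "Recipient != ACS URL (Part 2)"),
        (audience == sp_entity_id, "Audience != SP Entity ID (Part 2)"),
        (text("saml:Assertion/saml:Issuer") == idp_entity_id,
         "Issuer != IDP entity ID (Part 4)"),
        # Email addresses are compared case-insensitively here.
        (name_id.lower() == email.lower(), "NameID != user's primary email (Part 5)"),
        (root.find("ds:Signature", NS) is not None, "Response not signed (Part 3)"),
    ]
    return [msg for ok, msg in checks if not ok]
```

An empty list means the response is consistent with the configured values; each returned string names the part of this guide to revisit.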