
Set up SSO with Google Workspace (SAML 2.0)

Learn how to configure single sign-on (SSO) between Yokoy and Google Workspace using SAML 2.0.

Written by Yokoy Team
Updated over a month ago

🌐 Web | 👤 Organization admin

To set up Yokoy to use Google Workspace with SAML 2.0, you need to configure both Yokoy and your Google Workspace configuration. Depending on the step, you may need to perform actions in Yokoy or in Google Workspace.

To set up SSO to allow users to sign into Yokoy with Google Workspace:


Set up the domain(s) and authentication protocol

In Yokoy, go to Admin > Organization, Authentication tab.

🚧 Caution

Make sure the Authentication feature has been enabled for your organization. Otherwise, you won’t be able to see this tab.

Add your company’s domain by clicking +Add domain. Make sure to use the format yourcompany.com. Click Save. You can add multiple domains for your organization. For example, if your company has different domains for various countries, make sure to add them all here (i.e. company.it, company.ch, company.de).

Once you have added all domains, you can determine the desired authentication method. Click Add provider and select the SAML protocol.

Get SP entity ID and ACS URL

Once SAML is selected, Yokoy displays:

  • SP entity ID

  • ACS URL

Copy both values (use the copy icon beside each field); you need them to configure Google Workspace to communicate with Yokoy as part of a service provider-initiated flow.

✏️ Note

If you want to set up an identity provider initiated flow, you need to contact Yokoy to set this up.

Create custom SAML app

Go to the Google Workspace admin app and click Apps > Web and mobile apps. Click Add app > Add custom SAML.

Add the SP entity ID and ACS URL

In the Service Provider Details window, add the information you copied from Yokoy:

  • ACS URL: add the URL displayed in Yokoy’s ACS URL field.

  • Entity ID: add the string displayed in Yokoy’s SP entity ID field.

💡 Tip

In the Name field, you can add a name e.g. “Yokoy” and add the respective icon (optional), then click Continue.

Download the IdP metadata

On the Google Identity Provider details page, copy the SSO URL and download the Certificate. Yokoy requires the POST binding SSO URL and the X509 certificate.

Alternatively, you can download the IdP metadata file and take both values from it. The certificate is inside the IDPSSODescriptor element; search the file for that string to find it.

💡 Tip
You can use any browser to open the XML metadata file and select the specific parts of the XML file you would need.

Configure certificate and IdP login URL in Yokoy

Paste the X509 Certificate in the Certificate field and the POST binding SSO URL in the IdP login URL field in Yokoy.

When pasting the certificate, make sure:

  • Include only the base64 certificate text itself (the string between the XML tags).

  • DO NOT include XML tags (e.g. </ds:X509Certificate>)

  • There are no line breaks.
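The following script is an added example, not part of the Yokoy article or of Google’s tooling. It pulls the POST binding SSO URL and the X509 certificate out of a downloaded IdP metadata file and checks the certificate text against the three pasting rules above. The metadata XML embedded in it is constructed (with a placeholder certificate body that is base64 of dummy bytes, not a real certificate), and the function and field names are this example’s own.

```python
"""Pull the POST-binding SSO URL and the X509 certificate out of a SAML 2.0
IdP metadata file, and check a certificate string against the pasting rules
(no XML tags, no line breaks, base64 text only). Added example; not Yokoy code."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PEM_MARKERS = ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----")

# Constructed sample in the shape of a Google Workspace IdP metadata export.
# The certificate body is base64 of placeholder bytes, not a real X.509 certificate,
# and is wrapped over two lines the way metadata files often are.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            TUlJQ0VYQU1QTEUt
            UExBQ0VIT0xERVI=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def certificate_problems(pasted: str) -> list:
    """Return the pasting rules that the given certificate text violates
    (an empty list means it is safe to paste into the Certificate field)."""
    problems = []
    if "<" in pasted or ">" in pasted:
        problems.append("contains XML tags")
    if any(ch.isspace() for ch in pasted):
        problems.append("contains line breaks or other whitespace")
    if any(marker in pasted for marker in PEM_MARKERS):
        problems.append("contains PEM BEGIN/END CERTIFICATE lines")
    if not problems:
        try:
            base64.b64decode(pasted, validate=True)
        except ValueError:
            problems.append("is not valid base64")
    return problems


def normalise_certificate(raw: str) -> str:
    """Turn the raw element text (possibly wrapped over several lines, possibly
    with PEM markers) into the single-line base64 string Yokoy expects."""
    text = raw
    for marker in PEM_MARKERS:
        text = text.replace(marker, "")
    single_line = "".join(text.split())  # drop every line break and space
    problems = certificate_problems(single_line)
    if problems:
        raise ValueError("certificate text " + "; ".join(problems))
    return single_line


def extract_idp_settings(metadata_xml: str) -> dict:
    """Read the IDPSSODescriptor and return the two values Yokoy needs:
    the HTTP-POST SingleSignOnService location and the signing certificate."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor element")

    # Pick the POST binding explicitly; Google often lists the Redirect binding
    # with the same Location, but Yokoy asks for the POST one.
    post_urls = [
        svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
        if svc.get("Binding") == POST_BINDING
    ]
    if not post_urls:
        raise ValueError("metadata has no HTTP-POST SingleSignOnService")

    # Use the signing key (a KeyDescriptor with use="signing" or no use attribute).
    cert_el = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert_el is not None:
                break
    if cert_el is None or not cert_el.text:
        raise ValueError("metadata has no signing X509Certificate")

    return {
        "idp_login_url": post_urls[0],
        "certificate": normalise_certificate(cert_el.text),
    }


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    print("IdP login URL:", settings["idp_login_url"])
    print("Certificate:  ", settings["certificate"])
```

Run it against the real file with `extract_idp_settings(open("GoogleIDPMetadata.xml").read())` (the file name is an assumption; use whatever the Google admin console gave you). The stdlib parser is adequate for a file you downloaded from your own admin console; if you ever process metadata from a source you do not control, parse it with defusedxml instead to avoid entity-expansion problems.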

✏️ Note

The SSO URL doesn’t require any authentication and you can immediately see whether it’s valid by opening it in a browser. This can help to eliminate some issues resulting from incorrect configuration.

Add a button label for the SSO log-in button

Finally, you can add a label to the button that is displayed to the end user by entering it in Button text. The label is prefixed with Sign in with. For example, the text displayed is GSuite (SAML 2.0). Click Save.

Test the SSO configuration

Once you have finished the configuration, proceed with testing. Once you enter an email with the company’s domain, you see the SSO option. For example, you see an additional button above the password option: Sign in with GSuite (SAML 2.0).

Set up a test user that you can use to test the full flow and confirm SSO is correctly configured. The test can include clicking the SSO button, which shows whether the application is configured correctly. If not, you may see errors such as “missing application”.

💡 Tip

If the button does not show, check:

  • Environment: check that you have configured the correct environment (sandbox/production).

  • Domain: make sure the email domain is spelled correctly and matches the one configured.

Disable password authentication

Once you have verified that SSO is set up correctly and users can log in via SSO, you can disable password authentication for the organization to prevent login issues. This step is recommended, but you can choose to allow both authentication methods.

To do this, go to Admin > Organization, Authentication tab and turn off the Enable password toggle.
