Configuring SAML for Google Apps

Christian Pedersen
posted this on March 11, 2010 04:48 pm

Note that Google Apps disables SAML if you have checked Enable pre-release features under Domain Settings -> General.

To log users in to Google Apps for Domains without having to provision them with passwords, you can use the SAML-enabled Google Apps connector from OneLogin.

NOTE: Google Apps usernames are the email aliases of users. Do not give SAML access to your Google Apps account to anyone other than users on your domain. If you invite a user from another domain into your OneLogin account, you might accidentally give that user access to Google Apps.

Follow these steps to configure Google Apps and OneLogin for SAML:

  1. Click here to download your certificate file
  2. Log in to the Google Apps Dashboard
  3. Click Advanced tools then Set up single sign-on (SSO)
  4. In the field Sign-in page URL, insert the value from the App page in OneLogin
  5. In the field Sign-out page URL, insert https://app.onelogin.com/client/apps
  6. In the field Change password URL, insert https://app.onelogin.com/password
  7. Click Save changes
  8. In OneLogin, go to the dashboard and click Find apps
  9. Select the Google Apps connector
  10. Under Authentication method, click SAML
  11. In the Domain field, type the name of your Google Apps domain (e.g. 'mycompany.com')
  12. Click Update
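
The check below is an added example, not part of the original OneLogin article: it audits an exported list of OneLogin user emails against the domain entered in step 11 and reports the accounts the NOTE above warns about. It assumes the Google Apps username is the part of the email before the @; the function name and sample addresses are constructed for illustration.

```python
from collections import defaultdict


def audit_saml_users(emails, apps_domain):
    """Flag OneLogin users whose email is outside the Google Apps domain.

    Assumption: the Google Apps username is the local part (alias) of the
    user's email, so alice@partner.example would map to alice@<apps_domain>.
    Subdomains are treated as outside the domain (strict match).
    """
    apps_domain = apps_domain.strip().lower()
    in_domain = set()            # aliases owned by genuine domain users
    outside = defaultdict(list)  # alias -> out-of-domain emails using it
    malformed = []               # entries that are not user@domain

    for raw in emails:
        email = raw.strip().lower()
        local, sep, domain = email.rpartition("@")
        if not sep or not local or not domain:
            malformed.append(raw)
            continue
        if domain == apps_domain:
            in_domain.add(local)
        else:
            outside[local].append(email)

    findings = []
    for alias, addrs in sorted(outside.items()):
        for addr in sorted(addrs):
            findings.append({
                "user": addr,
                "maps_to": f"{alias}@{apps_domain}",
                # True when an existing domain user already owns that alias
                "collides": alias in in_domain,
            })
    return findings, malformed


# Constructed sample export; not real accounts.
SAMPLE_USERS = [
    "alice@mycompany.com",
    "Bob@MyCompany.com",
    "alice@partner.example",
    "carol@contractor.example",
    "not-an-email",
]

if __name__ == "__main__":
    findings, malformed = audit_saml_users(SAMPLE_USERS, "mycompany.com")
    for f in findings:
        print(f)
    print("malformed:", malformed)
```

Any finding with "collides" set to True is an outside user whose alias matches an existing mailbox on your domain; review those first, and withhold the Google Apps connector from every flagged user.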

POP3/IMAP Passwords

Once you enable SAML in Google Apps, users can no longer change the password their POP3/IMAP mail client uses to retrieve mail. Make sure you enter your administrator email and password when setting up the app, as this is required for users to set their mail client password via the dashboard. This is done by editing the Google Apps login and then selecting Change Password.

Please note:

  • The provisioning API must be enabled for your Google Apps account.
  • The credentials used for changing passwords must be those of a Google Apps account Super Admin.
  • You must log in to Google Apps as this user to accept the user agreement.

Linking directly to Mail, Docs, Calendar and Sites

You can use regular bookmarks to jump directly to Mail, Docs, Calendar and Sites. See this tip for how.