Overview

Google provides G-Suite customers with the ability to sign into their Google accounts using a SAML identity provider. This document covers the configuration necessary to get Google working with FusionAuth as the identity provider via SAML v2.

This document covers configuration for FusionAuth’s SAML v2 identity provider, where FusionAuth is the system of record for users, and other applications federate with FusionAuth.

If, on the other hand, you are looking for instructions on setting up FusionAuth as a SAML v2 service provider (i.e. you want to allow users to log into either FusionAuth’s UI or your applications via a third party SAML v2 identity provider), consult the SAML v2 Identity Provider documentation.

A bit confusing, we know. But in FusionAuth, Identity Providers are third party sources of record for user data.

Configure an application

The first step is to set up a new application for Google to connect to. This application can be named anything you want.

Under the SAML tab on the configuration page, you will need to specify these values:

In a new browser tab, open Google’s website and navigate to the Admin section. From here, click on the Security settings.

Google Security settings

On the Security settings page, scroll down and open the Set up single sign-on section.

Now you will copy and paste the URLs from the application view dialog in FusionAuth. Here’s what the application view dialog looks like:

Application view dialog

Scroll down to the SAML v2 Integration details section; here are the settings you need to copy and paste:

Next, you need to download the certificate file from FusionAuth and upload it to Google. In FusionAuth, go to KeyMaster under Settings in the left menu. Regardless of whether you created a key here or had FusionAuth generate one for you when you created the application, your key will appear in this list. Click the download icon for the key your application is using for SAML. This will download a ZIP file to your computer. Extract this ZIP file somewhere on your computer. This will create a directory named keys. Inside this directory will be a file named certificate.crt. You will need to upload this file to the Google security form under the Verification Certificate field.
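Before uploading, it helps to confirm exactly which certificate is being handed to Google. The script below is an added example, not FusionAuth's code: it reads the downloaded ZIP, computes the SHA-256 fingerprint of keys/certificate.crt so it can be compared with a fingerprint obtained from a trusted source, and lists any archive entry that contains private key material. It assumes the file is PEM or DER encoded; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import io
import ssl
import sys
import zipfile

CERT_NAME = "keys/certificate.crt"  # location named in the step above


def inspect_key_zip(zip_bytes):
    """Return (SHA-256 fingerprint of certificate.crt, entries holding private keys)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if CERT_NAME not in names:
            raise ValueError(f"{CERT_NAME} not found in archive: {names}")
        raw = zf.read(CERT_NAME)
        # Defensive check: only the certificate is meant for Google, so flag
        # any entry that carries a PEM private key of any type.
        private = [n for n in names if b"PRIVATE KEY-----" in zf.read(n)]
    if raw.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        der = ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    else:
        der = raw  # assumption: anything that is not PEM is already DER
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return fingerprint, private


def make_sample_zip(der, extra=None):
    """Build a constructed archive with the layout described above (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CERT_NAME, ssl.DER_cert_to_PEM_cert(der))
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed placeholder bytes, not a real certificate: the fingerprint is a
# hash over the DER bytes, so any byte string exercises the logic.
SAMPLE_DER = bytes(range(64))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_zip(SAMPLE_DER)
    fp, private = inspect_key_zip(data)
    print("SHA-256 fingerprint:", fp)
    if private:
        sys.exit(f"private key material in archive: {private}")
```

Run it with the path to the downloaded ZIP as the only argument; with no argument it runs against the constructed sample.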

Here is what the Google Security single sign-on form should look like once you have filled it all out properly:

Google single sign-on form

Save this configuration in Google and you should be all set. One thing to keep in mind is that Google does not use the SAML identity provider for admin accounts. Only standard user accounts will log in with FusionAuth in this way.