Google Workspace SAML Configuration

This article will help you on how to integrate Google Workspace into Safous ZTNA service as the external Identity Provider for authentication. Before continuing the steps in this article, please ensure you already have:

  • Know the basic information about Safous ZTNA SAML configuration in here.
  • Have account in Google Workspace with Admin privilege



The steps need to applied in both ends (Google and Safous), so ensure you are already logged-in on both admin portal page and proceed with following these steps:

  1. Login to your Google Workspace portal
  2. Go to Apps > Web and mobile apps

  3. Click on Add app and choose Add custom SAML app
  4. Input the App name, which is the required value. You also can add detail description and changed the app icon if you want. Then click Continue
  5. It will open the detail about IdP metadata that provided by Google Workspace
  6. login to
  7. Go to Settings tab> ZTNA
  8. In Configurations, choose Identity Provider
  9. It will open the list of identity providers that have been integrated, by default it only has local 
  10. Click on New IDP, which it will expand the form of IDP
  11. Input the name and ensure the status is enable (green)
  12. Ensure you are choosing the SAML for the identity provider setting
  13. Input Entity Issuer with name that will be used in Google Workspace later on
  14. Input SSO Issuer with the value of Entity ID that you can find in steps number 5
  15. Input SSO URL with he value of SSO URL that you can find in steps number 5
  16. Input email as a value in Username Attribute field
  17. Input email as a value in Email Attribute field
  18. Input CA TrustedCertificate field with Certificate that you can find in steps number 5
  19. The rest of Safous ZTNA SAML configuration please refer to here.
  20. Once you done with the configuration, click "Save"
  21. Once saved, you need to expand the IdP to get the Redirect URI

  22. Go back Google Workspace, then click Continue

  23. Fill value of ACS URL with the value from Redirect URI in step number 21
  24. Fill value of Entity ID with the value of Entity Issuer in step number 13
  25. Change the Name ID Format into "EMAIL"
  26. Click Continue

  27. Add Mapping in the Attribute

  28. For Google Directory Attribute, choose "Primary email"
  29.  For App attributetype "email"
  30. Click FINISH

  31. Once created, it will redirect you to the App page that you created, in User access click "Expand user access"
  32. It will redirect you to another page setting of App that you created, ensure to choose ON for everyone and then click "SAVE"
  33. If everything correctly configured, you can login to the user portal https://users.<xxxx> and check "With IdP", which you will see your SAML configuration