Enabling SAML SSO in Salesforce with G Suite as IdP

Abrupt as this may be, here is how to integrate G Suite and Salesforce using SAML.

Both G Suite and Salesforce ship with SAML single sign-on (SSO) support, and either side can take the role of the IdP (identity provider). I found the official documentation [Ref 1] not quite clear enough to set this up from, so this post walks through the procedure with screenshots.

Prerequisites

On the G Suite side:

  • A super administrator account

On the Salesforce side:

  • A user with the System Administrator profile
  • My Domain already set up (xxx.my.salesforce.com)

In this example, a G Suite organization created back in the free Google Apps Standard era is federated with a Salesforce Developer Edition org.

1. Get the G Suite IdP information

1-1. Go to https://admin.google.com/<DOMAIN>.com and log in.

(Screenshot: G Suite Admin console)

1-2. Go to Security -> Set up single sign-on (SSO).

(Screenshot: Set up single sign-on (SSO) page)

1-3. Click [Download Certificate] to download the IdP signing certificate, and [Download IdP Metadata] to download the metadata XML. This page also shows the SSO URL and Entity ID of the G Suite IdP; these are the values Salesforce needs in step 2-4.

1-4. Leave this page open and log in to Salesforce in another tab.

2. Enable SAML in Salesforce

2-1. In Setup, select Identity -> Single Sign-On Settings.

(Screenshot: Single Sign-On Settings)

2-2. Click [Edit], check [SAML Enabled], and click [Save].

2-3. Click [New from Metadata File] in the [SAML Single Sign-On Settings] section and upload the IdP metadata XML downloaded in step 1-3.

(Screenshot: SAML Single Sign-On Setting)

2-4. Enter the following. Only the Name and the Identity Provider Certificate have to be entered by hand; the other fields are already filled in from the uploaded metadata, so just check that they match the values shown on the G Suite SSO page in step 1-3:

| Field | What to enter | Example |
| --- | --- | --- |
| Name | Any label; it becomes the name of the authentication service and of the login button | G Suite |
| API Name | Auto-filled from Name | G_Suite |
| Issuer | The Entity ID of the G Suite IdP from step 1-3 | https://accounts.google.com/o/saml2?idpid=xxx |
| Entity ID | Your Salesforce org URL (My Domain) | https://mikan-dev-ed.my.salesforce.com |
| Identity Provider Certificate | The certificate downloaded in step 1-3 | |
| Request Signing Certificate | (default) | |
| Request Signature Method | (default) | RSA-SHA256 |
| Assertion Decryption Certificate | (default) | Assertion not encrypted |
| SAML Identity Type | (default) | |
| SAML Identity Location | (default) | Identity is in the NameIdentifier element of the Subject statement |
| Service Provider Initiated Request Binding | (default) | HTTP Redirect |
| Identity Provider Login URL | The SSO URL from step 1-3 | |
| Custom Logout URL, Custom Error URL | (leave empty) | |
| Remaining fields | (default) | |

Note: with the default SAML Identity Type, Salesforce matches the NameID in the assertion against the user's Salesforce username, and the G Suite SAML app sends the user's primary email address as the NameID by default. Each G Suite user's primary email therefore has to equal their Salesforce username, or the login will fail even though SSO is configured correctly.

2-5. Click [Save]; the saved configuration is displayed. Leave this tab open, because the values in the Endpoints section at the bottom are needed in step 3-6.

3. Configure G Suite as the IdP (add the Salesforce SAML app)

3-1. Go back to the Admin console home page and select [Apps].

(Screenshot: Apps settings)

3-2. Select [SAML apps].

(Screenshot: Apps > SAML apps)

3-3. Select [Add a service/App to your domain], or click the + button at the lower right.

(Screenshot: Enable SSO for SAML applications)

3-4. Select [Salesforce]. The wizard shows the same IdP information (SSO URL, Entity ID, certificate) as in step 1-3; confirm it and select Next.

3-5. The application name is pre-filled as Salesforce and the application ID as salesforce. Select Next.

3-6. Enter the Service Provider Details as follows:

| Field | What to enter | Example |
| --- | --- | --- |
| ACS URL | The Login URL from the Endpoints section in step 2-5 | https://mikan-dev-ed.my.salesforce.com?so=xxx |
| Entity ID | Your Salesforce org URL (My Domain) | https://mikan-dev-ed.my.salesforce.com |
| Start URL | Your Salesforce org URL (My Domain) | https://mikan-dev-ed.my.salesforce.com |
| Signed Response | Leave unchecked | |
| Name ID Format | UNSPECIFIED | |

3-7. Select Next to finish the wizard. The app is not enabled yet; click [OK] for now.

(Screenshot: Salesforce SSO settings)

3-8. Click the menu icon at the top right of the Salesforce settings panel and select [On for everyone]. If you have several organizational units and want to enable it per unit, choose [On for some organizations] instead.

(Screenshot: Apps > SAML apps > Salesforce settings)

4. Enable the authentication service in Salesforce

4-1. In Setup, select [Company Settings] -> [My Domain].

4-2. In the Authentication Configuration section at the bottom, click [Edit] (this opens in Salesforce Classic).

(Screenshot: Authentication Configuration)

4-3. [G Suite] (the name set in step 2-4) now appears under Authentication Service. Check it and save.

Log in!

Open your Salesforce org's login page (https://mikan-dev-ed.my.salesforce.com/ in this example)...

(Screenshot: Login screen)

An “Or log in using:” section now appears with a [G Suite] button (the name set in step 2-4). Clicking it takes you to Google's sign-in screen.
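If the login bounces back to Salesforce with an error, the quickest diagnosis is to decode the SAMLResponse that Google POSTs to the ACS URL (visible in the browser's developer tools, or pasted into the SAML Assertion Validator on the Single Sign-On Settings page) and compare it with what was typed into the two tables above. The following is an added example (Python, not from this article nor from Google or Salesforce) that does this comparison. SP_CONFIG uses the article's example values, and the response is a constructed, unsigned sample; the check is about field consistency only and does not verify the XML signature, which Salesforce does with the uploaded certificate.

```python
"""Check a SAMLResponse from G Suite against the service-provider values
entered in step 2-4 (Issuer) and step 3-6 (ACS URL, Entity ID), and pull
out the NameID that Salesforce will try to match to a username.
Added example; not code from the original article.  No signature check.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The article's example values ("xxx" placeholders kept as in the article).
SP_CONFIG = {
    "acs_url": "https://mikan-dev-ed.my.salesforce.com?so=xxx",     # step 3-6 ACS URL
    "entity_id": "https://mikan-dev-ed.my.salesforce.com",          # step 3-6 Entity ID
    "idp_issuer": "https://accounts.google.com/o/saml2?idpid=xxx",  # step 2-4 Issuer
}

# Constructed sample response (no Signature element), as Google would POST it.
SAMPLE_RESPONSE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://mikan-dev-ed.my.salesforce.com?so=xxx"
    ID="_r1" IssueInstant="2020-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=xxx</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2020-01-01T00:00:00Z" Version="2.0">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=xxx</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-01-01T00:05:00Z"
            Recipient="https://mikan-dev-ed.my.salesforce.com?so=xxx"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://mikan-dev-ed.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(saml_response_b64, sp, now):
    """Return {"name_id": ..., "problems": [...]}; an empty problems list means
    the response is consistent with the SP configuration at time `now`."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")

    dest = root.get("Destination")
    if dest is not None and dest != sp["acs_url"]:
        problems.append("Destination %r != ACS URL %r" % (dest, sp["acs_url"]))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (Salesforce was set to 'Assertion not encrypted')")
        return {"name_id": None, "problems": problems}

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != sp["idp_issuer"]:
        problems.append("Issuer %r != Salesforce Issuer field %r" % (issuer, sp["idp_issuer"]))

    # Audience must be the Entity ID typed into the G Suite app (step 3-6).
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if sp["entity_id"] not in audiences:
        problems.append("Audience %r does not include Entity ID %r" % (audiences, sp["entity_id"]))

    # Recipient must be the ACS URL typed into the G Suite app (step 3-6).
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != sp["acs_url"]:
        problems.append("Recipient %r != ACS URL %r" % (recipient, sp["acs_url"]))

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid (clock skew between IdP and SP?)")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"name_id": name_id, "problems": problems}


if __name__ == "__main__":
    result = check_saml_response(SAMPLE_RESPONSE_B64, SP_CONFIG, _ts("2020-01-01T00:01:00Z"))
    print("NameID (must equal the Salesforce username):", result["name_id"])
    print("Problems:", result["problems"] or "none")
```

A mismatch in Audience or Recipient points at the 3-6 table, a mismatch in Issuer at the 2-4 table, and a NameID that is not a Salesforce username means the G Suite primary email and the Salesforce username differ for that user.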

Did you get in? Congratulations :tada: Once this works, you can also set up user provisioning [Ref 2], so that users created or changed in G Suite are reflected in Salesforce. Keep an eye on licenses (user counts) on both sides, but at any reasonable scale this is essential for efficient operations, so consider it.

References

  1. Salesforce cloud application - G Suite Administrator Help
  2. Set up Salesforce user provisioning - G Suite Administrator Help (https://support.google.com/a/answer/6294811)