Google Workspace SSO Setup
This guide walks through configuring SAML 2.0 single sign-on between Google Workspace and SyVault. You will need Google Workspace super admin access and SyVault Owner or Admin privileges.
Prerequisites
- SyVault organization on a Business or Enterprise plan
- Google Workspace account with super admin privileges
- Your SyVault organization slug (found in Admin Console > Settings)
Step 1: Create a Custom SAML Application
- Sign in to the Google Admin Console at admin.google.com.
- Navigate to Apps > Web and mobile apps.
- Click Add app > Add custom SAML app.
- Enter SyVault as the app name and optionally upload a logo.
- Click Continue.
Step 2: Download Google IdP Metadata
On the Google Identity Provider details page, you will see:
- SSO URL -- the Google SAML endpoint
- Entity ID -- Google's issuer identifier
- Certificate -- the X.509 signing certificate
Click Download Metadata to save the IdP metadata XML file. You will upload this to SyVault in Step 4. Click Continue.
Save the metadata XML file in a secure location. You will need it again if you ever need to reconfigure the SyVault side of the integration.
Step 3: Configure Service Provider Details
On the Service Provider Details page, enter:
| Field | Value |
|---|---|
| ACS URL | https://api.syvault.com/api/auth/saml/acs |
| Entity ID | syvault:<your-org-slug> (e.g., syvault:acme-corp) |
| Start URL | https://vault.syvault.com/login?sso=<your-org-slug> |
| Signed Response | Checked |
| Name ID Format | EMAIL |
| Name ID | Basic Information > Primary email |
Click Continue.
Step 4: Configure Attribute Mapping
Add the following attribute mappings:
| Google Directory Attribute | App Attribute |
|---|---|
| Primary email | email |
| First name | firstName |
| Last name | lastName |
Click Finish to create the application.
Step 5: Enable the Application for Users
By default, the new SAML app is OFF for everyone. You need to turn it on:
- On the SyVault app page in Google Admin, click User access.
- Select ON for everyone to enable it for all users, or select an organizational unit to enable it only for specific groups.
- Click Save.
Changes to app access in Google Workspace can take up to 24 hours to propagate, though they typically take effect within minutes. Wait at least 15 minutes before testing if access was just enabled.
Step 6: Configure SyVault
- Open the SyVault Admin Console > SSO & SCIM > SAML SSO.
- Upload the IdP metadata XML file downloaded in Step 2.
- SyVault will extract the SSO URL, Entity ID, and X.509 certificate.
- Verify the extracted values and click Save Configuration.
Step 7: Test SSO Login
- In SyVault Admin Console, click Test Connection to perform a live SAML flow.
- Open an incognito browser window, navigate to the SyVault login page, click Login with SSO, and enter your organization slug.
- You should be redirected to Google's login page. Authenticate with your Google Workspace credentials.
- After successful authentication, you are returned to SyVault and prompted for your master password.
Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| "App is not configured for this user" | App not enabled for the user's OU | Enable the app for the correct organizational unit in Google Admin |
| "Invalid audience" | Entity ID mismatch | Verify the Entity ID in Google matches syvault:<org-slug> |
| "Signature validation failed" | Certificate mismatch | Re-download the metadata XML and re-upload to SyVault |
| 403 Forbidden after Google login | User not a SyVault member | Invite the user to SyVault or enable SCIM |
| Blank page after redirect | ACS URL wrong | Verify the ACS URL is exactly https://api.syvault.com/api/auth/saml/acs |
Google Workspace does not natively support SCIM provisioning for custom SAML apps. For automated user lifecycle management, consider using Google's Directory API with a middleware connector, or manage SyVault membership manually.
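As an added example that is not part of this guide or SyVault's own code: a Python script that pulls the SSO URL, Entity ID and signing certificate out of the Google IdP metadata XML the way Step 6 describes, then checks the SP-side values from Step 3 against the causes listed in the troubleshooting table. The metadata sample is constructed, with placeholder idpid and certificate values.

```python
import xml.etree.ElementTree as ET  # use defusedxml for files from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_URL = "https://api.syvault.com/api/auth/saml/acs"  # from Step 3

# Constructed sample shaped like a Google IdP metadata download; the idpid
# and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=CPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
        MIIC_PLACEHOLDER_CERT_BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=CPLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the values Step 6 extracts (SSO URL, Entity ID, certificate) plus Name ID formats."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file is not IdP metadata")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None or not cert.text:
        raise ValueError("missing HTTP-Redirect SSO URL or signing certificate")
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"),
            "certificate": "".join(cert.text.split()),  # drop the line breaks inside the base64 blob
            "name_id_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)]}

def check_sp_values(meta, org_slug, sp_entity_id, acs_url):
    """Return problems, each naming the troubleshooting row it produces; empty list means OK."""
    problems = []
    if sp_entity_id != f"syvault:{org_slug}":
        problems.append("Entity ID mismatch -> 'Invalid audience'")
    if acs_url != ACS_URL:
        problems.append("ACS URL wrong -> 'Blank page after redirect'")
    if not meta["sso_url"].startswith("https://"):
        problems.append("IdP SSO URL is not https")
    if EMAIL_FMT not in meta["name_id_formats"]:
        problems.append("IdP does not advertise the emailAddress Name ID format required in Step 3")
    return problems
```

Run `check_sp_values(parse_idp_metadata(open("GoogleIDPMetadata.xml").read()), "acme-corp", "syvault:acme-corp", ACS_URL)` against a real download; an empty list means the Step 3 values match what the table expects.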