Enable SSO for Google Workspace

Overview

Enabling Single Sign-On (SSO) for Google Workspace allows organizations to authenticate users securely using a centralized identity provider (IdP) instead of managing multiple passwords. With SSO enabled, users can access Google Workspace services using their corporate credentials while administrators retain full control over authentication, access policies, and security enforcement.

Zaperon’s SSO integration with Google Workspace uses SAML 2.0, ensuring secure, standards-based authentication that scales across users, devices, and locations.

This setup helps organizations:

Reduce password fatigue and credential reuse.
Centralize authentication and access control.
Improve security posture with MFA and conditional access.
Simplify user onboarding and offboarding.
Maintain compliance with enterprise security requirements.

When Should You Enable Google Workspace SSO?

Enable SSO for Google Workspace if:

You want users to sign in using a single corporate identity.
You use Zaperon as your primary access and authentication layer.
You want to enforce MFA, device posture, or access policies before Google Workspace access.
You need centralized visibility and control over user authentication.

Prerequisites

Before enabling SSO, ensure the following:

Google Workspace Super Admin access.
Admin access to the Zaperon Admin Dashboard.
Users already created or provisioned in Zaperon.
Time synchronization enabled on both systems (to avoid SAML assertion errors).

Authentication Flow (How SSO Works)

A user attempts to access Google Workspace.
Google redirects the authentication request to Zaperon.
Zaperon verifies user identity, policies, and security posture.
Upon successful validation, the user is redirected back to Google Workspace.
Access is granted without requiring a separate Google password.

Steps to Enable SSO for Google Workspace

Note: The steps below remain unchanged and should be followed exactly as listed in your configuration guide.

A. Add Google Workspace (SSO) Application in Zaperon.

A.1 . In the Admin Dashboard, click Application >Add Application.

A.2. Click on Google Workspace from application catalog.

A.3. Enter details in SAML Settings and click Next.

A.4 . In Attribute Mapping tab, select in SAML Attribute Format value as Email Address and User Attribute value as Business Email for Name ID SAML Attribute and click Next. A new custom attribute can be created by clicking on Add Custom Attributes button.

A.5. In Event Tracking tab, click Add Resource to enable tracking of different events of applications. For more details on event tracking Refer to this section. and click Submit.

A.6 . In Single Sign-on Configuration popup will appear. Copy Sign-in URL, Sign-out URL and download certificate. These will be used later to configure admin console of Google Workspace. Follow instructions in section B.4.

A.7. You’ll see Google Workspace app has been added to application table.

B. Configure admin console of Google Workspace.

B.1. After logging to your Google Workspace admin console, go to Security >Authentication >SSO with Third-party IdP. Click Add SAML Profile to add Third-party SSO profile for your organization.

B.2. Enter SSO Profile name and click Save.

B.3 Then first copy ACS URL and paste in Single sign on (SSO) URL field and next copy IDP entity ID and paste in Issuer URL field of Zaperon admin console. Refer section A.3.

B.4 Enter IDP entity ID, then copy and paste Sign-in page URL & Sign-out page URL from section A.6. Also, upload certificate that was downloaded in section A.6. Click Save.

This will enable SSO for Google Workspace from Zaperon for the users in the organization. In case SSO is to be enabled only for few users, follow steps in section C.

C. Enable partial SSO in Google Workspace.

C.1. Go to Directory >Organizational Units and select Create organizational unit.

C.2. Enter name and description of the organizational unit and Click Create.

C.3. New Organizational Unit will appear in the list.

C.4. Go to Users and select users for whom you want to enable SSO. Change their organizational unit by clicking More options >Change organizational unit.

C.5. Select organizational unit in the popup and click Continue.

C.6. Confirm in the next popup by clicking Change.

C.7. Selected users have been assigned to the new organizational unit. You can check by clicking Users from selected organizational units and select the new organizational unit. You will see users added to this unit.

C.8. Go to Security >Authentication > SSO with third-party IdP. In the section Manage SSO profile assignments click MANAGE.

C.9. Select the new organizational unit from the menu and then select desired SSO Profile from the dropdown menu. Select option to have Google prompt for username and click Save.

Testing & Validation

After completing the configuration:

Test login with a non-admin user.
Verify both IDP-initiated and SP-initiated login flows.
Confirm successful access to Google Workspace apps.
Check authentication logs for validation events.

Always keep at least one admin account excluded from SSO enforcement for emergency access.

Manage Application

Once an application is added in Zaperon, you can manage it throughout its lifecycle without reconfiguring the integration.

Use the following options to update settings, control access, or remove the application when it is no longer required:

→ Refer to Edit an Application.

→ Refer to Enable application event tracking.

→ Refer to Delete an Application.

Summary

Zoho SSO allows organizations to authenticate users securely using Zoho credentials.

By enabling Zoho SSO, you centralize authentication, improve security, and simplify user access management.

This integration supports enterprise-grade authentication and helps ensure consistent login experiences across your organization.

Google Sites

Report abuse