SAML SSO with Google

Google Workspace is an Identity Provider (IdP) that allows users to sign in to multiple applications using their Google credentials. With SAML SSO configured between Google Workspace and Document360, your team members and readers can access Document360 without needing a separate password.

NOTE

Only users with the Owner or Admin project role can configure SSO in Document360.

What you can do with Google Workspace as your IdP

Capability | Supported
User (portal) authentication | Yes
Reader (knowledge base site) authentication | Yes
IdP-initiated sign-in | Yes
SCIM provisioning | No
SSO configuration inheritance (parent-child projects) | Yes (SSO settings only, not SCIM)

NOTE

SCIM provisioning is not supported when Google Workspace is configured as your Identity Provider. User and reader management must be handled manually in Document360.


Before you begin

  • You have an active Google Workspace account with administrator access. If you need to create one, sign up at workspace.google.com.
  • You have Owner or Admin access in your Document360 project.
  • Open Document360 and Google Workspace in two separate browser tabs. You will need to switch between them multiple times during setup.

Step 1: Create a custom SAML app in Google Workspace

Add a custom SAML app

  1. On the Google Workspace admin console home page, click Apps and select SAML apps.
  2. Click Add app and in the dropdown, select Add custom SAML app.
  3. In App details, enter a name for your app and click Continue.

Note down the IdP details and download the certificate

  1. On the next page, you will find the SSO URL, Entity ID, and the Certificate. Make a note of these details — you will need them when configuring the Identity Provider in Document360.
  2. In the Certificate section, click the download icon to save the certificate in .pem format to your local storage. You will upload this certificate later in Document360.

Enable the app for users

  1. In User access, the Service status is set to OFF for everyone by default.
  2. Change it to ON for everyone to allow users to authenticate using this app.

After completing the Google-side configuration, your SAML app will look like the following.

[Screenshot: Google SSO SAML app]

Step 2: Configure SAML in Google Workspace using Document360 parameters

Get the Service Provider parameters from Document360

  1. In Document360, navigate to Settings > Users & permissions > SSO Configuration.
  2. Click Create SSO.
     [Screenshot: Settings menu showing SSO configuration options and a button to create SSO.]
  3. In the Choose your Identity Provider (IdP) page, select Google as the identity provider.
     [Screenshot: SSO configuration options with identity providers like Google and Okta displayed on the screen.]
  4. From the Configure the Service Provider (SP) page, copy the following parameters.
     [Screenshot: Configuration settings for Google Identity with highlighted callback paths and service provider ID.]

Enter the Document360 parameters in Google Workspace

  1. Switch to the Google Workspace tab and paste the Document360 parameters into the Google custom SAML app using the mapping below.

     Google custom SAML app | Document360
     ACS URL | Callback path
     Entity ID | Service provider entity ID

  2. In Name ID format, select EMAIL from the dropdown.
  3. In Name ID, select Basic Information > Primary email.
  4. Click Continue.

Add attribute mappings in Google Workspace

  1. Add and select user fields in Google Directory, then map them to service provider attributes using the table below.

     Google Directory attributes | App attributes
     Primary email | name
     Primary email | email
     Primary email | urn:oasis:names:tc:SAML:2.0:nameid

  2. Click Add Mapping each time you add an attribute.
  3. When done, click Finish.
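
To confirm that the ACS URL, Entity ID, Name ID and attribute mappings from this step reach the service provider as configured, you can decode a SAMLResponse captured from a test sign-in and compare it with the tables above. The following Python check is an added example, not Document360 or Google code; the ACS URL, entity ID, user and sample response are constructed placeholders, and it does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# App attribute names from the attribute mapping table in this step.
REQUIRED_ATTRS = ("name", "email", "urn:oasis:names:tc:SAML:2.0:nameid")

def check_response(b64_response, acs_url, sp_entity_id):
    """List mismatches between a SAMLResponse and the documented mapping.
    Troubleshooting aid only: it does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination != Callback path (ACS URL)")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    if audience.strip() != sp_entity_id:
        problems.append("Audience != Service provider entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or its format is not EMAIL")
    email = (name_id.text or "").strip() if name_id is not None else ""
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"missing attribute: {name}")
        elif attrs[name] != email:
            problems.append(f"attribute {name} is not the primary email")
    return problems

# Constructed placeholders and an unsigned sample response, not real Document360 or Google values.
ACS, SP_ID = "https://sp.example.test/saml/callback", "https://sp.example.test/saml"
USER = "alice@example.test"

def sample_response(attr_values, name_id_format=EMAIL_FORMAT):
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                    "</saml:AttributeValue></saml:Attribute>" for n, v in attr_values.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{ACS}"><saml:Assertion><saml:Subject><saml:NameID '
           f'Format="{name_id_format}">{USER}</saml:NameID></saml:Subject><saml:Conditions>'
           f"<saml:AudienceRestriction><saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction>"
           f"</saml:Conditions><saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_response(sample_response(dict.fromkeys(REQUIRED_ATTRS, USER)), ACS, SP_ID))
```

An empty list means the response matches the mapping; each string in a non-empty list names the setting to recheck in the Google custom SAML app.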

Step 3: Complete the SSO configuration in Document360

Configure the Identity Provider in Document360

  1. Switch back to Document360 on the Configure the Service Provider (SP) page and click Next to navigate to the Configure the Identity Provider (IdP) page.
  2. The Configure an existing connection field lets you inherit an SSO configuration that has already been created. If you select this option, the current SSO configuration is set as the child and no changes can be made to it. For details, see Inherit from another application.

NOTE

Once the SSO configuration is created with an inherited connection, the settings are inherited from the parent application and cannot be modified in the child application. SCIM settings cannot be inherited when Google is the IdP, even if the parent configuration has SCIM enabled.

  3. In the Configure the Identity Provider (IdP) page, add the information you noted from the Google custom SAML app page using the mapping below.

     Document360 | Google custom SAML app
     Sign on URL | SSO URL
     Entity ID | Entity ID
     SAML certificate | Certificate (upload the .pem file downloaded from Google)

  4. Turn the Allow IdP initiated sign in toggle on or off based on your project requirements.
     [Screenshot: Configuration settings for Single Sign-On, highlighting Identity Provider and SAML certificate options.]
  5. Click Next to navigate to the SCIM provisioning page.

SCIM provisioning page

SCIM provisioning is not supported when Google is configured as your Identity Provider (IdP) in Document360.

[Screenshot: SCIM provisioning settings for Google IdP with a warning about unsupported features.]

This limitation applies in two scenarios:

  • When setting up a new Google IdP configuration.
  • When you have inherited an existing SSO configuration that uses Google as the IdP.

Click Next to navigate to More settings.


Step 4: More settings

Configure SSO name and login options

  1. In the SSO name field, enter a name for the SSO configuration.
  2. In Customize login button, enter the text you want displayed on the login button shown to users.
  3. Auto assign reader group — this option is only available for existing SSO configurations. For newly created SSO configurations, this toggle will not be displayed as SCIM automatically provisions users and groups. Learn more about Auto assign reader group.
  4. Choose whether to invite all users or selected users using the Convert existing user and reader accounts to SSO radio buttons.
     [Screenshot: Settings for creating a new SSO with highlighted fields for customization.]
  5. Click Create to complete the SSO configuration setup.

The SAML-based SSO configuration with Google Workspace is now set up.


Inherit from another application

When creating a new SSO configuration in Document360, you can inherit settings from an existing SSO connection. This simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.

On the Configure Identity Provider (IdP) page, select the Configure an existing connection field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option designates the current project as the child project, inheriting all relevant properties from the parent.

[Screenshot: Configuration settings for Identity Provider with selected connection details displayed prominently.]

NOTE

Once the SSO configuration is created, the settings will be inherited from the parent application and cannot be modified in the child application.

Since SCIM provisioning does not support Google IdP configurations, SCIM settings from the parent project cannot be inherited.

[Screenshot: SCIM provisioning warning for Google IdP in SSO configuration settings.]

While other SSO configuration settings are inherited from the parent project, SCIM settings alone cannot be inherited.


Managing users in Google IdP

Since SCIM is not supported for Google IdP, users and readers must be managed manually in Document360.

To view readers added through your Google SAML app:

  1. In Document360, navigate to Settings > Users & permissions > Readers & groups.
  2. Select a reader to navigate to their reader profile.

[Screenshot: Overview of reader management settings, highlighting user accounts and permissions synchronization.]

Readers provisioned via SCIM will display an SSO-SCIM badge next to their name.

NOTE

When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync. You can only manage content access from Document360.

Manage content access of readers, users, and groups

The default content role assigned to any new user, reader, or group is based on what was configured during SCIM provisioning setup. Permissions will be set to None by default but can be updated at any time.

  1. Select the desired reader and click Manage Content Access.
  2. Choose the desired access level from the dropdown and click Update.
[Screenshot: Editing reader account settings, including content access and associated groups options.]

NOTE

You can also manage groups for a reader by clicking Manage groups under the Reader Group section.


Best practices

  • Enable the app for all users before testing SSO. The Google SAML app service status is OFF for everyone by default. Change it to ON for everyone before inviting users to log in with SSO.
  • Save the .pem certificate securely. Download and store the Google certificate before completing the configuration in Document360. You will not be prompted to download it again.
  • Use manual user management for Google IdP. Since SCIM is not supported, plan how you will add, update, and remove users in Document360 when using Google as your IdP.
  • Consider Okta or Entra if you need SCIM provisioning. If automated user lifecycle management is a requirement, configure SSO using Okta or Microsoft Entra as your identity provider instead.

FAQ

Why is SCIM provisioning not supported for Google IdP?

Document360's SCIM provisioning requires specific provisioning capabilities that Google Workspace does not support in the same way as Okta or Microsoft Entra. If you need automated user provisioning, consider configuring SSO using Okta or Microsoft Entra as your identity provider.

Can I inherit SCIM settings from a parent project when using Google as my IdP?

No. While other SSO configuration settings can be inherited from a parent project, SCIM settings cannot be inherited when Google is configured as the Identity Provider. This applies both to new configurations and to inherited configurations where the parent uses Google as the IdP.

What happens to existing Document360 users when I configure Google SSO?

Existing users are not automatically converted. During the More settings step, you can choose to invite all existing users or selected users to switch to SSO login. Users who are converted retain all their existing roles and permissions.