---
title: "SAML SSO with Google for your Knowledge base"
slug: "google-sso-saml-configuration"
description: "Configure Google as an IdP for your Single sign on SAML standard in your documentation site. When your reader log into google, they don't need to login again to Document360 "
tags: ["SAML"]
updated: 2026-03-27T11:39:10Z
published: 2026-03-28T09:30:03Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.document360.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML SSO with Google

Log in to your Document360 account and select the project for which you wish to configure **Google SAML Single Sign-On** with your **Google Workspace** account. Next, log in to your Google Workspace account. If you don’t have a Google Workspace account, you can create one at [https://workspace.google.com/.](https://workspace.google.com/.) Once you have logged in to your Google workplace account, navigate to the admin console using the **Admin** button at the top right. Please note that only users with **Owner** or **Admin**as **Project role** can configure SSO in Document360.

> [!TIP]
> ** PRO TIP
> 
> It is recommended to open **Document360**and **Google Workspace** in two separate tabs/browser windows, since configuring SSO in Document360 will require you to switch between Okta and Document360 multiple times.

---

## Adding a custom SAML app on Google

1. On the admin console home page, click on the **Apps** option and select the **SAML apps** option.
2. Click on **Add app** and in the dropdown, select **Add custom SAML app.**
3. In the **App details**, enter any name for your app and click on **Continue.**
4. Next, you will find the **SSO URL, Entity ID details**, and the **Certificate.**
5. Make a note of these details, since you will need them while accessing the **Configure the Identity Provider (IdP)**page on Document360.
6. In the Certificate section, click on the Download icon to save the certificate (.pem format) in your computer's local storage.
7. You will have to upload this certificate later in the **Configure the Identity Provider (IdP)**page in Document360.

![41_Screenshot-Google-user-access-service-status](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/41_Screenshot-Google-user-access-service-status.jpg)

1. In **User access**, the **Service status** will by default be **OFF for everyone**. You must manually change it to **ON for everyone** to work.

![42_Screenshot-Google-user-access-changing-service-status](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/42_Screenshot-Google-user-access-changing-service-status.jpg)

After configuring it on the Google side, here's how your SAML app would look.

![44-Screenshot_Replace_file_Google_SSO_SAML](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/44-Screenshot_Replace_file_Google_SSO_SAML.jpg)

---

## Service Provider configuration

To configure Single Sign-On (SSO), you need **Service Provider (SP)** details such as ACS URL and entity ID. These details will be available in the **Create SSO**panel on **Document360**. To navigate to the **Create SSO** panel,

1. Go to **Settings** > **Users & permissions > SSO Configuration.**
2. Click the **Create SSO** button.

![Settings menu showing SSO configuration options and a button to create SSO.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/create sso(6).png)

1. In the **Choose your Identity Provider (IdP)** page, select **Google** as the identity provider.

![SSO configuration options with identity providers like Google and Okta displayed on the screen.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/okta eu(2).png)

1. Next, from the **Configure the Service Provider (SP)** page, copy the following parameters.

| Google custom SAML app | Document360 SSO SAML settings |
| --- | --- |
| ACS URL | Callback path |
| Entity ID | Service provider entity Id |

![Configuration settings for Google Identity with highlighted callback paths and service provider ID.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/sp(7).png)

1. Switch to the **Google workspace tab**and paste the parameters onto the Google custom SAML app page.
2. In **Name ID format** select **EMAIL** from the dropdown
3. In **Name ID** select **Basic Information > Primary email**
4. Click on the **Continue** button

### Attributes

1. Add and select user fields in Google Directory, then map them to service provider attributes. Add the following attributes.

| Google Directory attributes | App attributes |
| --- | --- |
| Primary email | name |
| Primary email | email |
| Primary email | urn:oasis:names:tc:SAML:2.0:nameid |

1. Click on the **Add Mapping** button each time you add an attribute, and when you're done, click on the **Finish** button.

---

## Configure the Identity Provider (IdP)

1. Switch back to the Document360 panel, to the **Configure the Service Provider (SP)** page, and click **Next**to navigate to the **Configure the Identity Provider (IdP)** page.
2. The**Configure an existing connection** field allows you to inherit an SSO configuration that has already been created. By selecting this option, the current SSO configuration will be set as the child and no changes can be made to it.

> [!NOTE]
> ******NOTE
> 
> For more information on Inheritance, go to[Inherit from another application](/help/docs/google-sso-saml-configuration#inherit-from-another-application).

1. In the **Configure the Identity Provider (IdP)**page, add the information you had noted down earlier from the **Google custom SAML app** page.

| Document360 SSO settings | Info from Google custom SAML app |
| --- | --- |
| Sign on URL | SSO URL |
| Entity id | Entity ID |
| SAML Certificate | Certificate (Upload the recent .pem file you downloaded from Google) |

1. Next, turn on/off the **Allow IdP initiated sign in** toggle as per your project requirements.

![Configuration settings for Single Sign-On, highlighting Identity Provider and SAML certificate options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/idp(8).png)

1. Once done, click the **Next**button to navigate to the **SCIM provisioning** page.

### SCIM provisioning

SCIM provisioning is not supported when Google is configured as your Identity Provider (IdP) in Document360.

![SCIM provisioning settings for Google IdP with a warning about unsupported features.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/scim not support.png)

This limitation applies in two scenarios:

- When setting up a new Google IdP configuration.
- When you have inherited an existing SSO configuration that uses Google as the IdP.

Click **Next**to navigate to **More settings**.

### More settings

1. In the **More settings** page, enter the desired name for the SSO configuration in the **SSO name**field.
2. Enter the text you would like to show users for the login button in the **Customize login button** text.
3. Toggle on/off the **Auto assign reader group**and **Sign out idle SSO user**toggles based on your requirements.
4. Invite all your users or selected users using the **Convert existing user and reader accounts to SSO** radio buttons.

![Settings for creating a new SSO with highlighted fields for customization.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/more settings(6).png)

1. Click **Create**to complete the SSO configuration setup.

The **SSO configuration based on the SAML** protocol will be configured using **Google**successfully.

---

## Inherit from another application

When creating a new SSO configuration in Document360, you can inherit SCIM settings from an existing SSO connection. This approach simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.

### Inherited SSO configuration

- On the **Configure Identity Provider (IdP)** page, select the **Configure an existing connection** field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option will designate the current project as the child project, inheriting all relevant properties from the parent.

![Configuration settings for Identity Provider with selected connection details displayed prominently.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/inherit(2).png)

> [!NOTE]
> **** NOTE**
> 
> Once the SSO configuration is created, the settings will be inherited from the parent application and cannot be modified in the child application.

- Since SCIM provisioning does not support Google IdP configurations, SCIM settings from the parent project cannot be inherited.

![SCIM provisioning warning for Google IdP in SSO configuration settings.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/scim not support(1).png)

While the other SSO configuration settings are inherited from the parent project, SCIM settings alone cannot be inherited.

---

## Managing Users in Google IdP

![Overview of reader management settings, highlighting user accounts and permissions synchronization.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/readers.png)

To view the readers added through your custom app,

1. Go to Document360 and navigate to **Settings**> **Users & permissions** > **Readers & groups**.
2. Select the reader to navigate to their reader profile.

Readers provisioned via SCIM will display an**SSO-SCIM** badge next to their name.

> [!NOTE]
> ******NOTE
> 
> When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync. You can
> 
> only manage the content access from Document360.

#### Manage content access of Readers, Users and Groups

The default content role assigned to any new user, reader, or group is based on what was configured during SCIM provisioning setup. Permissions will be set to **None**by default but can be updated at any time.

1. To manage content access, select the desired reader and click **Manage Content Access**.
2. Choose the desired access level from the dropdown and click **Update**.

![Editing reader account settings, including content access and associated groups options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/manage.png)

> [!NOTE]
> ******NOTE
> 
> You can also manage groups for a reader by clicking Manage groups under the Reader Group section.

Security Assertion Markup Language (SAML) is a widely used Single Sign-On (SSO) standard that enables secure authentication and authorization by allowing users to log in to multiple applications with a single set of credentials.

## Related

- [SAML SSO with Entra](/saml-sso-with-entra.md)