SAML SSO with Google


Plans supporting this feature: Enterprise

Log in to your Document360 account and select the project for which you wish to configure Google SAML Single Sign-On with your Google Workspace account. Next, log in to your Google Workspace account. If you don’t have a Google Workspace account, you can create one at https://workspace.google.com/. Once you have logged in to your Google Workspace account, navigate to the admin console using the Admin button at the top right. Please note that only users with the Owner or Admin project role can configure SSO in Document360.

PRO TIP

It is recommended to open Document360 and Google Workspace in two separate tabs/browser windows, since configuring SSO in Document360 will require you to switch between Google Workspace and Document360 multiple times.


Adding a custom SAML app on Google

  1. On the admin console home page, click on the Apps option and select the SAML apps option.

  2. Click on Add app and in the dropdown, select Add custom SAML app.

  3. In the App details, enter any name for your app and click on Continue.

  4. Next, you will find the SSO URL, Entity ID details, and the Certificate.

  5. Make a note of these details, since you will need them while accessing the Configure the Identity Provider (IdP) page on Document360.

  6. In the Certificate section, click on the Download icon to save the certificate (.pem format) in your computer's local storage.

  7. You will have to upload this certificate later in the Configure the Identity Provider (IdP) page in Document360.


  8. In User access, the Service status is OFF for everyone by default. You must manually change it to ON for everyone for the app to work.


After configuring it on the Google side, here's how your SAML app would look.



Service Provider configuration

To configure Single Sign-On (SSO), you need Service Provider (SP) details such as ACS URL and entity ID. These details will be available in the Create SSO panel on Document360. To navigate to the Create SSO panel,

  1. Go to Settings > Users & permissions > SSO Configuration.

  2. Click the Create SSO button.

Settings menu showing SSO configuration options and a button to create SSO.

  3. In the Choose your Identity Provider (IdP) page, select Google as the identity provider.

SSO configuration options with identity providers like Google and Okta displayed on the screen.

  4. Next, from the Configure the Service Provider (SP) page, copy the following parameters.

| Google custom SAML app | Document360 SSO SAML settings |
| --- | --- |
| ACS URL | Callback path |
| Entity ID | Service provider entity Id |

Configuration settings for Google Identity with highlighted callback paths and service provider ID.

  5. Switch to the Google Workspace tab and paste the parameters onto the Google custom SAML app page.

  6. In Name ID format, select EMAIL from the dropdown.

  7. In Name ID, select Basic Information > Primary email.

  8. Click on the Continue button.

Attributes

  1. Add and select user fields in Google Directory, then map them to service provider attributes. Add the following attributes.

| Google Directory attributes | App attributes |
| --- | --- |
| Primary email | name |
| Primary email | email |
| Primary email | urn:oasis:names:tc:SAML:2.0:nameid |

  2. Click on the Add Mapping button each time you add an attribute, and when you're done, click on the Finish button.
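One way to confirm the Name ID and attribute mapping above after a test login, as an added example (not Document360 or Google code): it checks a decoded SAML assertion for the NameID format and the three mapped attributes. The sample assertion is constructed, the emailAddress format URN is assumed to be what the EMAIL option emits, and the check covers mapping only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard SAML emailAddress format URN; assumed to be what the EMAIL option emits.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# App attribute names from the mapping table above, all fed by Primary email.
REQUIRED_ATTRS = ("name", "email", "urn:oasis:names:tc:SAML:2.0:nameid")

# Constructed sample assertion (not captured from a real tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:2.0:nameid"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of mapping problems; an empty list means the mapping matches."""
    root = ET.fromstring(xml_text)  # works on a bare Assertion or a full Response
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return ["missing NameID"]
    subject = name_id.text.strip().lower()
    problems = []
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip().lower() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    for required in REQUIRED_ATTRS:
        values = attrs.get(required)
        if not values:
            problems.append(f"missing attribute: {required}")
        elif values != [subject]:  # every mapped attribute should equal Primary email
            problems.append(f"{required} does not match NameID")
    return problems
```
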


Configure the Identity Provider (IdP)

  1. Switch back to the Document360 panel, to the Configure the Service Provider (SP) page, and click Next to navigate to the Configure the Identity Provider (IdP) page.

  2. The Configure an existing connection field allows you to inherit an SSO configuration that has already been created. By selecting this option, the current SSO configuration will be set as the child and no changes can be made to it.

 NOTE

For more information on Inheritance, go to Inherit from another application.

  3. In the Configure the Identity Provider (IdP) page, add the information you had noted down earlier from the Google custom SAML app page.

| Document360 SSO settings | Info from Google custom SAML app |
| --- | --- |
| Sign on URL | SSO URL |
| Entity id | Entity ID |
| SAML Certificate | Certificate (Upload the recent .pem file you downloaded from Google) |

  4. Next, turn on/off the Allow IdP initiated sign in toggle as per your project requirements.

Configuration settings for Single Sign-On, highlighting Identity Provider and SAML certificate options.

  5. Once done, click the Next button to navigate to the SCIM provisioning page.

SCIM provisioning

SCIM provisioning is not supported when Google is configured as your Identity Provider (IdP) in Document360.

SCIM provisioning settings for Google IdP with a warning about unsupported features.

This limitation applies in two scenarios:

  • When setting up a new Google IdP configuration.

  • When you have inherited an existing SSO configuration that uses Google as the IdP.

Click Next to navigate to More settings.

More settings

  1. In the More settings page, enter the desired name for the SSO configuration in the SSO name field.

  2. Enter the text you would like to show users for the login button in the Customize login button text.

  3. Toggle on/off the Auto assign reader group and Sign out idle SSO user toggles based on your requirements.

  4. Invite all your users or selected users using the Convert existing user and reader accounts to SSO radio buttons.

Settings for creating a new SSO with highlighted fields for customization.

  5. Click Create to complete the SSO configuration setup.

The SAML-based SSO configuration using Google is now set up.


Inherit from another application

When creating a new SSO configuration in Document360, you can inherit SCIM settings from an existing SSO connection. This approach simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.

Inherited SSO configuration

  • On the Configure Identity Provider (IdP) page, select the Configure an existing connection field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option will designate the current project as the child project, inheriting all relevant properties from the parent.

Configuration settings for Identity Provider with selected connection details displayed prominently.

 NOTE

Once the SSO configuration is created, the settings will be inherited from the parent application and cannot be modified in the child application.

  • Since SCIM provisioning does not support Google IdP configurations, SCIM settings from the parent project cannot be inherited.

SCIM provisioning warning for Google IdP in SSO configuration settings.

While the other SSO configuration settings are inherited from the parent project, SCIM settings alone cannot be inherited.


Managing Users in Google IdP

Overview of reader management settings, highlighting user accounts and permissions synchronization.

To view the readers added through your custom app,

  1. Go to Document360 and navigate to Settings > Users & permissions > Readers & groups.

  2. Select the reader to navigate to their reader profile.

Readers provisioned via SCIM will display an SSO-SCIM badge next to their name.

 NOTE

When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync. You can only manage the content access from Document360.

Manage content access of Readers, Users and Groups

The default content role assigned to any new user, reader, or group is based on what was configured during SCIM provisioning setup. Permissions will be set to None by default but can be updated at any time.

  1. To manage content access, select the desired reader and click Manage Content Access.

  2. Choose the desired access level from the dropdown and click Update.

Editing reader account settings, including content access and associated groups options.

 NOTE

You can also manage groups for a reader by clicking Manage groups under the Reader Group section.