# Set up SAML SSO with Google Workspace

> Learn how to set up enterprise connections in Hanko for customers using Google Workspace as SAML identity provider.

<div class="hidden">
  **Hanko Google Workspace SAML Integration Guide**:

  **About Hanko**:

  Hanko is a modern open source authentication solution and the fastest way to integrate passkeys, 2FA, SSO, and more, with full control over your data. Move between self-hosted and Hanko Cloud anytime. No lock-in. Just Auth how it should be: secure, user friendly, and fully yours.

  **What This Guide Covers**: This guide demonstrates how to configure Google Workspace as a SAML identity provider for your Hanko project, enabling secure single sign-on authentication for Google Workspace users.

  **Key Technologies**:

  * SAML 2.0
  * XML digital signatures
  * Google Workspace
  * Google Admin Console
  * SAML assertions

  **Prerequisites**:

  * Active Google Workspace account with admin privileges
  * Hanko Cloud project
  * Basic understanding of SAML authentication protocols
  * Ability to host XML metadata files publicly

  **Tasks You'll Complete**:

  * Create custom SAML application in Google Admin Console
  * Download and host SAML metadata XML file
  * Configure service provider details (ACS URL and Entity ID)
  * Set up attribute mapping for email addresses
  * Configure user access permissions
  * Create enterprise connection in Hanko Cloud
  * Test integration using IdP-initiated flow
</div>

## Prerequisites

You need your project's SAML Assertion Consumer Service (ACS) URL and the Service Provider (SP) Entity ID.

### Service Provider Entity ID

The SP Entity ID for your Hanko project is equal to the API URL of your project.

To find the API URL for your project:

1. Log in to [Hanko Cloud](https://cloud.hanko.io) and select your project.
2. Navigate to `Dashboard`.
3. Copy and save the `API URL`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/hanko-console-api-url.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=5d76691a6fee2398fad24d8a3a3d733b" alt="Obtain the API URL from the Hanko Cloud project dashboard" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/hanko-console-api-url.png" />
</Frame>

### Service Provider ACS URL

To find the Assertion Consumer Service (ACS) URL for your project:

1. Log in to [Hanko Cloud](https://cloud.hanko.io) and select your project.
2. Navigate to `Settings > Enterprise connections`.
3. Under `Enterprise connections` find the `Redirect URL` panel.
4. Copy and save the URL.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/hanko-console-acs-url.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=e1280846a811aba0f42ce36d9c446051" alt="Obtain the Assertion Consumer Service URL in the Hanko Cloud enterprise settings of a project" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/hanko-console-acs-url.png" />
</Frame>

## Create a Google Workspace application

1. Sign in to the [Google Admin Console](https://admin.google.com).
2. In the left sidebar select `Apps > Web and mobile apps`.
3. Toggle the `Add app` dropdown in the main view.
4. Click `Add custom SAML app`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-create-custom-saml-app.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=537c90ad493e2532107956d5b54e5623" alt="Create a custom SAML app in the Google Admin Console" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-create-custom-saml-app.png" />
</Frame>

5. Provide a name for your app.
6. Click `Continue`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-create-custom-saml-app-basic.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=c9e39b4a36fce0e2259fc8e8afa54cdd" alt="Create a custom SAML app in the Google Admin Console" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-create-custom-saml-app-basic.png" />
</Frame>

7. Click `Download Metadata`. You need to download and host this file publicly because Hanko requires access to the metadata file via URL. See [Hosting the SAML XML Metadata file](#hosting-the-saml-xml-metadata-file) for details.
8. Click `Continue`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-create-custom-saml-app-idp-details.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=3d3f9b456dc434b2b948e433257066d4" alt="Download SAML IdP Metadata XML for your application" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-create-custom-saml-app-idp-details.png" />
</Frame>

9. Under `ACS URL`, enter your ACS URL
   (see [Prerequisites - Service Provider ACS URL](#service-provider-acs-url)).
10. Under `Entity ID`, enter your project API URL
    (see [Prerequisites - Service Provider Entity ID](#service-provider-entity-id)).
11. Click `Continue`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-create-custom-saml-app-sp-details.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=aa672808d93a646ed0986ec011034fac" alt="Provide Service Provider details" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-create-custom-saml-app-sp-details.png" />
</Frame>

12. In the `Attributes` panel, click `Add Mapping`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-create-custom-saml-app-add-mapping.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=3eb3cd079d9025a07354873fa95437d3" alt="Provide Service Provider details" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-create-custom-saml-app-add-mapping.png" />
</Frame>

13. Provide the following mapping:

| Google Directory Attribute | App attribute                                                        |
| -------------------------- | -------------------------------------------------------------------- |
| `Primary email`            | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` |

14. Click `Finish`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-create-custom-saml-app-add-mapping-email.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=514e866703dd3b3dd869c4f24556c29d" alt="Create an attribute mapping for the email address" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-create-custom-saml-app-add-mapping-email.png" />
</Frame>

15. You should be redirected to your app's "dashboard". Click the `User access` panel.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-create-custom-saml-app-user-access.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=774489d2baddede67cefc56fb0a50b47" alt="Configure user access for your application" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-create-custom-saml-app-user-access.png" />
</Frame>

16. Set the `Service status` to `ON for everyone`.
17. Click `Save`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-create-custom-saml-app-user-access-2.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=b14352fd8ee965cab56553ae5a5ed501" alt="Configure user access for your application" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-create-custom-saml-app-user-access-2.png" />
</Frame>

## Hosting the SAML XML Metadata file

Google only provides SAML metadata as a downloadable XML file, but Hanko requires access to metadata files via URL rather than file upload. You must host the downloaded file on a publicly accessible web service (such as AWS S3, Cloudflare R2, or a public website) that Hanko can access.

## Configure an enterprise connection

1. Log in to [Hanko Cloud](https://cloud.hanko.io) and select your project.
2. Navigate to `Settings > Enterprise connections`.
3. Under `Connections`, click `New connection`.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/hanko-console-new-saml-connection.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=73aedc40e30ba0d16a2c930eb38b68f3" alt="Create a new enterprise connection in the Hanko Cloud project settings" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/hanko-console-new-saml-connection.png" />
</Frame>

4. In the modal that appears, provide the following data:
   * A `Name` for the connection.
   * A `Domain` for the connection. When users authenticate via SAML SSO, the domain of the email
     address provided as an identifier at the start of an authentication flow must match the domain configured here.
   * A `Metadata URL`. This is the URL of your [hosted SAML XML Metadata file](#hosting-the-saml-xml-metadata-file).
   * Select whether you want to skip email verification for this provider.
5. Click `Save` to create the connection.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/hanko-console-new-saml-connection-data.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=eeb6476cb7be828c32d3a7cc5d7f263a" alt="Provide name, domain, metadata URL and email verification requirement for a new enterprise connection" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/hanko-console-new-saml-connection-data.png" />
</Frame>

## Testing your integration

To test your integration via [IdP-initiated](/guides/enterprise-sso/introduction#identity-provider-initiated-sso)
flow:

1. Open one of the Google Workspace applications, e.g. Google Calendar.
2. Access the user's available applications in the top navigation.
3. Find your application and click the icon for your application.

<Frame>
  <img src="https://mintcdn.com/hanko/cVK-6eOfdnYqw67X/images/saml/google/google-test-idp-initiated.png?fit=max&auto=format&n=cVK-6eOfdnYqw67X&q=85&s=e2be02f43aa85be582ed22110ff24a5a" alt="Test identity provider initiated login via google workspace app (calendar)" width={500} style={{ borderRadius: "0.5rem" }} data-path="images/saml/google/google-test-idp-initiated.png" />
</Frame>
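
If the test login fails, the response Google posts to the ACS URL can be compared with the values configured in this guide. The following diagnostic is an added example, not Hanko's code; it assumes the standard SAML placement of the SP Entity ID in `Audience` and of the ACS URL in `Recipient`. Comparing the asserted email's domain with the connection `Domain` is a sanity check, since this guide states that rule only for the identifier entered at the start of a flow. The sample response and `sp.example.test` URLs are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

def make_response(audience, recipient, attr_name, email):
    """Constructed, unsigned SAMLResponse for the demo (not captured from Google)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{recipient}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{attr_name}">
      <saml:AttributeValue>{email}</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

def check_response(response_b64, entity_id, acs_url, domain):
    """List mismatches between a captured SAMLResponse and the values configured in
    this guide. Diagnostic only: no signature or validity-window verification."""
    xml = base64.b64decode(response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD or entity declaration in response; refusing to parse")
    assertion = ET.fromstring(xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no-plaintext-assertion"]
    findings = []
    audiences = [(a.text or "").strip() for a in assertion.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"audience-mismatch: got {audiences}")
    recipients = [d.get("Recipient") for d in
                  assertion.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        findings.append(f"recipient-mismatch: got {recipients}")
    emails = [(v.text or "").strip() for a in assertion.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == EMAIL_ATTR for v in a.findall("saml:AttributeValue", NS)]
    if not emails:
        findings.append("email-attribute-missing: check the attribute mapping")
    findings += [f"email-domain-mismatch: {e}" for e in emails
                 if e.rpartition("@")[2].lower() != domain.lower()]
    return findings
```

The input is the base64 `SAMLResponse` form field from the POST to your ACS URL, visible in the browser's network inspector during the test login.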
