> For the complete documentation index, see [llms.txt](https://docs.screendesk.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.screendesk.io/security/saml-sso/saml-sso-with-google-workspace.md).
# SAML SSO with Google Workspace
This guide walks through setting up SAML single sign-on between Google Workspace and Screendesk. After completing these steps, your team members can log in to Screendesk using their Google Workspace credentials.
{% hint style="info" %}
**Plan Availability:** Enterprise only
{% endhint %}
{% hint style="info" %}
Before starting, make sure you have admin access to both your **Google Workspace Admin Console** and your **Screendesk workspace**. You will also need your Screendesk service provider details — find them in **Account Settings → Security → SAML SSO**.
{% endhint %}
***
### Configuration Overview
Setting up SAML SSO with Google Workspace involves two stages: creating a custom SAML app in Google Admin, then entering Google's IdP details back in Screendesk.
You will need these Screendesk values for the Google side:
| Screendesk Field | Value |
| ---------------- | ----------------------------------------- |
| **ACS URL** | `https://app.screendesk.io/saml_callback` |
| **Entity ID** | `urn:screendesk.io:saml` |
***
### Step 1 — Create a Custom SAML App in Google
{% stepper %}
{% step %}
#### Open the Google Admin Console
Sign in at [admin.google.com](https://admin.google.com) and navigate to **Apps → Web and mobile apps**.
{% endstep %}
{% step %}
#### Add a new app
Click **Add app → Add custom SAML app**.
{% endstep %}
{% step %}
#### Name the app
Enter **Screendesk** as the app name. Optionally upload the Screendesk logo. Click **Continue**.
{% endstep %}
{% step %}
#### Copy the Google IdP details
On the **Google Identity Provider details** screen, you will see three values you need for Screendesk:
* **SSO URL** — Copy this. You will paste it as the **Single Sign On URL** in Screendesk.
* **Entity ID** — Copy this. You will paste it as the **IDP Entity ID** in Screendesk.
* **Certificate** — Click **Download Certificate** to get the X.509 certificate file. You will paste its contents as the **IDP Certificate** in Screendesk.
Click **Continue**.
{% endstep %}
{% step %}
#### Enter the Service Provider details
Fill in the following fields:
| Field | Value |
| ------------------ | ----------------------------------------- |
| **ACS URL** | `https://app.screendesk.io/saml_callback` |
| **Entity ID** | `urn:screendesk.io:saml` |
| **Start URL** | Leave blank |
| **Name ID format** | **EMAIL** |
| **Name ID** | **Basic Information > Primary email** |
Click **Continue**.
{% endstep %}
{% step %}
#### Configure attribute mapping
Add the following attribute mappings so Screendesk can read user details from the SAML response:
| Google Directory attribute | App attribute |
| -------------------------- | ------------- |
| **Primary email** | `email` |
| **First name** | `first_name` |
| **Last name** | `last_name` |
Click **Finish**.
{% endstep %}
{% step %}
#### Turn on the app for your users
By default, the new SAML app is **off for everyone**. To enable it:
1. On the app's details page, click **User access**.
2. Select **ON for everyone** (or select specific organizational units).
3. Click **Save**.
{% hint style="warning" %}
Changes in Google Workspace can take up to 24 hours to propagate to all users, though it typically happens within minutes.
{% endhint %}
{% endstep %}
{% endstepper %}
***
### Step 2 — Configure Screendesk
{% stepper %}
{% step %}
#### Open SAML SSO settings
In Screendesk, go to **Account Settings → Security → SAML SSO** and click **Edit SAML SSO Settings**.
{% endstep %}
{% step %}
#### Enter the Google IdP details
Using the values you copied from Google Admin in Step 1:
| Screendesk Field | Value from Google |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SSO Domain** | Your company's email domain (e.g., `yourcompany.com`) |
| **IDP Entity ID** | The **Entity ID** from Google's IdP details page |
| **Single Sign On URL** | The **SSO URL** from Google's IdP details page |
| **IDP Certificate** | The contents of the downloaded certificate file. Open it in a text editor and paste the full text, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines. |
| {% endstep %} | |
{% step %}
#### Save the configuration
Click **Save Changes**.
{% endstep %}
{% endstepper %}
***
### Step 3 — Test the Connection
{% stepper %}
{% step %}
#### Open an incognito window
Use a private browser window to avoid conflicts with your current session.
{% endstep %}
{% step %}
#### Start the SAML login
Go to the Screendesk login page, click **Sign in with SAML SSO**, and enter an email address that belongs to your SSO domain.
{% endstep %}
{% step %}
#### Authenticate with Google
You should be redirected to Google's sign-in page. Log in with your Google Workspace credentials.
{% endstep %}
{% step %}
#### Confirm access
After authenticating, you should be signed in to Screendesk. If this is your first SAML login and **Automatic account creation** is enabled, a new Screendesk account will be created for you with the Member role.
{% endstep %}
{% endstepper %}
***
### Troubleshooting
"SAML Authentication failed" error
This usually means the SAML response signature could not be verified. Check the following:
* The **IDP Certificate** in Screendesk matches the certificate downloaded from Google Admin. Make sure you pasted the full PEM text including header and footer lines.
* The **ACS URL** in Google matches `https://app.screendesk.io/saml_callback` exactly.
* The **Entity ID** in Google matches `urn:screendesk.io:saml` exactly.
"No SSO account found" error
This means Screendesk could not find a workspace associated with the email domain. Verify that the **SSO Domain** field in Screendesk matches the domain part of your users' email addresses (e.g., `yourcompany.com`).
Users are redirected but not signed in
Make sure the **Name ID format** in Google is set to **EMAIL** and the **Name ID** is set to **Primary email**. Screendesk uses the NameID to identify users, and it must be a valid email address.
New users get "Ask your IT administrator" message
This means **Automatic account creation** is turned off in your Screendesk SAML settings. Either enable it in **Account Settings → Security → SAML SSO**, or manually create the user's Screendesk account before they try to log in.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://docs.screendesk.io/security/saml-sso/saml-sso-with-google-workspace.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.