# SAML SSO with Google Workspace

This guide walks through setting up SAML single sign-on between Google Workspace and Screendesk. After completing these steps, your team members can log in to Screendesk using their Google Workspace credentials.

{% hint style="info" %}
**Plan Availability:** Enterprise only
{% endhint %}

{% hint style="info" %}
Before starting, make sure you have admin access to both your **Google Workspace Admin Console** and your **Screendesk workspace**. You will also need your Screendesk service provider details — find them in **Account Settings → Security → SAML SSO**.
{% endhint %}

***

### Configuration Overview

Setting up SAML SSO with Google Workspace involves two stages: creating a custom SAML app in Google Admin, then entering Google's IdP details back in Screendesk.

You will need these Screendesk values for the Google side:

| Screendesk Field | Value                                     |
| ---------------- | ----------------------------------------- |
| **ACS URL**      | `https://app.screendesk.io/saml_callback` |
| **Entity ID**    | `urn:screendesk.io:saml`                  |

***

### Step 1 — Create a Custom SAML App in Google

{% stepper %}
{% step %}

#### Open the Google Admin Console

Sign in at [admin.google.com](https://admin.google.com) and navigate to **Apps → Web and mobile apps**.
{% endstep %}

{% step %}

#### Add a new app

Click **Add app → Add custom SAML app**.
{% endstep %}

{% step %}

#### Name the app

Enter **Screendesk** as the app name. Optionally upload the Screendesk logo. Click **Continue**.
{% endstep %}

{% step %}

#### Copy the Google IdP details

On the **Google Identity Provider details** screen, you will see three values you need for Screendesk:

* **SSO URL** — Copy this. You will paste it as the **Single Sign On URL** in Screendesk.
* **Entity ID** — Copy this. You will paste it as the **IDP Entity ID** in Screendesk.
* **Certificate** — Click **Download Certificate** to get the X.509 certificate file. You will paste its contents as the **IDP Certificate** in Screendesk.

Click **Continue**.
{% endstep %}

{% step %}

#### Enter the Service Provider details

Fill in the following fields:

| Field              | Value                                     |
| ------------------ | ----------------------------------------- |
| **ACS URL**        | `https://app.screendesk.io/saml_callback` |
| **Entity ID**      | `urn:screendesk.io:saml`                  |
| **Start URL**      | Leave blank                               |
| **Name ID format** | **EMAIL**                                 |
| **Name ID**        | **Basic Information > Primary email**     |

Click **Continue**.
{% endstep %}

{% step %}

#### Configure attribute mapping

Add the following attribute mappings so Screendesk can read user details from the SAML response:

| Google Directory attribute | App attribute |
| -------------------------- | ------------- |
| **Primary email**          | `email`       |
| **First name**             | `first_name`  |
| **Last name**              | `last_name`   |

Click **Finish**.
{% endstep %}

{% step %}

#### Turn on the app for your users

By default, the new SAML app is **off for everyone**. To enable it:

1. On the app's details page, click **User access**.
2. Select **ON for everyone** (or select specific organizational units).
3. Click **Save**.

{% hint style="warning" %}
Changes in Google Workspace can take up to 24 hours to propagate to all users, though they typically take effect within minutes.
{% endhint %}
{% endstep %}
{% endstepper %}

***

### Step 2 — Configure Screendesk

{% stepper %}
{% step %}

#### Open SAML SSO settings

In Screendesk, go to **Account Settings → Security → SAML SSO** and click **Edit SAML SSO Settings**.
{% endstep %}

{% step %}

#### Enter the Google IdP details

Using the values you copied from Google Admin in Step 1:

| Screendesk Field       | Value from Google                                                                                                                                                                     |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SSO Domain**         | Your company's email domain (e.g., `yourcompany.com`)                                                                                                                                 |
| **IDP Entity ID**      | The **Entity ID** from Google's IdP details page                                                                                                                                      |
| **Single Sign On URL** | The **SSO URL** from Google's IdP details page                                                                                                                                        |
| **IDP Certificate**    | The contents of the downloaded certificate file. Open it in a text editor and paste the full text, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines. |

{% endstep %}

{% step %}

#### Save the configuration

Click **Save Changes**.
{% endstep %}
{% endstepper %}

***

### Step 3 — Test the Connection

{% stepper %}
{% step %}

#### Open an incognito window

Use a private browser window to avoid conflicts with your current session.
{% endstep %}

{% step %}

#### Start the SAML login

Go to the Screendesk login page, click **Sign in with SAML SSO**, and enter an email address that belongs to your SSO domain.
{% endstep %}

{% step %}

#### Authenticate with Google

You should be redirected to Google's sign-in page. Log in with your Google Workspace credentials.
{% endstep %}

{% step %}

#### Confirm access

After authenticating, you should be signed in to Screendesk. If this is your first SAML login and **Automatic account creation** is enabled, a new Screendesk account will be created for you with the Member role.
{% endstep %}
{% endstepper %}

***

### Troubleshooting

<details>

<summary>"SAML Authentication failed" error</summary>

This usually means the SAML response signature could not be verified. Check the following:

* The **IDP Certificate** in Screendesk matches the certificate downloaded from Google Admin. Make sure you pasted the full PEM text including header and footer lines.
* The **ACS URL** in Google matches `https://app.screendesk.io/saml_callback` exactly.
* The **Entity ID** in Google matches `urn:screendesk.io:saml` exactly.

</details>

<details>

<summary>"No SSO account found" error</summary>

This means Screendesk could not find a workspace associated with the email domain. Verify that the **SSO Domain** field in Screendesk matches the domain part of your users' email addresses (e.g., `yourcompany.com`).

</details>

<details>

<summary>Users are redirected but not signed in</summary>

Make sure the **Name ID format** in Google is set to **EMAIL** and the **Name ID** is set to **Primary email**. Screendesk uses the NameID to identify users, and it must be a valid email address.

</details>

<details>

<summary>New users get "Ask your IT administrator" message</summary>

This means **Automatic account creation** is turned off in your Screendesk SAML settings. Either enable it in **Account Settings → Security → SAML SSO**, or manually create the user's Screendesk account before they try to log in.

</details>
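
To narrow down which of the mismatches above applies, the following added example (not Screendesk's code) checks a base64-decoded SAML response captured from a test login against the values in this guide. The function name, the sample response and `example.com` are assumptions, and it assumes standard SAML 2.0 element names. It does not verify the response signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://app.screendesk.io/saml_callback"    # from this guide
ENTITY_ID = "urn:screendesk.io:saml"                    # from this guide
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"email", "first_name", "last_name"}   # Step 1 attribute mapping

# Constructed sample (signature omitted); example.com stands in for your SSO domain.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
    Destination="https://app.screendesk.io/saml_callback/">
  <a:Assertion>
    <a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</a:NameID></a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>urn:screendesk.io:saml</a:Audience>
    </a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement>
      <a:Attribute Name="email"><a:AttributeValue>jdoe@example.com</a:AttributeValue></a:Attribute>
      <a:Attribute Name="first_name"><a:AttributeValue>J</a:AttributeValue></a:Attribute>
    </a:AttributeStatement>
  </a:Assertion>
</p:Response>"""


def check_response(xml_text, sso_domain):
    """List config mismatches in a decoded SAML response. Does NOT verify the signature."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination does not match the ACS URL exactly")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("Audience does not contain the Screendesk Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EMAIL")
    elif not (name_id.text or "").strip().lower().endswith("@" + sso_domain.lower()):
        problems.append("NameID is not an address in the SSO domain")
    present = {e.get("Name") for e in root.iterfind(".//a:Attribute", NS)}
    problems += [f"attribute '{n}' is missing" for n in sorted(REQUIRED_ATTRS - present)]
    return problems


if __name__ == "__main__":
    for problem in check_response(SAMPLE, "example.com"):
        print("MISMATCH:", problem)
```

An empty list means the response matches the Service Provider details, Name ID settings and attribute mapping from Step 1; a remaining "SAML Authentication failed" error then points at the **IDP Certificate**.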
