Google Workspace

Configure Google Workspace as a SAML IdP so users can sign in with their Google Workspace accounts.

Configure SAML App in Google Workspace

Access the Google Admin Console (admin.google.com) and navigate to Apps > Web and mobile apps.

Click Add App > Add custom SAML app.

Enter an App name (e.g., "Hanzo IAM") and optionally upload an app icon. Click Continue.

Download the metadata or note the following values provided by Google:

SSO URL

Entity ID

Certificate

Click Continue.

Configure Hanzo IAM as the Service Provider with the following values:

ACS URL: https://<your-iam-domain>/api/acs

Entity ID: https://<your-iam-domain>/api/acs

Name ID format: EMAIL

Name ID: Basic Information > Primary email

:::note

The /api/acs endpoint only accepts POST requests. Google Workspace uses POST binding by default.

:::

Click Continue.

Configure attribute mapping (optional):

email → Primary email

displayName → First name and Last name

Click Finish.

After creating the app, make sure to turn it ON for your organization or specific organizational units.

In the Hanzo IAM admin console, navigate to Providers and click Add.

Select the following:

Category: SAML

Type: Custom

Metadata: Paste the metadata downloaded from Google Workspace, or manually enter the SSO URL, Entity ID, and certificate.

Click Parse to automatically fill in the fields, then click Save.

Copy the generated SP ACS URL and SP Entity ID values (they should match https://<your-iam-domain>/api/acs).

Edit your Hanzo IAM application and add the Google Workspace SAML provider to the Providers list. Click Save.

Navigate to your Hanzo IAM application's login page. You should see a Google Workspace login option. Click it to test the SAML authentication flow.