SSO to Google via Okta

Important Note: Follow this guide if you use Google Workspace, or Google Workspace together with Google Cloud Platform.

Prerequisites for SSO to Google via Okta

To get started, let us first understand what we need to set up SSO:

  1. Google Workspace or Google Cloud Identity Super Administrator email and password.
  2. Okta Super Administrator user ID and password.
  3. At least one test user account in Okta (either created directly in Okta or brought over by Active Directory) that has also been provisioned in Google.
  4. Optional, but highly recommended: an IP address from which to test SSO before rolling it out in production.

Log in to your Okta Administration Console.

[Screenshot: Go to Okta Admin]

Go to Applications as shown in the screenshot below.

[Screenshot: Go to Applications in Okta]
  • Click on the Sign On tab and then click the “SAML” radio button as shown in the screenshot below.
  • Instructions now appear; click on “View Setup Instructions”.
[Screenshot: Go to the Google Workspace app SAML settings in Okta]

Scroll down a bit and copy the following, as we will need them later when we configure the SSO settings in Google Workspace.

  1. Sign in page URL
  2. Sign out page URL
  3. Change Password URL
  4. Click on the verification certificate to download it
[Screenshot: Copy the Okta URLs to put in Google Workspace SSO]
  • Your certificate from Okta should be downloaded now. We’ll need this certificate later to upload in the Google Workspace (or Google Cloud Identity) SSO settings.
[Screenshot: Download the certificate from Okta for Google]
  • Log in to your Google Workspace (or Google Cloud Identity) Administration Console.
  • Go to Security.
[Screenshot: Go to Security from your Google Admin console]
  • Scroll down to find “Setup Single Sign-On (SSO) with a third party IdP”.
  • Click on it to open its settings.
[Screenshot: Click to start Google Workspace SSO setup]
  • Paste the SSO URL that you copied from Okta.
  • Paste the Sign out URL that you copied from Okta (you may put any URL here to which you want users to go when they sign out).
[Screenshot: Enter the SSO URL you copied from Okta]
  1. Click on upload the certificate.
  2. Select the certificate that you downloaded from Okta.
  3. Upload it.
[Screenshot: Upload the certificate you downloaded from Okta to Google SSO]
  1. Please ensure your certificate has been uploaded, as you see in the screenshot below.
  2. Check “Use a domain specific issuer”.
  3. Put your testing IP address here in CIDR format (use /32 to make SSO apply only to this specific IP address).
    You can read more about the Network mask feature in Google Workspace above.
  4. Paste the change password URL that you copied from Okta.
  5. Save your changes.
[Screenshot: Google Workspace SSO Network mask]
  1. You will have your own specific settings from Okta, but they should look something like those shown in the screenshot.

    Now activate SSO by checking the box “Setup SSO with third party identity providers”.
  2. Save your changes.

    As soon as we save our changes, SSO should be applied, but ONLY from the test IP address we have entered; authentication requests from all other IP addresses should route through Google as usual.
[Screenshot: Save your Google Workspace SSO settings]
  • Now let us try to sign in via Okta (IdP-initiated sign-on) to see how our SSO is working.
  • Please make sure of the following:
    • You are testing SSO with a test user (not the admin user, as Google admin users bypass SSO).
    • You are testing it from the IP address that you entered in the Network mask above in the Google SSO settings.
[Screenshot: Try signing in via the Okta dashboard]

We should now be able to log in to Google Workspace successfully.

If you see any error, please make sure you have followed the steps above carefully, or look at the FAQs section at the bottom of this post to understand common SSO errors and their solutions.

[Screenshot: Success signing in to Gmail via IdP-initiated sign-on]
  • Now let us try to sign in via Google (Service Provider-initiated sign-on) to see how our SSO is working.
  • Please make sure of the following:
    • You are testing SSO with a test user (not the admin user, as Google admin users bypass SSO).
    • You are testing it from the IP address that you entered in the Network mask above in the Google SSO settings.
[Screenshot: Try signing in via Google Workspace]
  • You should now be redirected to your Okta sign-in page (unless you are already signed in to Okta).
  • Enter your Okta credentials to sign in.
[Screenshot: Redirection to the Okta SSO page]
  • We should now be able to log in to Google Workspace successfully.
  • If you see any error, please make sure you have followed the steps above carefully, or look at the FAQs section at the bottom of this post to understand common SSO errors and their solutions.
[Screenshot: Success signing in to Gmail via IdP initiated]
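
To plan the two test sign-ins above, the following added example (not part of the original guide, and not Okta or Google code) predicts which sign-in page each attempt should reach, based on the Network mask value and the guide's note that Google admin users bypass SSO. The users and IP addresses are constructed samples; semicolon-separated masks and the treatment of an empty mask field are assumptions.

```python
import ipaddress

# Constructed sample data: documentation IP ranges and hypothetical users.
MASK_FIELD = "203.0.113.10/32"
PLAN = [  # (user, source IP, is a Google admin)
    ("test.user", "203.0.113.10", False),
    ("test.user", "203.0.113.11", False),
    ("super.admin", "203.0.113.10", True),
]

def parse_masks(field):
    """Parse the Network masks value into network objects.

    Assumption: several masks are separated by semicolons.
    """
    nets = []
    for part in field.split(";"):
        if part.strip():
            # strict=False accepts a host address with a prefix (203.0.113.10/24)
            nets.append(ipaddress.ip_network(part.strip(), strict=False))
    return nets

def broad_masks(nets):
    """Return masks that cover more than one address (wider than a test host)."""
    return [str(n) for n in nets if n.num_addresses > 1]

def expected_path(client_ip, nets, is_google_admin=False):
    """Predict which sign-in page handles one attempt: 'okta' or 'google'."""
    if is_google_admin:
        return "google"  # per the guide, Google admin users bypass SSO
    if not nets:
        return "okta"  # assumption: an empty mask field applies SSO everywhere
    ip = ipaddress.ip_address(client_ip)
    # Membership is False when the address and mask IP versions differ.
    return "okta" if any(ip in n for n in nets) else "google"

def run_plan(mask_field, plan):
    """Return (user, ip, expected path) for every planned test sign-in."""
    nets = parse_masks(mask_field)
    return [(u, ip, expected_path(ip, nets, adm)) for u, ip, adm in plan]

if __name__ == "__main__":
    for mask in broad_masks(parse_masks(MASK_FIELD)):
        print(f"warning: {mask} covers more than one address")
    for user, ip, path in run_plan(MASK_FIELD, PLAN):
        print(f"{user:12} {ip:15} -> {path}")
```

Compare the predicted path with what you observe in each test; a mismatch usually points to a mask wider than intended or a test run from a different source IP.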

