Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

Google Workspace

Configure Google Workspace as a SAML 2.0 identity provider for Safeguard.

Google Workspace

Use this when you want Google Workspace itself to be the SAML identity provider (distinct from the "Sign in with Google" OAuth button — see Social login for that).

  1. In Google Admin Console, go to Apps → Web and mobile apps → Add app → Add custom SAML app.

  2. Name the app (e.g. "Safeguard") and click Continue.

  3. On the Google IdP information screen, note the SSO URL, Entity ID, and download the Certificate. Click Continue.

  4. On Service provider details, enter:

    • ACS URL: the ACS URL Safeguard shows in the dialog after Save, copy-pasted exactly — https://api.safeguard.sh/auth/idp/realms/<tenantId>/broker/google-workspace/endpoint. Typing this by hand is a common source of errors (wrong domain, missing path segment); if login fails outright with no error reaching Safeguard at all, re-check this field character-by-character against what Safeguard's dialog shows.
    • Entity ID: the SP Entity ID Safeguard shows after Save — https://api.safeguard.sh/auth/idp/realms/<tenantId>
    • Name ID format: EMAIL
    • Name ID: Basic Information → Primary email
  5. On Attribute mapping, Google's form has two columns: Google directory attributes (pick from a dropdown) on the left, App attributes (you type the name) on the right. Add these rows:

    Google directory attributesApp attributes
    Basic Information → Primary emailemail (required — do this even though you already set the Name ID to the same field in step 4; Safeguard reads email from this named attribute, not from the Name ID)
    Basic Information → First namefirstName (optional — only if you want it synced)
    Basic Information → Last namelastName (optional — only if you want it synced)

    Do not leave a half-filled row (a Google directory attribute selected with no App attribute name typed, or vice versa) — Google's admin console will reject the whole form with a generic 400 internal_error referencing schemaKey if you do. Delete any empty/incomplete row before saving.

  6. Click Finish.

  7. Back in Safeguard, click Add Provider → SAML 2.0 → Google Workspace, and enter the SSO URL, Entity ID, and Certificate from step 3, plus an alias/display name. Save.

  8. In Google Admin Console, turn the app ON for everyone (or the specific org units you want), under User access.

  9. Use Test SAML login in Google Admin, or Test in Safeguard, to confirm.

What "User access: ON for everyone" actually controls: this only decides which Google Workspace users are allowed to attempt SAML sign-in through this app — it does not by itself grant them access into Safeguard. A user still needs a Safeguard account: either they already exist in the tenant (they'll be signed into their existing account), or your tenant's provisioning policy allows just-in-time creation on first login. If you restrict this to specific org units, only users in those org units can even reach the SAML redirect; everyone else sees a Google-side "you don't have access to this app" message before Safeguard is ever involved.

Common errors: Google Admin shows 400. Error: internal_error mentioning schemaKey on the Attribute mapping step — see step 5 above (delete any half-filled attribute-mapping row). Users don't see the option to sign in via Google Workspace even after saving the provider in Safeguard — the app hasn't been turned ON for their org unit yet under User access (step 8). Login fails immediately with no request ever reaching Safeguard (blank page, browser can't resolve/connect, or an unrelated 404) — the ACS URL in step 4 has a typo; re-copy it exactly from Safeguard's dialog rather than retyping it.

On this page