SSO assertion requirements

As the administrator, you need the elements and attributes listed in the following tables for SAML 2.0 SSO assertions returned to the Google Assertion Consumer Service (ACS) after the identity provider (IdP) has authenticated the user.

About the Assertion Consumer Service

The Assertion Consumer Service, or ACS URL, tells the IdP where to redirect an authenticated user after sign-in. An ACS URL takes the following form:

https://www.google.com/a/domain.com/acs

Note: If your organization restricts access to www.google.com, please contact your organization's support team for an alternate ACS URL, and go to Create an SSO profile.

Guidance for attributes

If you've set up SSO via a third-party Identity provider and your IdP's SAML assertion includes an <AttributeStatement>, Google will store these attributes until the user's Google Account session expires. (Session length varies and is configurable by the administrator.) After the account session expires, attribute information is permanently deleted within a week.

As with custom attributes in Directory, assertion attributes shouldn't include sensitive personally identifiable information (PII), such as account credentials, government ID numbers, cardholder data, financial account data, healthcare information, or sensitive background information.

Recommended uses for assertion attributes would include:

  • User IDs for internal IT systems
  • Session-specific roles

You can only pass a maximum of 2kB of attribute data in your assertions. The attribute values must be low-ASCII strings (Unicode/UTF-8 characters are not supported). Assertion values that are not low-ASCII and assertions that exceed the maximum allowed size will be rejected altogether, and cause the sign-in to fail.
 

Return assertions to the ACS

Troubleshoot problems

To troubleshoot issues with these assertions, use the network inspector. For instructions, see the Google Admin Toolbox HAR Analyzer page

If you need to contact support, use a disposable test account because the HTTP Archive (HAR) capture contains the the username and password in clear text. Or, edit the file to delete sensitive interactions between the user and the IdP. Contact Google Workspace support.

The SAMLRequest sent to your IdP contains the relevant AssertionConsumerServiceURL. If your SAMLResponse is sent to another URL, there could be a configuration issue with your IdP.
Use elements and attributes

Note: The SAML assertion can only contain standard ASCII characters.

Name ID element

Field NameID element in the Subject element.
 
Description

NameID identifies the subject which is the user's primary email address. 

It is case-sensitive.

Required

Value

user@example.com
 
Example <saml:Subject>
<saml:NameID
SPNameQualifier="google.com/a/example.com"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>user@example.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-11-05T17:37:07Z"
Recipient="https://www.google.com/a/example.com/acs"
InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen"
</saml:SubjectConfirmation>
</saml:Subject>

Recipient attribute

Field Recipient attribute in the SubjectConfirmationData element
 
Description

Recipient specifies additional data required for the subject. 

It is case-sensitive.

example.com is probably the primary domain of your Google Workspace or Cloud Identity account, even if the user being authenticated uses a secondary domain in the same Google Workspace or Cloud Identity account.

Required

Value

https://www.google.com/a/example.com/acs

or

https://accounts.google.com/a/example.com/acs

Example <saml:Subject>
<saml:NameID SPNameQualifier="google.com/a/example.com"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>user@example.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-11-05T17:37:07Z"
Recipient="https://www.google.com/a/example.com/acs"
InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen"
</saml:SubjectConfirmation>
</saml:Subject>

Audience element

Field Audience element in the AudienceRestriction parent element
Description

Audience is the uniform resource identifier (URI) that identifies the intended audience that requires the value of ACS URI.

example.com is probably the primary domain of your Google Workspace or Cloud Identity account, even if the user being authenticated uses a secondary domain in the same Google Workspace or Cloud Identity account.

This element value can’t be empty.

Required

Value

https://www.google.com/a/example.com/acs

or

https://accounts.google.com/a/example.com/acs

Example

<saml:Conditions
NotBefore="2014-11-05T17:31:37Z"
NotOnOrAfter="2014-11-05T17:37:07Z">
<saml:AudienceRestriction>
<saml:Audience>https://www.google.com/a/example.com/acs
</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>

Destination attribute

Field Destination attribute of the Response element
 
Description

Destination is the URI of where the SAML assertion is being sent.

It is an optional attribute, but if it is declared, it will need a value of the ACS URI.

example.com is probably the primary domain of your Google Workspace or Cloud Identity account, even if the user being authenticated uses a secondary domain in the same Google Workspace or Cloud Identity account.

Required

Value

https://www.google.com/a/example.com/acs 

or

https://accounts.google.com/a/example.com/acs

Example <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_7840062d379d82598d87ca04c8622f436bb03aa1c7"
Version="2.0"
IssueInstant="2014-11-05T17:32:07Z"
Destination="https://www.google.com/a/example.com/acs"
InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen">

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
8716944708440977535
true
Search Help Center
true
true
true
false
false