pinkpixel-dev/implementing-google-workspace-sso-configuration
SKILLS/implementing-google-workspace-sso-configuration/SKILL.md
Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized authentication and enforcing organization-wide access policies.
$ install --global
skillsauthnpx skillsauth add pinkpixel-dev/skills-collection-2 implementing-google-workspace-sso-configurationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 4:34 AM125.8s7 files scanned
SKILL.md
- name:
- implementing-google-workspace-sso-configuration
- description:
- Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized authentication and enforcing organization-wide access policies.
- domain:
- cybersecurity
- subdomain:
- identity-access-management
- tags:
- [google-workspace, sso, saml, identity-provider, authentication, federation]
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Implementing Google Workspace SSO Configuration
Overview
Single Sign-On (SSO) for Google Workspace allows organizations to authenticate users through their existing identity provider (IdP) such as Okta, Azure AD (Microsoft Entra ID), or ADFS, rather than managing separate Google passwords. This is implemented using SAML 2.0 protocol where Google Workspace acts as the Service Provider (SP) and the organization's IdP handles authentication. SSO centralizes credential management, enforces MFA policies at the IdP, and enables immediate access revocation when users leave the organization.
When to Use
- When deploying or configuring implementing google workspace sso configuration capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Google Workspace Business, Enterprise, or Education edition
- Super Admin access to Google Admin Console
- Identity Provider with SAML 2.0 support (Okta, Azure AD, ADFS, Ping Identity)
- IdP signing certificate (X.509 PEM format, RSA or DSA)
- DNS verification for the Google Workspace domain
Core Concepts
SAML 2.0 SSO Flow
User navigates to Google Workspace app (Gmail, Drive, etc.)
│
├── Google checks: Is SSO configured for this domain?
│
├── YES → Redirect user to IdP Sign-In Page URL
│ (SAML AuthnRequest sent via browser redirect)
│
├── User authenticates at IdP (credentials + MFA)
│
├── IdP generates SAML Response with signed assertion
│
├── Browser POSTs SAML Response to Google ACS URL:
│ https://www.google.com/a/{domain}/acs
│
├── Google validates SAML signature against uploaded certificate
│
└── User is granted access to Google Workspace
Key SAML Parameters
| Parameter | Value |
|-----------|-------|
| ACS URL | https://www.google.com/a/{your-domain}/acs |
| Entity ID | google.com/a/{your-domain} or google.com |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| NameID Value | User's primary Google Workspace email |
| Binding | HTTP-POST (for ACS), HTTP-Redirect (for SSO URL) |
Workflow
Step 1: Prepare the Identity Provider
For Okta:
- Navigate to Applications > Add Application > Search "Google Workspace"
- Configure the Google Workspace app with your domain
- Assign users/groups to the application
- Download the IdP metadata or note: SSO URL, Entity ID, Certificate
For Azure AD (Microsoft Entra ID):
- Navigate to Enterprise Applications > New Application > Google Cloud/Workspace
- Configure Single sign-on > SAML
- Set Basic SAML Configuration:
- Identifier (Entity ID):
google.com - Reply URL (ACS):
https://www.google.com/a/{your-domain}/acs - Sign on URL:
https://www.google.com/a/{your-domain}/ServiceLogin
- Identifier (Entity ID):
- Download Federation Metadata XML or Certificate (Base64)
For ADFS:
- Add Relying Party Trust using federation metadata
- Configure claim rules to pass NameID as email address
- Export the token-signing certificate
Step 2: Configure Google Workspace SSO
- Sign in to Google Admin Console (admin.google.com) as Super Admin
- Navigate to Security > Authentication > SSO with third-party IdP
- Click "Add SSO profile" or configure the default profile
Third-Party SSO Profile Settings:
| Setting | Value |
|---------|-------|
| Set up SSO with third-party IdP | Enabled |
| Sign-in page URL | IdP's SAML SSO endpoint (e.g., https://idp.example.com/sso/saml) |
| Sign-out page URL | IdP's logout URL (e.g., https://idp.example.com/slo) |
| Change password URL | IdP's password change URL |
| Verification certificate | Upload IdP's X.509 signing certificate |
| Use a domain-specific issuer | Enabled (uses google.com/a/{domain} as entity ID) |
Step 3: Assign SSO Profile to Users
SSO profiles can be applied at different scopes:
Organization-wide (all users)
│
├── Org Unit level (specific departments)
│ ├── Engineering OU → SSO via Okta
│ ├── Marketing OU → SSO via Azure AD
│ └── Contractors OU → SSO via specific IdP
│
└── Group level (specific security groups)
└── VPN Users → SSO with additional MFA
- Navigate to Security > Authentication > SSO with third-party IdP
- Select the SSO profile to assign
- Choose organizational units or groups
- Save and wait for propagation (up to 24 hours, typically minutes)
Step 4: Configure Network Masks (Optional)
Network masks control when SSO is enforced based on the user's IP:
- If the user's IP matches a network mask, they use Google's sign-in page
- If the user's IP does NOT match, they are redirected to the IdP
This is useful for allowing direct Google login from corporate network while enforcing SSO for external access.
Step 5: Test SSO
- Open an incognito browser window
- Navigate to
https://mail.google.com/a/{your-domain} - Verify redirect to IdP sign-in page
- Authenticate at the IdP
- Verify successful redirect back to Google Workspace
- Test sign-out flow redirects to IdP logout page
- Test with user not assigned in IdP (should fail)
Validation Checklist
- [ ] IdP SAML application configured with correct ACS URL and Entity ID
- [ ] IdP signing certificate uploaded to Google Admin Console
- [ ] SSO profile assigned to target organizational units/groups
- [ ] SAML assertion includes correct NameID (email format)
- [ ] MFA enforced at IdP for all Google Workspace users
- [ ] Sign-out URL configured to terminate IdP session
- [ ] Network masks configured if internal/external access differs
- [ ] Break-glass Super Admin accounts bypass SSO (use Google auth)
- [ ] SSO tested with multiple user types (admin, standard, contractor)
- [ ] SAML response signature validated successfully
- [ ] Error handling tested (expired cert, invalid user, clock skew)
References
- Google Workspace SSO Configuration Guide
- Set Up Custom SAML App - Google
- Okta Google Workspace SAML Guide
- SAML 2.0 Technical Overview - OASIS
Related Skills
pinkpixel-dev/implementing-rapid7-insightvm-for-scanning
development
VerifiedTrustedCommunity
Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated vulnerability scanning across enterprise environments.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-kill-switch-detection
testing
VerifiedTrustedCommunity
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-backup-strategy
testing
VerifiedTrustedCommunity
Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-purdue-model-network-segmentation
testing
VerifiedTrustedCommunity
Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise, enforcing strict traffic control between OT and IT domains.
1SKILL.mdUpdated May 29, 2026