Step by Step – G suite (formerly Google Apps) SSO with PhenixID Authentication Services


This document will guide you through the steps to provide Single-Sign-On to G Suite using SAML with PhenixID Authentication Services as SAML IdP.


System Requirements

  • PhenixID Authentication Services 2.0 or higher
  • Google domain registered (for example
  • Google domain administrator account credentials
  • Google test account (must NOT have administrator rights)


1. Set up PhenixID Authentication Services as SAML IdP

  1. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
    Make sure the User identifier attribute is set to the attribute where the mail address is stored.
  2. Download the IdP signing certificate to a file as described here.
  3. Open the IdP Metadata and get the value of the SingleSignOnService-Location.
  4. If SAML SLO is configured (, get the SLO Post URL.

2. Configure G Suite

    1. Login to with yoyr G suite administrator account.
    2. Click Security in the admin console.
    3. Click Setup Single Sign on
    4. Select Setup SSO with third party identity provider.
    5. Enter these properties:
      1. Sign-in page URL = <Value fetched from step 1.3>
      2. Sign-out page URL = <Value fetched from step 1.4>
      3. Verification certificate = <Upload certificate file from step 1.2>
      4. Select “Use a domain specific issuer”
    6. Example configuration:
    7. Click Save


3. Add G Suite SAML SP Metadata to PhenixID Authentication Services

  1. Create GSuite SAML SP Metadata XML file. Use the template data below and replace “<your_domain>” in entityID and AssertionConsumerService Location with your google domain name. Place the text in a file using a text editor and save it as a xml file.
    <?xml version="1.0" encoding="UTF-8"?>
    <EntityDescriptor entityID="<your_domain>" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    1. Example metadata:
      <?xml version="1.0" encoding="UTF-8"?>
      <EntityDescriptor entityID="" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  2. Upload the metadata file using this Federation Scenario.



  1. Open a web browser
  2. Browse to and enter your emailadress.
    Browse to<your_domain>
  3. You should be redirected to the Idp (PhenixID Authentication Services)
  4. Authenticate
  5. You should be redirected back to G Suite
  6. You are now logged in to G Suite.


Use the SAML Tracer addon for Firefox to debug and trace the SAML messages.

Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID -