          Configure SSO from Salesforce to Google Apps

          Let your users log in to Google Apps using single sign-on (SSO) with Salesforce configured as the identity provider.

          Required Editions

          Available in: Lightning Experience and Salesforce Classic
          Available in: Enterprise, Performance, Unlimited, and Developer Editions

          Configuring Salesforce as an identity provider for Google Apps involves these high-level steps.

          Get a SAML IdP Certificate

          Get a certificate, either self-signed or issued by a certificate authority, to use to set up service providers.

          Download the Metadata Document

          1. From Setup, enter Identity in the Quick Find box, and then select Identity Provider.
          2. Click Download Metadata.

          On the same page under SAML Metadata Discovery Endpoints, make note of the Salesforce Identity, for example, https://MyDomainName.my.salesforce.com/.well-known/samlidp.xml.

          Configure a SAML Provider in Google Apps

          1. Sign in as an administrator to the Google Apps account using https://admin.google.com.
          2. Navigate to the Google Apps page for configuring single sign-on.
          3. For the sign-in page URL, enter https://MyDomainName.my.salesforce.com/idp/endpoint/HttpRedirect.
          4. For the sign-out page URL, enter https://MyDomainName.my.salesforce.com/.
          5. For the change password URL, enter https://MyDomainName.my.salesforce.com/_ui/system/security/ChangePassword.
          6. For the verification certificate, upload the SAML IdP certificate you obtained earlier.
          7. Select Use a domain specific issuer.
          8. Click Save changes.
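
A pre-flight check for steps 3 and 6 above, added here as an example and not part of the Salesforce documentation: it parses the downloaded metadata document and confirms that the sign-in page URL is one of its HTTP-Redirect endpoints and that the certificate you are about to upload matches a certificate in the metadata. The sample metadata and certificate bytes are constructed placeholders, the function names are hypothetical, and the layout assumed is standard SAML 2.0 metadata.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SIGN_IN_URL = "https://MyDomainName.my.salesforce.com/idp/endpoint/HttpRedirect"

# Constructed sample in standard SAML 2.0 metadata shape. The certificate body
# is placeholder bytes, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://MyDomainName.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{SIGN_IN_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER-encoded certificate bytes."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines of a PEM file and decode the base64 body."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def check_idp_settings(metadata_xml: str, cert_pem: str, sign_in_url: str) -> list:
    """Compare the values entered in Google Apps with the downloaded metadata."""
    root = ET.fromstring(metadata_xml)
    problems = []
    redirect_urls = [s.get("Location")
                     for s in root.iterfind(".//md:SingleSignOnService", NS)
                     if s.get("Binding") == REDIRECT]
    if sign_in_url not in redirect_urls:
        problems.append("sign-in page URL is not an HTTP-Redirect endpoint in the metadata")
    known = {fingerprint(base64.b64decode(c.text or ""))
             for c in root.iterfind(".//ds:X509Certificate", NS)}
    if fingerprint(pem_to_der(cert_pem)) not in known:
        problems.append("verification certificate does not match the metadata")
    return problems
```

An empty list means both values agree with the metadata; run it against the file you downloaded rather than the sample before uploading the certificate.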

          Create and Configure a Connected App on Salesforce

          1. Define a connected app.
            • In Lightning Experience, from Setup, enter App in the Quick Find box, and select App Manager. Click New Connected App.
            • In Salesforce Classic, from Setup, enter Apps in the Quick Find box, and select Apps. Under Connected Apps, click New.
          2. Configure the connected app.

            Under Basic Information:

            1. Name the app (for example, Gmail).
            2. Enter your own email address.

            Under Web App Settings:

            1. Select Enable SAML.
            2. For Entity Id, enter https://google.com.
            3. For ACS URL, enter the URL for your Google App account.
            4. For Subject Type, set the method attribute by which a username in Google Apps maps to a unique Salesforce user identity. For example, to use federated authentication, select Federation ID. For more information, see Best Practices for Implementing Single Sign-On.
            5. Click Save.
            Note: It can take a few minutes for Salesforce to create the connected app.
          3. From Setup, enter Apps in the Quick Find box. If you’re using Lightning Experience, select Manage Connected Apps. If you’re using Salesforce Classic, under Manage Apps, select Connected Apps.

          4. Click Gmail.
          5. Under SAML Login Information, copy the IdP-initiated login URL.

            1. Click Edit Policies.
            2. For Start URL under Basic Information, paste the IdP-initiated login URL, plus this RelayState string: &RelayState=https%3A%2F%2Fmail.google.com%2Fa%2FyourGoogleAppDomainName.

              Replace yourGoogleAppDomainName with your Google domain, as shown in this example.

              https://identitydemo.my.salesforce.com/idp/login?app=0sp30000000000k
              &RelayState=https%3A%2F%2Fmail.google.com%2Fa%2Fidentitydemo.com
            3. Click Save.
          6. Under Profiles or Permission Sets, add the profiles or permission sets of users who can access this app.
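
The Start URL from step 5 is easy to get wrong by pasting an unencoded RelayState or leaving the yourGoogleAppDomainName placeholder in place. The following added example (not Salesforce code; the function names are hypothetical) builds the Start URL from the IdP-initiated login URL and checks an existing one, using the identitydemo values shown above.

```python
from urllib.parse import quote, unquote, urlsplit


def build_start_url(idp_login_url: str, google_domain: str) -> str:
    """Append the percent-encoded RelayState to the IdP-initiated login URL."""
    relay = f"https://mail.google.com/a/{google_domain}"
    # safe="" also encodes ":" and "/", matching the encoded form in the steps above.
    return f"{idp_login_url}&RelayState={quote(relay, safe='')}"


def check_start_url(start_url: str, google_domain: str) -> list:
    """Return the problems found in a Start URL; an empty list means none."""
    problems = []
    parts = urlsplit(start_url)
    if parts.scheme != "https":
        problems.append("Start URL is not https")
    # Keep the raw (still encoded) parameter values so encoding can be checked.
    params = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    if "app" not in params:
        problems.append("missing app parameter from the IdP-initiated login URL")
    raw = params.get("RelayState")
    if raw is None:
        return problems + ["missing RelayState parameter"]
    if ":" in raw or "/" in raw:
        problems.append("RelayState is not percent-encoded")
    target = urlsplit(unquote(raw))
    if target.scheme != "https" or target.hostname != "mail.google.com":
        problems.append("RelayState does not point to https://mail.google.com")
    if target.path != f"/a/{google_domain}":
        problems.append("RelayState path is not /a/<your Google domain>")
    return problems


# Values taken from the example in step 5.
IDP_LOGIN_URL = "https://identitydemo.my.salesforce.com/idp/login?app=0sp30000000000k"
START_URL = build_start_url(IDP_LOGIN_URL, "identitydemo.com")
```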

          Test the Connected App

          Verify that your Salesforce org can use SSO to access the connected app.

          1. Log out of Google Apps and Salesforce.
          2. Try to access a Google App page, such as http://mail.google.com/a/respond.info/.
          3. You’re redirected to a Salesforce sign-on page. After you log in, you are at the specified Google App page.

          An alternate test is to add the Google App to a web tab in your Salesforce org.

          1. Log in to Salesforce.
          2. From Setup, enter Tabs in the Quick Find box, and select Tabs.
          3. Under Web Tabs, click New.
          4. Choose a tab layout, and click Next.
          5. Enter a label for the tab. Use the default name, which is the same as the label.
          6. To display the Tab Style Selector, click the Tab Style lookup icon. Select an icon. Keep all other defaults.
          7. Click Next.
          8. For Button or Link URL, enter a Google App page, such as mail.google.com/a/respond.info/ for Gmail, and click Next.
            Note: Enter an absolute URL that starts with https://.
          9. Click Next and then click Save.
          10. To test the configuration, click the new tab at the top of your page. You’re automatically logged in to the Google App page.
           