Technical overview of SAML-based SSO

With single sign-on (SSO), users can access many applications without having to enter their username and password for each application. Security Assertion Markup Language (SAML) is an XML standard that enables secure web domains to exchange user authentication and authorization data. 

The roles of service providers and identity providers

Google offers a SAML-based SSO service that allows partner companies to authorize and authenticate hosted users who are trying to access secure content. Google acts as the online service provider and provides services, such as Google Calendar and Gmail. Google partners act as online identity providers and control usernames, passwords and other information used to identify, authenticate, and authorize users for web applications that Google hosts. 

Many open source and commercial identity providers can help you implement SSO with Google.

SAML verification certificates

To set up SSO with third-party identity providers (IdPs) where Google is the service provider, you need to upload one or more verification certificates. Each certificate contains the public key that Google uses to verify the signature on sign-in responses from the IdP.

  • If you’re configuring the Third-party SSO profile for your organization, you upload one verification certificate.
  • If you’re creating a new SAML SSO profile, you can upload two certificates, giving you the option to rotate certificates.

You’ll usually get these certificates from your IdP. However, you can also generate them yourself.

Requirements

  • The certificate must be a PEM or DER formatted X.509 certificate with an embedded public key.
  • The public key must be generated with the DSA or RSA algorithms.
  • The public key in the certificate must match the private key used to sign the SAML response.
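
The three requirements above can be checked before a certificate is uploaded. The script below is an added example, not part of Google's documentation: it assumes the openssl command-line tool is installed, and its function names and file arguments are hypothetical. The key-match check only makes sense where the signing key is held, which is normally the IdP side.

```sh
#!/bin/sh
# Added example: pre-upload checks for a SAML verification certificate.
# Assumes the openssl CLI is on PATH; function names here are hypothetical.

# Normalize a PEM or DER X.509 certificate to PEM on stdout; fail if neither.
cert_to_pem() {
  openssl x509 -in "$1" -inform PEM 2>/dev/null ||
  openssl x509 -in "$1" -inform DER 2>/dev/null
}

# Print RSA or DSA for an accepted key type; fail for anything else (e.g. EC).
cert_key_alg() {
  alg=$(cert_to_pem "$1" | openssl x509 -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
  case "$alg" in
    rsaEncryption) echo RSA ;;
    dsaEncryption) echo DSA ;;
    *) return 1 ;;
  esac
}

# Succeed only if the certificate's public key equals the public half of the
# private key that signs SAML responses.
cert_matches_key() {
  cert_pub=$(cert_to_pem "$1" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run the requirement checks in order; the private key argument is optional.
check_saml_cert() {
  cert_to_pem "$1" >/dev/null ||
    { echo "FAIL: not a PEM or DER X.509 certificate"; return 1; }
  alg=$(cert_key_alg "$1") ||
    { echo "FAIL: public key is not RSA or DSA"; return 1; }
  if [ -n "${2:-}" ]; then
    cert_matches_key "$1" "$2" ||
      { echo "FAIL: certificate does not match the signing key"; return 1; }
  fi
  echo "OK: $alg certificate"
}

# Usage: sh check_saml_cert.sh CERT [PRIVATE_KEY]
if [ "$#" -ge 1 ]; then check_saml_cert "$@"; fi
```

Running the check against both certificates of a SAML SSO profile before a rotation confirms that the new certificate pairs with the key the IdP will switch to.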

Related topic

SAML v2.0 specifications
