---
title: Integrate with Google Workspace
sidebar_label: Google Workspace
support_level: authentik
---

## What is Google Workspace

> Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.
>
> -- https://en.wikipedia.org/wiki/Google_Workspace

## Preparation

The following placeholders are used in this guide:

- `authentik.company` is the FQDN of the authentik installation.
- `example.com` is the default E-mail address configured in Google workspace.

:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::

## authentik Configuration

Create an application in authentik and note the slug, as this will be used later. Set the _Launch URL_ to `https://mail.google.com/a/example.com`.

Create a SAML provider with the following parameters:

- ACS URL: `https://www.google.com/a/example.com/acs`
- Issuer: `google.com/a/example.com`
- Binding: `Post`
- Audience: `google.com/a/example.com`

Under _Advanced protocol settings_, set the option _NameID Property Mapping_ to the default E-mail property mapping called _authentik default SAML Mapping: Email_. Also make sure a _Signing Certificate_ is selected in the same section.

Copy the values of _SSO URL (Redirect)_ and _SLO URL (Redirect)_ fields from the provider page.

Click the _Download_ button next to the _Download signing certificate_ label.

## Google Workspace Configuration

Log in to the Google Workspace Admin portal by navigating to https://admin.google.com/, and authenticating with a super-admin account.

Navigate to _Security_ -> _Authentication_ -> _SSO with third-party IdP_.

Open the _Third-party SSO profile for your organization_ section.

Check the checkbox _Set up SSO with third-party identity provider_.

Set the value of _Sign-in page URL_ to the copied _SSO URL (Redirect)_ from above.

Set the value of _Sign-out page URL_ to the copied _SLO URL (Redirect)_ from above.

For _Verification certificate_, upload the certificate that you downloaded previously.

Ensure the option _Use a domain specific issuer_ is enabled.

## Notes

Google will not use these SSO settings with super-admins, although they will apply for any other user account. User accounts must already exist in Google workspace when attempting to login with authentik; Google will not create them automatically.

To verify that the configuration is correct for a super-admin account, navigate to `https://mail.google.com/a/example.com`, which redirects to the configured authentik instance.