Skip to main content

Introduction

This guide will detail the various steps required to integrate Google Workspace as a SAML provider for your env zero organization. The current implementation is used for authentication only, where you define your users in your Google Workspace account to enable them access to your env zero organization. You can also add env zero as an application in your user application dashboard.
Self-Service Configuration Available: You can configure SAML SSO directly from your organization settings. See Self-Service SSO Integration for an overview, or Self-Service SAML Setup for step-by-step instructions.

Steps

  1. Login to your Google Workspace admin dashboard - https://admin.google.com
  2. Go to Apps > Web and mobile apps
  3. Under the Add app button dropdown select Add custom SAML app
  4. Give the app a name and set the app icon and click on the Continue button
Google Workspace app details configuration showing custom SAML app setup form
  1. Copy the SSO URL, Entity ID and download the certificate. You will need to send those over to env zero so we can set up the SAML on our side. Then click on the Continue button
  2. In the ACS URL enter the following: https://login.app.env0.com/login/callback?connection=YOUR_ENV0_ORG_ID
  3. In the Entity ID enter urn:auth0:env0:{YOUR_ENV0_ORG_ID}
  4. Check the Signed Response checkbox
  5. In the Name ID format choose Unspecified
  6. In the Name ID, choose Basic Information and Primary Email
  7. Click on the Continue button
  8. In the Attributes add the following:
Google Directory attributesApp attributes
Primary emailemail
First NamefirstName
Last NamelastName
Name
Google Workspace attributes mapping interface showing user attribute configuration for SAML
  1. In the Group membership add any Groups you would like to sync with env zero, and in the App attribute enter teams
Groups SyncingGroups will be synced each time a user logins with the following logic:
  1. env zero will create a new team if one doesn’t exists based on the group name it received from the Google Workspace.
  2. If the team exists in env zero, env zero will not create a new team.
    env zero will assign the user to all the teams in env zero based on the group names they are part of in the Google Workspace.
  3. If the user was removed from a group in the Google Workspace, env zero will remove them from the team in env zero.
  4. The names of the teams in env zero will be the same as the Group Name (including whitespaces) and not the Group Email.
  1. Click on the Finish
  2. In the User Access set the user you would like to have access to env zero
Google Workspace user access settings showing app access permissions and user assignment
  1. Navigate to your env zero organization settings and go to the SSO tab.
  2. Click on SAML and complete the self-service form with:
    • Identity Provider Single Sign-on URL (SSO URL)
    • Entity ID
    • X.509 Certificate