Set Up SSO with Google Workspace

This guide covers the complete SSO setup between Enpass Admin Console and Google Workspace. Follow each phase in order — you'll move between both portals during the process.

You'll need:

• Super Admin access to the Enpass Admin Console

• Admin access to the Google Workspace Admin Console

Phase 1: Start the SSO Connector in Enpass

1. Log in to the Enpass Admin Console.

2. Navigate to Settings > Single Sign-On.

3. Click Set Up to open the SAML Configuration dialog.

4. Enter a name for your configuration (e.g., Google Workspace SSO), select Google Workspace as the Identity Provider, and click Continue.

5. On the next screen, you'll see your SP Entity ID and SP Assertion Consumer Service (ACS) URL. Keep this page open — you'll need these values in Phase 2.

Phase 2: Configure the SAML App in Google Workspace

Step 1: Create a Custom SAML App

1. In the Google Workspace Admin Console, go to Menu > Apps > Web and mobile apps.

2. Click Add App > Add custom SAML app.

3. Enter an App name and optional Description. Optionally upload an app icon. Click Continue.

Step 2: Download the IdP Metadata

4. On the Google Identity Provider details page, download the IdP metadata file. You'll upload this to Enpass in Phase 3.

5. Click Continue.

Step 3: Enter Enpass SP Details

6. In the Service Provider Details window:

   • Enter the Entity ID and ACS URL copied from the Enpass Admin Console in Phase 1.

   • Check the Signed response checkbox.

   • Set the Name ID format to EMAIL and the Name ID value to Primary email.

   • Click Continue.

Step 4: Map User Attributes

7. In the Attribute Mapping step:

   • Under Google Directory attributes, select Primary Email.

   • Under App attributes, enter Email as the corresponding attribute name.

8. Click Finish.

Step 5: Enable User Access

9. On the app's overview page, click User access.

10. Assign all admins who need SSO access to the Enpass Admin Console to this application and save.

Phase 3: Finish Setup in Enpass

1. Return to the Enpass Admin Console SSO setup page (where you left off in Phase 1).

2. Upload the IdP metadata file downloaded from Google Workspace in Phase 2, or paste the metadata URL if available.

3. Click Add Configuration to save.

Test the Configuration

4. Click Test Configuration, then click Start Test. A new tab will open and run a test sign-in through Google Workspace. The tab closes automatically when the test is complete.

If the test fails, verify that the Entity ID and ACS URL in Google Workspace exactly match the values from Enpass, and that the Signed response checkbox is enabled.

Activate SSO

5. Once the test passes, click Activate to enable SSO login for Admin Console users.

Enforce SSO (Optional)

6. To make SSO the only permitted login method, enable the Enforce SSO toggle on the SSO settings page. This disables email/password login for all admins.

Related Topics

• Bypass SSO for Specific Admins