> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sevalla.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Google Workspace SAML SSO

> Learn how to set up SAML SSO in Sevalla with Google Workspace.

Google Workspace is an Identity Provider (IdP) that enables secure single sign-on (SSO), allowing your company's users to access multiple applications with one login.

With Security Assertion Markup Language (SAML) SSO, employees sign in once using their company credentials (typically email and password). The IdP, such as Google Workspace, verifies their identity and grants seamless, secure access to all connected services, without requiring separate logins for each application.

Company owners or IT administrators can link their organization’s email domain (e.g., @[mycompany.com](http://mycompany.com)) to the IdP so that anyone with a company email address is automatically recognized and can securely sign in to SAML-enabled tools.

Using Sevalla SAML SSO, you can connect Google Workspace to Sevalla by creating a SAML application within Google Workspace, verifying your company’s email domain, and adding the required Google Workspace details in Sevalla. This allows your team to log in with their existing company credentials, eliminating the need to create or manage separate Sevalla accounts.

<Info>
  When using SAML SSO with Sevalla, login must always be initiated from Sevalla. Logging in directly from your Identity Provider (IdP) is not supported.

  IdPs only support one active session per browser. If you have multiple Google Workspace accounts and are logged into one, attempting to log into another through Sevalla will result in an error. To switch accounts, log out of Google Workspace or use your browser’s Incognito/Private mode.
</Info>

## Enable SSO in Sevalla

When you set up SAML SSO, you can navigate away from the SSO setup at any stage to store your progress and return later.

In Sevalla, go to your **Company settings** > **Single sign-on**, and click **Enable**.

<Frame caption="Enable SSO in Sevalla.">
  <img className="block dark:hidden" alt="Enable SSO" src="https://mintcdn.com/sevalla/znhzGue4KWYN3uG0/images/enable-sso-light.png?fit=max&auto=format&n=znhzGue4KWYN3uG0&q=85&s=c398cd2b338da89076717091f38bedce" width="3374" height="1800" data-path="images/enable-sso-light.png" />

  <img className="hidden dark:block" alt="Enable SSO" src="https://mintcdn.com/sevalla/znhzGue4KWYN3uG0/images/enable-sso-dark.png?fit=max&auto=format&n=znhzGue4KWYN3uG0&q=85&s=d18cb436015197af6d85ab284e84c7bd" width="3370" height="1798" data-path="images/enable-sso-dark.png" />
</Frame>

Read through the introduction, which explains how SSO will be set up, and click **Continue**.

<Frame caption="Introduction to the steps required to set up SSO.">
  <img className="block dark:hidden" alt="Introduction to the steps required to set up SSO" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-intro-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=8455fa4a6402a82184990f89d0d727c7" width="2564" height="1544" data-path="images/sso-intro-light.png" />

  <img className="hidden dark:block" alt="Introduction to the steps required to set up SSO" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-intro-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=06df698980233807f30719682814092a" width="2570" height="1558" data-path="images/sso-intro-dark.png" />
</Frame>

The next page provides all the information you need to set up your SAML app within Google Workspace.

## Create the app in Google Workspace

In Sevalla, the **Create SAML app** tab provides all the information you need to set up your SAML app within Google Workspace. The following steps explain where to add this information.

<Warning>
  When using SAML SSO with Sevalla, all logins must be initiated directly from Sevalla. Logging in from your Identity Provider (IdP) dashboard is not supported. For this reason, you may want to hide the Sevalla app from users’ IdP dashboards to avoid confusion.
</Warning>

<Frame caption="Information to create the SAML app at your IdP.">
  <img className="block dark:hidden" alt="Information to create the SAML app at your IdP" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-create-app-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=3df84e52792cd16e9c73d651a51ce2e9" width="2568" height="2332" data-path="images/sso-create-app-light.png" />

  <img className="hidden dark:block" alt="Information to create the SAML app at your IdP" src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/sso-create-app-dark.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=7b57f5b0ec84b4ac11032677ad92e977" width="2572" height="2340" data-path="images/sso-create-app-dark.png" />
</Frame>

Log in to Google Workspace as a user with admin access, open the **Google Apps** menu, and select the **Admin** app.

<Frame caption="Open the Admin app in Google.">
  <img src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/saml-sso-google-admin.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=98e4eca6446115ec092d07cd65909cdd" alt="Saml Sso Google Admin" width="2638" height="580" data-path="images/saml-sso-google-admin.png" />
</Frame>

Select **Web and mobile apps**, and then click **Add app** > **Add custom SAML app**.

<Frame caption="Add a custom SAML app in Google.">
  <img src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/saml-sso-google-add-saml-app.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=1ef4346adc31e9043ba0775664fe966d" alt="Saml Sso Google Add Saml App" width="2796" height="818" data-path="images/saml-sso-google-add-saml-app.png" />
</Frame>

In the **App name**, enter the **App name** from Sevalla. You can also download the **App icon** from Sevalla and upload this to the **App Icon**, and add a **Description** if required. Click **Continue**.

<Frame caption="Enter the app details in Google.">
  <img src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/saml-sso-google-app-details.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=0be7b70982853264b82aa8a8e929edd6" alt="Saml Sso Google App Details" width="2816" height="1722" data-path="images/saml-sso-google-app-details.png" />
</Frame>

## Sevalla setup

In Sevalla, on **Create SAML app**, click **Continue** so that you are on the **Sevalla setup** page. We will return to the **Create SAML app** tab in the next step when adding the service provider details to Google Workspace.

### Email domain

In the **Domain name**, enter the email domain users will use to sign in using SAML SSO, and click **Add domain**.

Only Sevalla accounts with an email address matching the verified domain can authenticate via SAML. For example, if SAML is enabled for `example.com`, only users with an `@example.com` email address will be able to sign in for that company.

<Info>
  Each email address can only be linked to one SAML configuration in Sevalla. This means a domain (e.g., `example.com`) can be associated with only one company at a time. Similarly, each Sevalla user can use SAML authentication for a single company only.
</Info>

If the domain has already been verified in Sevalla through DNS management or as a site domain, it will automatically be verified. If it hasn’t, you’ll be prompted to add a TXT record to your DNS management service to confirm domain ownership.

<Frame caption="Add the TXT record to your DNS to verify ownership.">
  <img className="block dark:hidden" alt="Add the TXT record to your DNS to verify ownership" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-verify-domain-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=ac2d73377d2fa61df230882f43e8a3dd" width="1044" height="806" data-path="images/sso-verify-domain-light.png" />

  <img className="hidden dark:block" alt="Add the TXT record to your DNS to verify ownership" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-verify-domain-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=27431c552c5c8c7177aa1e39a53acb49" width="1052" height="814" data-path="images/sso-verify-domain-dark.png" />
</Frame>

Because DNS changes can take time to propagate, you can navigate away from the SSO setup to store your progress and return later.

### Set up Sevalla SAML

In Google Workspace, the **Google Identity Provider details** tab provides all the information you need to set up SAML in Sevalla.

<Frame caption="Google Identity Provider details to set up the Sevalla app.">
  <img src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/saml-sso-google-idp-details.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=6f808a7399a2d3b508240594b9edac02" alt="Saml Sso Google Idp Details" width="2488" height="2146" data-path="images/saml-sso-google-idp-details.png" />
</Frame>

In Sevalla, within the Single sign-on **Sevalla setup** tab, complete the fields as follows:

* **SSO URL:** Copy and paste the **SSO URL** from Google Workspace.
* **Entity ID:** Copy and paste the **Entity ID** from Google Workspace.
* **Public certificate:** Copy and paste the contents of the **Certificate** from Google Workspace.

Click **Back**.

## Add the service provider details in Google Workspace

In Sevalla, within **Single sign-on**, ensure you are on the **Create SAML app** tab.

Within Google Workspace, click **Continue** to the **Service provider details** tab and complete as follows:

* **ACS URL:** Copy and paste the **SSO/ACS URL** from Sevalla.
* **Entity ID:** Copy and paste the **Entity ID** from Sevalla.
* **Start URL:** Copy and paste the **Start URL** from Sevalla.
* **Signed response:** Select this option.
* **Name ID format:** EMAIL.
* **Name ID:** Basic Information > Primary email.

Click **Continue**.

<Frame caption="Enter the service provider details from Sevalla into Google.">
  <img src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/saml-sso-google-service-provider-details.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=3d5bd6908ce4f5e1a4225513d5aaff9c" alt="Saml Sso Google Service Provider Details" width="2742" height="1886" data-path="images/saml-sso-google-service-provider-details.png" />
</Frame>

## Map your Google Workspace attributes

Within **Attribute mapping**, you can add the first name, last name, and email to the login credentials. Complete these as follows, and click **ADD MAPPING** after each entry:

| **Google directory attributes** | **App attributes** |
| ------------------------------- | ------------------ |
| Fiest name                      | firstName          |
| Last name                       | lastName           |
| Primary email                   | email              |

Click **Finish**.

<Frame caption="Map the first name, last name, and email in Google to the Sevalla fields.">
  <img src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/saml-sso-google-attribute-mapping.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=622dcad218aea1ae4c7112ef17a7d6c1" alt="Saml Sso Google Attribute Mapping" width="2796" height="1952" data-path="images/saml-sso-google-attribute-mapping.png" />
</Frame>

## Set up user access to the Google Workspace app

In Google Workspace, in the Admin app, go to **Apps** > **Web and mobile apps**, select the Sevalla application, and click **User access**.

<Frame caption="Select User access on the Sevalla application in Google Workspace.">
  <img src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/saml-sso-google-user-access.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=8e3e345c0ac719fe0a6604e2ce2a8190" alt="Saml Sso Google User Access" width="2488" height="1204" data-path="images/saml-sso-google-user-access.png" />
</Frame>

Select the **Group(s)** or **Organisational unit(s)** you want to grant access to Sevalla via SAML. Then select **ON** or **ON for everyone** and click **SAVE**. For more information about Groups and Organisational units, refer to [Google Workspace Admin Help](https://support.google.com/a?sjid=10187148707879574500-EU#topic=4388346).

<Frame caption="Select the Group(s) or Organisational unit(s) you want to grant access to Sevalla via SAML.">
  <img src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/saml-sso-google-change-user-access.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=f6a2c1d7b5d4b98e23995ead13853ba7" alt="Saml Sso Google Change User Access" width="2488" height="1008" data-path="images/saml-sso-google-change-user-access.png" />
</Frame>

To test authentication, make sure the Sevalla user account you’re signed in with is assigned.

## Test the authentication in Sevalla

You cannot enable SAML SSO within Sevalla without first testing the authentication.

In Sevalla, within Single sign-on, click **Continue** until you are on the **Test and finish** tab, and click **Test authentication**.

A notification appears if the test was successful or if the test fails.

If the test fails, click **Back** and check your SAML settings within your IdP and within Sevalla.

If the test is successful and you want to enable SAML, click **Save and set SSO live**.

<Frame caption="Test your SSO setup and set SSO live.">
  <img className="block dark:hidden" alt="Test your SSO setup and set SSO live" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-test-finish-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=58ab5bb43e02dd0016359b323a5d94a1" width="2566" height="1410" data-path="images/sso-test-finish-light.png" />

  <img className="hidden dark:block" alt="Test your SSO setup and set SSO live" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-test-finish-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=847e7226d8a9e1c76a56dca41bf650b5" width="2572" height="1418" data-path="images/sso-test-finish-dark.png" />
</Frame>

Your Sevalla company users will now be able to sign in with SAML SSO or by entering their username and password. Users who sign in through an IdP are not required to complete Sevalla's 2FA, as authentication is handled directly by the IdP.

If you want to force users to sign on via SAML, you can enable Mandatory SSO and add Exceptions. You can also enable JIT provisioning to allow users authorized by your IdP to access your Sevalla company without requiring an invitation.

<Frame caption="Sign in to Sevalla with SAML SSO.">
  <img className="block dark:hidden" alt="Sign in to Sevalla with SAML SSO" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-sign-in-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=96f246d159744eb57da7d122aa9a715e" width="790" height="1276" data-path="images/sso-sign-in-light.png" />

  <img className="hidden dark:block" alt="Sign in to Sevalla with SAML SSO" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-sign-in-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=17186899f4184229d734993b4c54c76b" width="790" height="1274" data-path="images/sso-sign-in-dark.png" />
</Frame>

## Change the session duration

Your Identity Provider (IdP) determines how long your SSO session remains active and when it expires. If your IdP doesn’t specify a session duration, Sevalla defaults to a 24-hour session.

When your SSO session expires, you’ll be logged out of SSO. If you’re working within a company that uses SSO, you’ll be prompted to reauthenticate. If you have access to multiple companies in Sevalla, you’ll remain logged in overall but will need to reauthenticate before accessing any company that requires SSO.

For details on adjusting session duration, refer to the [Google Workspace Admin Help](https://support.google.com/a/answer/7576830?sjid=15638353417037270933-EU).
