Skip to content
Probo Logo Probo Documentation

Google Workspace SSO

This guide walks you through setting up SAML Single Sign-On between Google Workspace (formerly G Suite) and Probo.

Prerequisites

Section titled “Prerequisites”
  • Google Workspace administrator access
  • Probo organization administrator access
  • Your Probo domain (e.g., probo.example.com)
  • Access to your DNS settings for domain verification

Prepare Probo Information

Section titled “Prepare Probo Information”

Before configuring Google Workspace, gather these Probo service provider details:

FieldValue
ACS URLhttps://your-probo-domain.com/auth/saml/acs
Entity IDhttps://your-probo-domain.com/auth/saml/metadata
Start URLhttps://your-probo-domain.com (optional)

Replace your-probo-domain.com with your actual Probo domain.

Domain Verification

Section titled “Domain Verification”

Before configuring anything else, you must verify domain ownership:

  1. Log in to Probo as an organization administrator
  2. Go to Organization SettingsAuthenticationSAML
  3. Click Verify Domain (if no configurations exist yet, this option will be available)
  4. Copy the provided TXT record value
  5. Add a TXT record to your domain’s DNS settings: 
    Type: TXT
    Name: _probo-domain-verification.your-company.com
    Value: [Verification token from Probo]
    TTL: 300 (or your DNS provider's default)
  6. Wait for DNS propagation (usually 5-15 minutes)
  7. In Probo, click Complete Verification
  8. If successful, the domain status will show as “Verified”

Configure Google Workspace

Section titled “Configure Google Workspace”

  1. Sign in to the Google Admin Console

  2. Go to AppsWeb and mobile apps

  3. Click Add appAdd custom SAML app

  4. Configure the app details:

    FieldValue
    App nameProbo
    DescriptionProbo Compliance Management Platform
    Upload logoDownload from GitHub (optional)

  5. Click Continue

  6. Save the Google Identity Provider details that appear (you’ll need these for Probo configuration):

    FieldExample ValueNotes
    SSO URLhttps://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXXCopy this exact URL
    Entity IDhttps://accounts.google.com/o/saml2?idpid=XXXXXXXXXCopy this exact URL
    CertificateX.509 Certificate textDownload the certificate or copy the X.509 certificate text

  7. Click Continue

  8. Configure the service provider details:

    FieldValue
    ACS URLhttps://your-probo-domain.com/connect/saml/consume
    Entity IDhttps://your-probo-domain.com/connect/saml/metadata
    Start URL[SAML Configuration ID] (optional - see note below)
    Name ID formatEMAIL
    Name IDBasic Information > Primary email

    Important: The Start URL is optional but if you want to support IdP-initiated login flows, it MUST be set to your exact SAML configuration ID (not a placeholder). If set incorrectly, SSO will not work. You’ll get this ID after creating the SAML configuration in Probo.

  9. Click Continue

  10. Configure the attribute mappings:

    Google Directory attributesApp attributes
    Basic Information > Primary emailemail
    Basic Information > First namefirstName
    Basic Information > Last namelastName

  11. Click Finish

  12. In the app list, click on your Probo app

  13. Click User access

  14. Select ON for everyone or configure specific organizational units

  15. Click Save

Configure Probo

Section titled “Configure Probo”

  1. Log in to Probo as an organization administrator

  2. Go to Organization SettingsAuthenticationSAML

  3. Click Add SAML Configuration

  4. Configure the basic settings:

    FieldValueNotes
    Email Domainyour-company.comYour organization’s email domain
    Enforcement PolicyOPTIONALRecommended for initial setup

  5. Configure the Identity Provider settings with values from Google Workspace:

    FieldValueNotes
    IdP Entity IDhttps://accounts.google.com/o/saml2?idpid=XXXXXXXXXCopy from Google Workspace setup
    IdP SSO URLhttps://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXXCopy from Google Workspace setup
    IdP Certificate[X.509 Certificate text]Paste the certificate from Google

  6. Configure the attribute mappings:

    FieldValueNotes
    Email AttributeemailMaps to user email
    First Name AttributefirstNameMaps to user first name
    Last Name AttributelastNameMaps to user last name
    Role Attribute[Leave empty]Unless you’ve configured custom attributes

  7. Configure user settings:

    FieldValueNotes
    Auto SignupEnabledAllows new users to sign up automatically via SSO

  8. Click Save Configuration (the configuration will be created but not yet enabled)

  9. Copy the SAML Configuration ID - you’ll see a unique configuration ID (e.g., saml_config_1a2b3c4d) that you’ll need for updating the Start URL in Google Workspace

Update Google Workspace Start URL

Section titled “Update Google Workspace Start URL”

Now that you have the SAML configuration ID from Probo:

  1. Return to Google Admin Console
  2. Go to AppsWeb and mobile appsProbo
  3. Click SAML attribute mapping
  4. Update the Start URL field with your SAML configuration ID (e.g., saml_config_1a2b3c4d)
  5. Click Save

This enables IdP-initiated login flows, allowing users to click on Probo from their Google Workspace app launcher.

Troubleshooting

Section titled “Troubleshooting”

”App isn’t verified” Error

Section titled “”App isn’t verified” Error”
  • Cause: Google Workspace app not enabled for users
  • Solution: Enable the app for all users or specific organizational units in Google Admin Console

”Access blocked” Error

Section titled “”Access blocked” Error”
  • Cause: User not in allowed organizational units
  • Solution: Check Google Workspace user access settings and ensure users are in the correct organizational units

”Invalid SAML Response” Error

Section titled “”Invalid SAML Response” Error”
  • Cause: Incorrect ACS URL or Entity ID configuration
  • Solution: Verify URLs match exactly between Google Workspace and Probo:
    • ACS URL: https://your-probo-domain.com/connect/saml/consume
    • Entity ID: https://your-probo-domain.com/connect/saml/metadata

Attributes Not Mapping

Section titled “Attributes Not Mapping”
  • Cause: Incorrect attribute names in Probo configuration
  • Solution: Use exact attribute names: email, firstName, lastName

Debugging Steps

Section titled “Debugging Steps”

Check Google Workspace Logs

Section titled “Check Google Workspace Logs”
  1. Go to Google Admin Console → ReportingAudit and investigationSAML apps
  2. Look for failed authentication attempts
  3. Check error messages and timestamps for debugging clues

Verify Certificate Format

Section titled “Verify Certificate Format”

Ensure the certificate is properly formatted without line breaks:

-----BEGIN CERTIFICATE-----
[Certificate content without line breaks]
-----END CERTIFICATE-----

Test Metadata URL

Section titled “Test Metadata URL”

If using metadata URL, test it in a browser to ensure it returns valid XML:

https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX

Should return valid XML metadata response.

Advanced Configuration

Section titled “Advanced Configuration”

Custom Attributes

Section titled “Custom Attributes”

To map additional Google Workspace attributes:

  1. In Google Admin Console, go to DirectoryUsers
  2. Add custom attributes to user profiles
  3. In Probo SAML configuration, map these custom attributes

Multiple Domains

Section titled “Multiple Domains”

To support multiple email domains:

  1. Create separate SAML configurations for each domain
  2. Use the same Google Workspace IdP settings
  3. Verify each domain separately

Organizational Units

Section titled “Organizational Units”

Restrict SSO to specific organizational units in Google Workspace:

  1. In the Probo app settings, select Limited access
  2. Choose specific organizational units
  3. Only users in those units will be able to use SSO