Setting Up WWPass SAML With Google Workspace
This guide explains how to configure Google Workspace (formerly G Suite) to use WWPass as a SAML Identity Provider (IdP) for authentication.
It covers setting up the SAML connector in the WWPass management portal, configuring SAML in the Google Admin console, exchanging metadata with WWPass, mapping user attributes, and testing the setup.
Overview
In this integration WWPass acts as the SAML Identity Provider (IdP) and Google Workspace is configured as a SAML Service Provider (SP). Users signing in to Google Workspace (or apps protected by Google Workspace SSO) will authenticate using WWPass.
Prerequisites
Before you begin, ensure you have an active Google Workspace subscription and administrator-level access to configure SAML.
You must be able to create DNS records for your Google Workspace domain or upload a verification file to your domain's web server to verify the domain with WWPass.
Step 1 — Add SAML profile in Google Workspace
-
Sign in to the Google Workspace Admin console at https://admin.google.com/.
-
Go to Security → Authentication → SSO with third‑party IdP, then click ADD SAML PROFILE.
-
Enter a name for the SSO profile (for example, "WWPass SAML").
-
In the Autofill Email section, choose Do not use login hints.
-
In the IdP details section, set the following parameters:
Parameter Value IdP Entity ID https://saml.wwpass.com Sign‑in page URL https://saml.wwpass.com/saml/sso Sign‑out page URL https://saml.wwpass.com/saml/slo Leave the Change Password URL blank. Do not upload any verification certificates at this stage.
-
Click Save.
Google Workspace will save the SAML configuration and display the SAML SSO provider details. Do not close this page; you will need the Entity ID and ACS URL shown in the SP details section later to configure the WWPass SAML Connector.
Step 2 — Configure WWPass SAML Connector
- Log in to the WWPass management portal with your WWPass Key. If this is the first time you are using the management portal, an account will be created automatically for you.
- Once logged in, click Add new Application.
- Choose a friendly name for your application so it is easy to identify later in the dashboard (for example, GW SAML (mydomain.com)), then click Next.
- Choose SAML 2.0 and click Next.
- Scroll to the Manual Configuration section and copy the Entity ID and Assertion Consumer Service (ACS) URL from the SP details on the SAML SSO Provider details page from the previous step.
- Click Create SAML integration.
- On the next page you must choose a domain for your SAML integration. This domain name will be displayed to users during authentication. For testing, you can use a technical domain name provided by WWPass. In production, your domain should match the domain used in Google Workspace. To use a real domain, choose Add new domain, enter the domain name, click Continue, and follow the instructions to complete domain verification. Once the domain is verified, you can use it with your SAML integration.
- After domain verification (or after choosing a technical domain), a SAML Identity Provider configuration page is shown.
- Click Edit settings, scroll down to Protocol Settings, and set Name ID Format to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
- Check email in the Attributes -> Required Attributes section.
- Click Save settings.
- Scroll down to the IdP Certificate section and click Download certificate.
- Return to the Google SAML SSO Provider details page, open the IdP details section, and choose UPLOAD CERTIFICATE to upload the certificate you downloaded. Once the certificate is uploaded, click SAVE.
Step 3 — Configure SSO Profile Assignments
To enable users to sign in to Google Workspace with the SAML IdP you created, an SSO profile assignment should be created. Google Workspace allows assigning SSO profiles to individual users, groups, or organizational units (OUs). For testing, assign the profile to a small set of users or a test group.
Note: SSO profiles cannot be assigned to Google Workspace administrator accounts. Administrator accounts always authenticate directly with Google Workspace and can still access the Admin console if the SAML IdP is unavailable.
- Sign in to the Google Workspace Admin console at https://admin.google.com/.
- Go to Security → Authentication → SSO with third‑party IdP, then click MANAGE in the Manage SSO profile assignments section.
- Select a user, group, or organizational unit on the left, then choose the SSO profile on the right.
- Select "Have Google prompt for their username, then redirect them to this profile's IDP sign-in page" and click SAVE.
- Users in the selected scope will be redirected to the WWPass SAML IdP at their next login.
Note: You can create multiple SSO profile assignments for a single SAML IdP in Google Workspace. See Google's documentation for details.
Step 4 — Test Login
- Open an incognito browser window.
- Navigate to https://accounts.google.com/ and attempt to sign in with a user for whom the WWPass SAML IdP was assigned in the previous step.
- You should be redirected to the WWPass SAML IdP SSO page.
- Authenticate using your WWPass Key.
- If this is the first time you sign in via the WWPass SAML IdP, you will be prompted to verify your email address. Use the email address associated with the Google Workspace account.
- After successful authentication, you should be redirected back to Google and signed in.
If sign-in fails, collect the SAML response (browser SAML tracer add-on or developer tools) and inspect the Status and Assertion.
Troubleshooting tips
- Use browser SAML trace extensions (for example: SAML-tracer for Google Chrome) to capture the SAML request/response and verify fields;
- If Google shows the error page, note the exact error text and check the Admin console's SAML app logs for details.
Rollout and best practices
- Test with a small OU before enabling for the entire domain;
- Use a dedicated test user account with varied attributes to make sure mappings work consistently;
- Rotate certificates and metadata according to your security policy and update both sides.
Contact and support
If you need assistance with WWPass SAML Connector configuration, contact WWPass support at support@wwpass.com. Provide SAML logs and metadata to speed up diagnosis.