# Setting Up Google SSO

This document outlines the steps required to set up Google SSO with StepSecurity.

StepSecurity uses AWS Cognito as the service provider for the SSO experience.

### Setup Instructions

#### Step 1: Access Google Admin Console

* Log in to your Google Workspace as an Administrator.
* From the left sidebar, navigate to:

  > Apps → Web and mobile apps

<figure><img src="/files/AIuTMj1SwPv6c9fNvicq" alt="" width="346"><figcaption></figcaption></figure>

#### Step 2: Add a New Custom SAML App

* Click **Add App** ➔ **Add custom SAML app**.

<figure><img src="/files/5vAniHGnykqpvi3xPhlA" alt=""><figcaption></figcaption></figure>

#### Step 3: Configure App Details

* **Name** the app: `StepSecurity`
* (Optional) Add a **description** and upload the **StepSecurity logo**:\
  [StepSecurity Logo](https://stepsecurity-public-media.s3.us-west-2.amazonaws.com/media/step-security-logo.png)

<figure><img src="/files/GZGmTOK6kdFsNDUtWpdY" alt=""><figcaption></figcaption></figure>

#### Step 4: Download Google SAML Metadata

* **Download the metadata** file provided during this step.
* **Securely share** the metadata file with StepSecurity.

<figure><img src="/files/2MIgJ15TpjAkobTUC9SH" alt=""><figcaption></figcaption></figure>

#### Step 5: Enter Service Provider Details

* In the StepSecurity app, navigate to Admin Console → Security & Auth → Configure SSO → Google Workspace.

<figure><img src="/files/jVPIwoNfdUXMLmNtpJYU" alt=""><figcaption></figcaption></figure>

* Copy the values displayed there and enter them in the corresponding fields on the "Service Provider Details" page.

<figure><img src="/files/zgcZcAFFNCo2zYlKNELm" alt=""><figcaption></figcaption></figure>

#### Step 6: Map Identity Attributes

{% hint style="info" %}
**Important**: If any changes are made to SSO group membership in Okta (for example, adding or removing a user from a group), the affected user must log out and log back in to StepSecurity for the updated group access and role mappings to take effect immediately; otherwise, the changes will be reflected once the SSO session is renewed.
{% endhint %}

* In the "Attribute Mapping" section:
  * Map **Primary Email** ➔ **email**.
* Under `Group membership`, add the user groups that will be assigned to this app and map them to the 'Groups' attribute. This enables StepSecurity’s SCIM-like functionality — for example, you can use Google Workspace groups and map them to roles in the StepSecurity dashboard.

{% hint style="danger" %}
**You should only pass specific groups to the StepSecurity platform. If the app passes *all* group memberships, it may exceed the maximum request body size.**
{% endhint %}

* After completing the mapping, click **Finish** to complete app creation.

<figure><img src="/files/3BPLoAqhfkIdFxCx00J2" alt=""><figcaption></figcaption></figure>

#### Step 7: Enable the SAML App

* On the created SAML app's page:
  * First, set the app to **OFF for everyone**.
  * Then switch it **ON for everyone**.
  * Click **Save** to apply changes.

#### Step 8: Verification and Finalization

* In the StepSecurity app, provide the Email Domains and the Metadata file, then submit the configuration.

<figure><img src="/files/QM7uFaFAhlPLxstsYoVE" alt=""><figcaption></figcaption></figure>

* On the StepSecurity Security & Auth page, you can test the integration.

<figure><img src="/files/ABoc9OKKnx1S1DE3gjIA" alt=""><figcaption></figcaption></figure>

* After setup:
  * Users can log in by entering their email under the "**Sign in with your corporate ID**" section on the StepSecurity login page.

<figure><img src="/files/goaiC4nHF2d2tKQrQOzl" alt=""><figcaption></figcaption></figure>

#### Step 9 (Optional): Access the StepSecurity Console Directly from the Google App

* To get your RelayState value, go to the StepSecurity app and navigate to Admin Console → Security & Auth → Configure SSO → Microsoft Entra ID → Step 4.

<figure><img src="/files/HRtIseMFN0EW8Ts1bznM" alt=""><figcaption></figcaption></figure>

* In Google Admin:
  * Go to Apps → Web and mobile apps → StepSecurity app → Service provider details, then enter the URL under Start URL.

<figure><img src="/files/jdBsg0Zhxlgm28KY2gUt" alt=""><figcaption></figcaption></figure>


