Skip to main content

SSO with Google Workspace

This guide explains how to set up Single Sign-On (SSO) with Google Workspace in Certifier.

Caroline Tyrko avatar
Written by Caroline Tyrko
Updated this week

💡 Heads-up: SSO is enforced per organization. After we enable SSO for your organization, sign-in becomes SSO-only. The only exception is the organization owner, who retains previous login methods to avoid being locked out.

Existing users are deleted or unlinked from your workspaces.

From then on, you can invite only users managed through your company's SSO provider (in this case, Google Workspace).

What you’ll do in Google Admin console (Steps 1–6)

Step 1 — Create a custom SAML app

  1. Open Admin console → Apps → Web and mobile apps.

  2. Add app → Add custom SAML app.

  3. Give the app a recognizable name (e.g., Certifier) and proceed to the next step.

Step 2 — Get IdP metadata

On Google Identity Provider details, click DOWNLOAD METADATA button and save the XML (you’ll send it to us in Step 7).

Step 3 — Service provider details (important)

Fill in exactly:

  • ACS URL (Single sign-on URL): https://auth.certifier.io/saml2/idpresponse

  • Entity ID (Audience): urn:amazon:cognito:sp:eu-west-1_OetDJugrc

  • Start URL: (leave empty)

  • Name ID format: Email

  • Name ID: Primary email

Step 4 — Attribute mapping

Add the following mappings:

  • First namefirstName

  • Last namelastName

  • Primary emailemail

Step 5 — User access

Assign the app to users/groups who should access Certifier (entire org or specific groups).

⚠️ Remember to assign users before inviting them in the Certifier app.

If a user is added to the Certifier SAML app in Google Admin console but they are not invited in Team Members section of the Certifier app by the time they try to log in, the log in attempt will fail.

Step 6 — Save

Save your SAML app.

Send us your metadata

Step 7 — Share your IdP metadata

Send the Metadata XML (from Step 2) to Certifier Support. We’ll take it from here.

What we (Certifier) do next

Step 8 — Certifier completes the setup

Once we receive your metadata, we finish the configuration on our side and notify you when it’s ready.

Inviting & signing in

Step 9 — Invites in Certifier

Before inviting anyone, ensure they’re assigned to the Google SAML app (Step 5).

When ready, invite your users through the Team Members section of the Certifier app.

In SSO-enforced orgs, only SSO users can be invited.

Step 10 — User sign-in flow

Users will be able to sign in via Sign in with SSO in Certifier app login screen:

Click Continue with SSO to open your company’s login page. After you sign in, you’ll return to Certifier already signed in.

And we're done!

Quick reference (copy/paste)

Google Admin → Service provider details

Single sign-on URL (ACS): <https://auth.certifier.io/saml2/idpresponse> Entity ID (Audience):     urn:amazon:cognito:sp:eu-west-1_OetDJugrc Name ID format:           Email Name ID:                  Primary email

Google Admin → Attribute mapping

email     = Primary email firstName = First name lastName  = Last name

Send to Certifier Support

  • IdP Metadata XML

Troubleshooting tips

  • User can’t sign in? Confirm they’re assigned to the SAML app in Google (Step 5), then re-try.

  • Name missing after first login? Ensure Google Directory has First/Last name populated and the attributes are properly mapped.

  • “No SSO provider for this email”: Invite the user to a workspace in the Team Members section and ensure the email matches what’s in Google Workspace.

Did this answer your question?