💡 Heads-up: SSO is enforced per organization. After we enable SSO for your organization, sign-in becomes SSO-only. The only exception is the organization owner, who retains previous login methods to avoid being locked out.
Existing users are deleted or unlinked from your workspaces.
From then on, you can invite only users managed through your company's SSO provider (in this case, Google Workspace).
What you’ll do in Google Admin console (Steps 1–6)
Step 1 — Create a custom SAML app
Open Admin console → Apps → Web and mobile apps.
Add app → Add custom SAML app.
Give the app a recognizable name (e.g., Certifier) and proceed to the next step.
Step 2 — Get IdP metadata
On Google Identity Provider details, click DOWNLOAD METADATA button and save the XML (you’ll send it to us in Step 7).
Step 3 — Service provider details (important)
Fill in exactly:
ACS URL (Single sign-on URL):
https://auth.certifier.io/saml2/idpresponse
Entity ID (Audience):
urn:amazon:cognito:sp:eu-west-1_OetDJugrc
Start URL: (leave empty)
Name ID format: Email
Name ID: Primary email
Step 4 — Attribute mapping
Add the following mappings:
First name →
firstName
Last name →
lastName
Primary email →
email
Step 5 — User access
Assign the app to users/groups who should access Certifier (entire org or specific groups).
⚠️ Remember to assign users before inviting them in the Certifier app.
If a user is added to the Certifier SAML app in Google Admin console but they are not invited in Team Members section of the Certifier app by the time they try to log in, the log in attempt will fail.
Step 6 — Save
Save your SAML app.
Send us your metadata
Step 7 — Share your IdP metadata
Send the Metadata XML (from Step 2) to Certifier Support. We’ll take it from here.
What we (Certifier) do next
Step 8 — Certifier completes the setup
Once we receive your metadata, we finish the configuration on our side and notify you when it’s ready.
Inviting & signing in
Step 9 — Invites in Certifier
Before inviting anyone, ensure they’re assigned to the Google SAML app (Step 5).
When ready, invite your users through the Team Members section of the Certifier app.
In SSO-enforced orgs, only SSO users can be invited.
Step 10 — User sign-in flow
Users will be able to sign in via Sign in with SSO in Certifier app login screen:
Click Continue with SSO to open your company’s login page. After you sign in, you’ll return to Certifier already signed in.
And we're done!
Quick reference (copy/paste)
Google Admin → Service provider details
Single sign-on URL (ACS): <https://auth.certifier.io/saml2/idpresponse> Entity ID (Audience): urn:amazon:cognito:sp:eu-west-1_OetDJugrc Name ID format: Email Name ID: Primary email
Google Admin → Attribute mapping
email = Primary email firstName = First name lastName = Last name
Send to Certifier Support
IdP Metadata XML
Troubleshooting tips
User can’t sign in? Confirm they’re assigned to the SAML app in Google (Step 5), then re-try.
Name missing after first login? Ensure Google Directory has First/Last name populated and the attributes are properly mapped.
“No SSO provider for this email”: Invite the user to a workspace in the Team Members section and ensure the email matches what’s in Google Workspace.