Google Workspace SSO Setup
Configure SAML-based Single Sign-On with Google Workspace (formerly G Suite).
Prerequisites
- Google Workspace account with Super Admin access
- Propper organization admin access
- Users must have Google Workspace accounts in your organization
Step 1: Create a Custom SAML App
- Sign in to the Google Admin Console
- Navigate to Apps > Web and mobile apps
- Direct link: Web and mobile apps
- Click Add app > Add custom SAML app
- Enter an app name (e.g., "Propper") and optionally upload a logo
- Click Continue
Step 2: Download IdP Metadata
On the Google Identity Provider details page, you'll see your IdP information:
- Copy and save the following values:
- SSO URL - You'll need this for Propper
- Entity ID - You'll need this for Propper
- Click Download Certificate to save the X.509 certificate
- Alternatively, click Download Metadata to get the XML file
- Click Continue
Keep this information secure. The certificate is used to verify the authenticity of SAML responses.
Step 3: Configure Service Provider Details
Enter the following Propper SP details:
| Field | Value |
|---|---|
| ACS URL | https://auth.propper.ai/saml/acs |
| Entity ID | urn:propper:sp:auth |
| Start URL | https://app.propper.ai/login (optional) |
| Name ID format | EMAIL |
| Name ID | Basic Information > Primary email |
The Start URL is optional and specifies where users land after IdP-initiated login.
Click Continue
Step 4: Configure Attribute Mapping
Map Google user attributes to Propper attributes:
- Click Add Mapping for each attribute below:
| Google Directory Attribute | App Attribute |
|---|---|
| Primary email | email |
| First name | firstName |
| Last name | lastName |
Optional: Group Membership (for Role Mapping)
To enable group-based role assignment:
- Click Add Mapping
- Select Group membership as the Google Directory attribute
- Enter "groups" as the App attribute
- Configure which groups to include
Group membership mapping requires a Google Workspace Business, Enterprise, or Education edition.
Click Finish
Step 5: Enable the App for Users
By default, the app is off for all users. You need to enable it:
- In the app settings, find the User access section
- Click on User access or the status indicator
- Choose one of the following:
- ON for everyone - All users in your organization can use SSO
- ON for selected organizational units - Only specific OUs can use SSO
- ON for selected groups - Only specific groups can use SSO
- Click Save
For initial testing, enable SSO for a small group of users before rolling out to the entire organization.
Step 6: Configure Propper
- Log in to Propper as an organization admin
- Go to Settings > Security > SSO
- Click Configure SSO or Edit Configuration
- Select Google Workspace as the provider
Enter IdP Details
Using the information from Step 2:
| Propper Field | Google Value |
|---|---|
| IdP Entity ID | Entity ID from Step 2 |
| SSO URL | SSO URL from Step 2 |
| Certificate | Contents of the downloaded certificate file |
Open the downloaded certificate file in a text editor and copy the entire contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Click Save Configuration
Step 7: Test the Connection
- In Propper SSO settings, click Test Connection
- A new window will open with the Google login page
- Sign in with a user who has access to the SAML app
- If successful, you'll be redirected back to Propper
Test in an incognito/private browser window to ensure you're testing a fresh authentication flow.
Testing IdP-Initiated Login
You can also test login starting from Google:
- Go to myapps.google.com
- Find the Propper app tile
- Click it to initiate SSO login
Optional: Enable JIT Provisioning
To automatically create Propper accounts for new SSO users:
- In Propper SSO settings, enable Just-In-Time Provisioning
- Select a Default Role for new users
- Optionally, configure Allowed Domains to restrict which email domains can be provisioned
- If using group claims, configure Role Mappings to assign roles based on Google groups
Optional: Enforce SSO
To require SSO for all users:
- First, verify your email domain in Propper
- Enable SSO Enforcement for the verified domain
- Add admin email addresses to the Bypass List to prevent lockout
Always add at least one admin to the bypass list before enabling enforcement.
Troubleshooting
Error: "This app is turned off"
- The SAML app hasn't been enabled for the user
- Go to Admin Console > Apps > Web and mobile apps > [Your App] > User access
- Enable the app for the user's organizational unit or group
Error: Invalid Signature
- The certificate in Propper may be outdated
- Download the latest certificate from Google Admin Console
- Update the certificate in Propper SSO settings
Error: User attribute missing
- Ensure all required attributes are mapped in Step 4
- Verify the user has values for First name and Last name in Google Workspace
- Check that Primary email is set correctly
Error: Audience/Entity ID mismatch
- Verify the Entity ID in Google exactly matches urn:propper:sp:auth
- Check for extra spaces or case mismatches
Error: Reply URL mismatch
- Verify the ACS URL exactly matches https://auth.propper.ai/saml/acs
- Ensure there are no typos
Users don't see the app in their launcher
- The app may not be enabled for their organizational unit
- Check the User access settings in Admin Console
- It can take up to 24 hours for changes to propagate
Error: "SAML response was invalid"
- Check that the Name ID format is set to EMAIL
- Verify the Name ID source is set to Primary email
- Ensure the certificate hasn't expired
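Several of the errors above can be narrowed down by inspecting a decoded SAML response captured during a test login. The following Python script is an added example, not Propper or Google code: it compares the response against the Step 3 and Step 4 values, and assumes an unencrypted assertion, the standard SAML Destination attribute and the standard emailAddress Name ID format URN; the sample response and the function name triage are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ACS = "https://auth.propper.ai/saml/acs"      # ACS URL from Step 3
EXPECTED_AUDIENCE = "urn:propper:sp:auth"              # SP Entity ID from Step 3
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")    # App attributes from Step 4

# Constructed sample response: trailing space in the audience, wrong Name ID
# format, and no lastName attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://auth.propper.ai/saml/acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:propper:sp:auth </saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def triage(response_xml):
    """Return troubleshooting findings; an empty list means the checked fields match.

    Diagnostic only: no signature or time-window validation happens here.
    """
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != EXPECTED_ACS:
        problems.append(f"Reply URL mismatch: Destination={root.get('Destination')!r}")
    # Exact comparison on purpose; repr() makes stray spaces and case changes visible.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience/Entity ID mismatch: {audiences!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not EMAIL")
    values = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS) if v.text]
              for a in root.findall(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not values.get(name):
            problems.append(f"User attribute missing: {name}")
    return problems
```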
Certificate Rotation
Google Workspace certificates expire periodically. To rotate:
- Go to Admin Console > Apps > Web and mobile apps > [Your App]
- Download the new certificate
- Update the certificate in Propper SSO settings
- Test the connection to verify the new certificate works
Google typically provides advance notice before certificates expire. Set a calendar reminder to rotate certificates before expiration.