This article is produced by scandiweb

scandiweb is the most certified Adobe Commerce (Magento) team globally, being a long-term official Adobe partner specializing in Commerce in EMEA and the Americas. eCommerce has been our core expertise for 20+ years.

How to set up SSO for Google Apps using SAML and Keycloak

Following the success of the article about Amazon AWS and Keycloak, we would like to share an article on configuring SSO access to Google Apps using SAML protocol and Keycloak as an Identity Provider.

Note: Solution outlined in the current article was developed for Keycloak V.3. Please, feel free to contact us in case you have additional questions regarding the set up, of require assistance with you Google Apps project.

Read the step-by-step guide below:

Setting up Keycloak

  1. First — create a new SAML client in Keycloak:

Google SAML client configuration in Keycloak. Google SAML client configuration in Keycloak.

I haven’t found a saml-metadata.xml file for Google as a service provider, which you can import into Keycloak, so you have to set all client options manually.

  1. After initial client setup, go to “Mappers” and create an “email” mapper:

This mapper will be used in SAML assertion to Google Apps, when SSO session between Keycloak and Google Apps will be initiated.

  1. Finally, go to “Installation” tab of the Google SAML client settings, and select:

    “Format Option” — “SAML Metadata IDPSSODescriptor”.

  2. Copy the X509 certificate, which is located between



This is the certificate which we will upload to Google Apps.

  1. Now, Google SAML client is ready for usage.

Google Apps SSO setup

For users to be able to access Google Apps using SSO and Keycloak, they’ll need to have an “email” attribute which corresponds with Google Apps user’s email address.

For example:

Keycloak user directory has a user with “email” attribute set to


For this user to be able to access your Google Apps domain using Keycloak SSO, he needs to have an Google Apps user with


email address.

To setup Google Apps SSO, go to Admin control panel for your Google Apps domain.

  1. Go to “Security” -> “Set up single sign on (SSO)”
  2. Check

    “Setup SSO with third party identity provider”


  1. In “Sign-in page URL” enter “Base URL” you’ve setup in Keycloak Google SAML client:


  2. For “Sign-out” page URL, you can set it to any URL you need.

In my case, I’ve set it to


  1. Upload your X509 certificate from Google SAML client from Keycloak.
  2. Also, check

    “Use a domain specific issuer”


This checkbox will enable SSO specifically for your Google Apps domain.

Goole Apps SAML configuration.Goole Apps SAML configuration.

And, that is it!

Now, when you go to your Google SAML client in Keycloak, and press the “Base URL”, for example:


You should be redirected to Keycloak authentication portal, and after you authenticate, you’ll be redirected to your Google Apps account.

Also, you can access specific Google Apps using SSO, directly from web browser.

For example:

If you enter in location bar —


You’ll be redirected to Keycloak for authentication, and after you authenticate, you’ll be redirected to specific google app.

Still having trouble setting SSO authentification for Google Apps? Looking for tech assistance? You’ve come to the right place. Scandiweb is the most certified Magento agency in the world with more than a decade of experience under its belt. We’re here to help, so if you have any questions – drop us a line at [email protected] or check out our Technology services page.

Related articles:

Need help with your eCommerce?

Get in touch for a free consultation to discuss your business and explore how we can help.

Your request will be processed by

If you enjoyed this post, you may also like