Google Workspace
This guide covers how to configure Google Workspace ↗ as a SAML application in Cloudflare Zero Trust.
Before you begin, you need:
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a Google Workspace account
In Zero Trust ↗, go to Access > Applications.
Select SaaS application.
Fill in the following information:
- Application: Google.
- Entity ID: Use the value provided to you by Google when configuring your SAML SSO provider ↗. Google sends this value as the issuer of its sign-in requests, so it has to match what Google is configured to send: the standard google.com, or google.com/a/<your_domain.com> if you enable Use a domain specific issuer in the Google Admin console.
- Assertion Consumer Service URL: https://www.google.com/a/<your_domain.com>/acs, where <your_domain.com> is your Google Workspace domain.
- Name ID Format: Email.
Create an Access policy for your application. For example, you could allow users with an @your_domain.com email address.
Copy the SSO endpoint, Access Entity ID or Issuer, and Public key. These values will be used to configure Google Workspace.
Save the application.
Copy your Public key and paste it into a text editor.
Wrap the certificate in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. For example:
-----BEGIN CERTIFICATE-----
<public_key_copied_from_zero_trust>
-----END CERTIFICATE-----
Set the file extension as .crt and save. Google will use this certificate to verify the signature on every SAML response Cloudflare Access sends it, so the key material must be copied exactly, with nothing truncated or altered.
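The wrapping step above is easy to get subtly wrong (a missing trailing character, stray whitespace, armor pasted twice), and Google only reports the failure later as an unverifiable-credentials error. The script below is an added example, not part of the Cloudflare documentation: it takes the pasted Public key, strips any whitespace or existing armor, checks that it is valid base64 and that the decoded bytes carry a consistent ASN.1 SEQUENCE header (every X.509 certificate starts with one), and writes a correctly folded PEM .crt file. It assumes the value copied from Zero Trust is a base64-encoded DER certificate and uses only the Python standard library; the embedded sample is a constructed placeholder blob, not a real certificate, and you would replace it with the key copied from your own application.

```python
"""Wrap the Cloudflare Access public key into a .crt file for Google Workspace.

Added example, not Cloudflare's or Google's code. Assumption: the Zero Trust
"Public key" field contains a base64-encoded DER X.509 certificate.
"""
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def normalize_base64(raw: str) -> str:
    """Strip existing PEM armor and all whitespace from a pasted key."""
    body = raw.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    return re.sub(r"\s+", "", body)


def der_declared_length(der: bytes) -> int:
    """Return the total byte length the outer DER SEQUENCE header claims.

    Raises ValueError if the blob does not start with an ASN.1 SEQUENCE (0x30),
    which every X.509 certificate does, or if the length header is malformed.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE; X.509 certificates start with 0x30")
    first = der[1]
    if first < 0x80:                       # short-form length: one byte
        return 2 + first
    num_len_bytes = first & 0x7F           # long-form: next N bytes hold the length
    if num_len_bytes == 0 or len(der) < 2 + num_len_bytes:
        raise ValueError("malformed DER length header")
    content_len = int.from_bytes(der[2:2 + num_len_bytes], "big")
    return 2 + num_len_bytes + content_len


def wrap_public_key_as_pem(raw: str) -> str:
    """Build the PEM text to save as the .crt uploaded as Google's verification certificate."""
    b64 = normalize_base64(raw)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key is not valid base64: {exc}") from exc
    declared = der_declared_length(der)
    if declared != len(der):
        raise ValueError(
            f"truncated or padded certificate: header says {declared} bytes, got {len(der)}"
        )
    # PEM bodies are base64 folded at 64 columns (RFC 7468).
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def is_valid_pem_cert(pem: str) -> bool:
    """Re-check a saved .crt: armor present, body decodes, DER length is consistent."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
        return der_declared_length(der) == len(der)
    except (binascii.Error, ValueError):
        return False


# Constructed sample: a bare DER SEQUENCE (tag 0x30, long-form length 0x82 0x01 0x00
# = 256 content bytes). It is NOT a real certificate and only exercises the checks;
# replace it with the Public key copied from your Zero Trust application.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_PUBLIC_KEY = base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    pem = wrap_public_key_as_pem(SAMPLE_PUBLIC_KEY)
    with open("cloudflare-access.crt", "w", encoding="ascii") as fh:
        fh.write(pem)
    print(pem)
```

Run it with the real key pasted in place of SAMPLE_PUBLIC_KEY and upload the resulting cloudflare-access.crt as the verification certificate. If the key was copied incompletely, the length check fails before you ever reach the Google error in the troubleshooting section.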
- Log in to your Google Admin console ↗.
- Go to Security > Authentication > SSO with third party IdP.
- Select Third-party SSO profile for your organization.
- Enable Set up SSO with third-party identity provider.
- Fill in the following information:
  - Sign-in page URL: Copy and then paste your SSO endpoint from Zero Trust.
  - Sign-out page URL: https://<team-name>.cloudflareaccess.com/cdn-cgi/access/logout, where <team-name> is your Zero Trust team name.
  - Verification certificate: Upload the .crt file containing your public key.
  - (Optional) Enable Use a domain specific issuer. If you select this option, Google sends an issuer specific to your Google Workspace domain (google.com/a/<your_domain.com> instead of the standard google.com). Whichever issuer Google sends must match the Entity ID you entered for the application in Zero Trust.
- In your Google Admin console ↗, go to Apps > Google Workspace > Gmail > Setup.
- Copy your Gmail Web address.
- Open an incognito browser window and go to your Gmail web address (for example, https://mail.google.com/a/<your_domain.com>).
An Access login screen should appear.
Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."
Google shows this error when it cannot verify the signature on the SAML response against the verification certificate you uploaded, which usually means the certificate does not correspond to the key Cloudflare Access signs with. Confirm that your .crt file contains the current Public key of the Zero Trust application, copied in full with nothing truncated or altered and wrapped in the BEGIN/END CERTIFICATE lines, and upload it again.
