Skip to main content
Google Workspace SSO is SAML-only for third-party apps — Google’s OIDC implementation is tied to their Workspace sign-in surface rather than an arbitrary relying party. Use SAML 2.0. Before you start, grab your SAML ACS URL and SAML Entity ID from the Endpoints for your IdP card on the Quippy admin portal.

1. In Google Workspace

  1. Open the Google Admin console.
  2. Apps → Web and mobile apps → Add app → Add custom SAML app.
  3. Name the app “Quippy”. Upload a logo if you like. Continue.
  4. Google Identity Provider details — click Download metadata (you’ll paste this XML into Quippy) or copy the three fields individually:
    • SSO URL
    • Entity ID
    • Certificate (download the PEM)
  5. Service provider details:
    • ACS URL — the SAML ACS URL from Quippy.
    • Entity ID — the SAML Entity ID from Quippy.
    • Name ID formatEMAIL.
    • Name IDBasic Information > Primary email.
  6. Attribute mapping — optional, but add any group attributes you plan to map to roles (see Group → role mapping in the Quippy SSO page).
  7. Turn the app ON for everyone (or for the relevant OUs).
Google Admin console — Add custom SAML app → Service provider details.

2. In Quippy

In the admin portal’s SSO page, pick SAML 2.0, then paste:
Quippy fieldValue from Google
IdP Entry PointSSO URL from Google’s IdP details
IdP Entity IDEntity ID from Google’s IdP details
Signing CertificateThe PEM certificate Google let you download
Signature AlgorithmSHA-256
Use the mapping above. This is what Google Workspace supports for third-party apps.

3. Test connection

Click Test connection. Quippy fetches the IdP Entry Point and checks the response looks like SAML metadata (contains EntityDescriptor or IDPSSODescriptor). Once green, enable SSO. Keep a backup admin until your first SSO sign-in succeeds.

Common gotchas

Even with SAML configured, users whose Org Unit doesn’t have the app enabled will fail sign-in. Toggle the app ON for the relevant OUs.
Name ID should be EMAILBasic Information > Primary email. If it’s set to something like “Unique ID”, user provisioning in Quippy can fail because we match on email.
Copy the certificate as plain text, PEM-formatted. Editors on Windows sometimes introduce \r\n line endings that break cert parsing.