# Use Google as your Identity Provider

## Overview

After enabling Onum as a service provider, you can set up Google as an identity provider for SAML. You need to create a SAML app in your Google Admin Console in order to register your **Callback URL** so Google can send SAML responses to the right place.

## Set up your custom SAML app

{% hint style="warning" %}
To activate Google as an identity provider for SAML authorization, you need a Google administrator account.
{% endhint %}

{% stepper %}
{% step %}
Log in to your [Google Admin Console](https://admin.google.com/ac/accountchooser?continue=https://admin.google.com/?utm_source%3Dchatgpt.com). In the left menu, go to **Apps > Web and mobile apps**.
{% endstep %}

{% step %}
Click **Add App > Add custom SAML app**. Enter a name for the app (e.g., *MyApp SAML SSO*) and optionally, upload an app icon. Click **Continue**.
{% endstep %}

{% step %}
On the **Google Identity Provider details** page, you'll see the setup information you’ll need to enter in Onum:

* **SSO URL**
* **Entity ID**
* **Certificate**

Copy/download all of them and click **Continue**.
{% endstep %}

{% step %}
Now access Onum and go to the **Authentication** area in your Admin menu. Once there, click the **Configure Single-Sign-On** button and select **SAML** in the **Authentication method** field. Enter the following in the fields that appear:

<table><thead><tr><th width="169.69140625">Parameter</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>IdP Entity ID</strong></td><td>Enter the <strong>Entity ID</strong> you copied in your Google Admin Console.</td><td></td></tr><tr><td><strong>Single Sign-On URL</strong></td><td>Enter the <strong>SSO URL</strong> you copied in your Google Admin Console.</td><td></td></tr><tr><td><strong>Certificates</strong></td><td>Paste the <strong>Certificate</strong> you downloaded from your Google Admin Console.</td><td></td></tr></tbody></table>

Now click **Save**. You'll be given a **Callback URL**.
{% endstep %}

{% step %}
Go back to your Google Admin Console. In the **Service Provider Details** window, enter the following:

<table><thead><tr><th width="169.69140625">Parameter</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>ACS URL</strong><mark style="color:red;"><strong>*</strong></mark></td><td>Enter the <strong>Callback URL</strong> you got in Onum. This is the endpoint in your app that receives SAML responses.</td><td></td></tr><tr><td><strong>Entity ID</strong><mark style="color:red;"><strong>*</strong></mark></td><td>The unique identifier for your app. Enter the same <strong>Callback URL</strong> here.</td><td></td></tr><tr><td><strong>Start URL</strong></td><td>Optionally, you can set a URL to redirect to after authentication.</td><td></td></tr><tr><td><strong>Signed response</strong></td><td>Check this option to indicate that your service provider requires the entire SAML authentication response to be signed. If this is unchecked (the default option), only the assertion within the response is signed.</td><td></td></tr><tr><td><strong>Name ID format/value</strong></td><td>Optionally, set a <strong>Name ID format</strong> and <strong>Name ID value</strong> for your custom SAML app. The default Name ID is the primary email.</td><td></td></tr></tbody></table>

Click **Continue**.
{% endstep %}

{% step %}
If needed, click **Add mapping** to map user attributes based on the service provider’s requirements, or enter group names that are relevant for this app.
{% endstep %}

{% step %}
Click **Finish** when done.
{% endstep %}
{% endstepper %}

## Turn on your SAML app

By default, the new SAML app is **OFF** for everyone. To activate it:

{% stepper %}
{% step %}
Log in to your [Google Admin Console](https://admin.google.com/ac/accountchooser?continue=https://admin.google.com/?utm_source%3Dchatgpt.com). In the left menu, go to **Apps > Web and mobile apps**.
{% endstep %}

{% step %}
Select your SAML app and click **User access**.
{% endstep %}

{% step %}
To turn a service on or off for everyone in your organization, click **On for everyone** or **Off for everyone**, and then click **Save**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Changes can take up to 24 hours, but typically happen more quickly.
{% endhint %}

Done! Google is now your identity provider for Onum.
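
To confirm the setup, the following added example (not part of Onum's or Google's documentation) decodes a captured base64 `SAMLResponse` form value and reports whether the signature sits on the response or only on the assertion, which is what the **Signed response** option controls, and whether Destination, Issuer and Audience match the values entered above. The URL, Entity ID and sample response are constructed placeholders; the script inspects structure only and does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: substitute the Callback URL shown by Onum and the
# Entity ID copied from the Google Identity Provider details page.
CALLBACK_URL = "https://onum.example/saml/callback"
IDP_ENTITY_ID = "https://idp.example/entity-id"

# Constructed, trimmed response (signature body omitted), shaped like the
# default case where "Signed response" is unchecked.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{CALLBACK_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature/>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{CALLBACK_URL}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(saml_response_b64, callback_url, idp_entity_id):
    """Report where the signature sits and whether the endpoints match."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    # Direct-child lookup: a Signature nested deeper does not count.
    signed = lambda el: el is not None and el.find("ds:Signature", NS) is not None
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return {
        "response_signed": signed(root),
        "assertion_signed": signed(assertion),
        "destination_ok": root.get("Destination") == callback_url,
        "issuer_ok": issuer == idp_entity_id,
        "audience_ok": audiences == [callback_url],
    }

if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE.encode())
    for name, value in check_response(encoded, CALLBACK_URL, IDP_ENTITY_ID).items():
        print(f"{name}: {value}")
```

With **Signed response** checked in the Google Admin Console, `response_signed` should report `True` for a real captured response.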


