---
title: Google SSO Setup (SAML)
deprecated: false
hidden: false
metadata:
  robots: index
---
Before you edit your SSO configuration, make sure you are logged into MyMoveworks. Otherwise, you will not be able to log in and update your SSO configuration details.
# **Prerequisites**
**Google:**
* Google Workspace and Admin access
* Sufficient privileges to create a SAML application
**Moveworks:**
* Org is initialized and user ingestion is complete
# **Configuration**
## Google:
Navigate to [https://admin.google.com/](https://admin.google.com/u/1/) and log in with your **admin** account.
1. Go to **“Home→Apps→Web and mobile apps”**.

2. Click on “Add app” and from the drop-down select **“Add custom SAML app”**.

3. On the “App Details” screen, please fill in the following information:
* **App name: Moveworks**
* **Description: Moveworks Control Center**
4. On the next page, click **“Download Metadata”** and also download the **Certificate**. These two data files will need to be provided to your CSE.
5. On the “Service provider details” page, please fill in the following information:
* **ACS URL:** [https://org\_name.moveworks.com/login/sso/saml](https://org_name.moveworks.com/login/sso/saml)
* **Entity ID:** [https://www.moveworks.com](https://www.moveworks.com/)
* **Check “Signed response”**
* **Name ID format:** EMAIL
* **Name ID:** Basic Information > Primary email
6. On the next page under “Attributes”, click **“Add Mapping”** and fill in the following:
* **Google Directory attributes: Basic Information → Primary Email**
* **App attributes: mail**
7. Click **Finish**.
8. Open the “Moveworks” app you just created if it’s not open already.

Navigate to the **"User access"** page from the app page mentioned above to enable access for the necessary users.
1. User access is “OFF for everyone” by default, so set it according to the needs of your organization. If everyone can get access, this can be changed to “ON for everyone”. To turn this on for everyone:
* **Click on the down arrow on the top right of the “User access” box:**

* **Select “ON for everyone” under “Service Status”**
* **Click Save**
2. Once your app setup is complete, download the metadata and certificate information, as you will need them in subsequent steps.
## Moveworks:
## Step 1: Google SSO Configuration
1. Under **“Tenant Settings”**, select **“Single Sign-On (SSO)”**.
2. Create a new SSO by clicking the **“Create”** button.

3. Fill in the information as follows:
* **Moveworks Product: studio**
* **Select Connector: Moveworks**
* **Authentication Protocol:** `SAML`
* **IDP Sign On / SSO URL:** [https://accounts.google.com/o/saml2/idp?idpid=XXXXXXX](https://accounts.google.com/o/saml2/idp?idpid=XXXXXXX) (this will be provided to you in the Metadata file from the customer, and can be found near the bottom of the file)
* **IDP Issuer/Identifier ID:** [https://www.moveworks.com](https://www.moveworks.com)
* **IDP Public Certificate:** Upload the .pem file that is provided. This value should match the X509 value in the Metadata file as well, so if you only have the Metadata file, you can create your own .pem file by extracting the X509 value and wrapping it in the following header and footer (exactly five dashes on each side):
```text
-----BEGIN CERTIFICATE-----
<X509 value from the Metadata file>
-----END CERTIFICATE-----
```
* **User attribute: mail**
* **Identifier Type: EMAIL\_ADDR**
4. Click **Submit**
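
The metadata-to-.pem step described above, as an added example (not Moveworks or Google code): it reads the SSO URL and X509 value from a SAML 2.0 IdP metadata file, builds a correctly delimited PEM, and returns a SHA-256 fingerprint so the downloaded certificate can be compared with the copy in the metadata. The function names are hypothetical, and the sample metadata and its certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_idp_metadata(xml_text):
    """Return (sso_url, pem_text, sha256_hex) from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element in metadata")
    cert = idp.find(".//ds:X509Certificate", NS)
    sso = idp.find(".//md:SingleSignOnService", NS)
    if cert is None or not (cert.text or "").strip() or sso is None:
        raise ValueError("metadata has no IdP certificate or SSO URL")
    # Metadata may wrap or indent the base64, so drop all whitespace first.
    der = base64.b64decode("".join(cert.text.split()), validate=True)
    # Emits exactly five dashes around each label and a body wrapped at 64 chars.
    pem = ssl.DER_cert_to_PEM_cert(der)
    return sso.get("Location"), pem, hashlib.sha256(der).hexdigest()

def pem_sha256(pem_text):
    """SHA-256 of the DER bytes inside a PEM file, for comparing two copies."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()

# Constructed sample: placeholder bytes, NOT a real certificate. The code only
# re-wraps base64 and hashes it; it does not parse or validate X.509.
SAMPLE_B64 = base64.b64encode(b"constructed sample, not a real certificate. " * 4).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="placeholder-entity-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_B64[:40]}
{SAMPLE_B64[40:]}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=XXXXXXX"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    sso_url, pem, fingerprint = parse_idp_metadata(SAMPLE_METADATA)
    print("IDP Sign On / SSO URL:", sso_url)
    print("SHA-256 of certificate:", fingerprint)
    print(pem, end="")
```

Running `pem_sha256` on the .pem downloaded from Google and comparing it with the fingerprint returned for the metadata file confirms both hold the same certificate before you upload it.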
## Validation
Next, follow the steps below to verify that access is working.
1. Open an Incognito page from your browser (this is to prevent cached values from loading incorrectly).
2. Go to https\://**org\_name**.moveworks.com (org\_name being the value from the ACS URL).
3. Log in with your Google account when prompted.
4. On successful login, the Moveworks Control Center should appear.