205hlab-mirrors/authentik
2
0
Fork 0
mirror of https://github.com/goauthentik/authentik.git synced 2026-06-17 19:09:11 +03:00
Code Issues Packages Projects Releases Wiki Activity

website/docs: clarify Google Workspace signed response setting (#22812)

Browse Source 
docs: clarify Google Workspace signed response setting #22811
This commit is contained in:
Blue
2026-06-04 21:10:54 +02:00
committed by GitHub
parent 93f19fcfd3
commit 6f0c765a5e
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
website/docs/users-sources/sources/social-logins/google/workspace/index.md
+4 -2
View File
@@ -74,6 +74,7 @@ authentik is acting as both a Service Provider (SP) to Google and an Identity Pr
- Set **ACS URL** to `https://authentik.company/source/saml/<google-slug>/acs/`.
- Set **Entity ID** to `https://authentik.company/source/saml/<google-slug>/metadata/`.
- Set **Start URL** to `https://authentik.company`.
- Enable **Signed response**.
- Set **Name ID format** to `EMAIL`.
- Set **Name ID** to `Basic Information > Primary Email`.
2. Click **Continue**.
@@ -112,8 +113,8 @@ authentik is acting as both a Service Provider (SP) to Google and an Identity Pr
- Set **SSO URL** to the SSO URL from Google Workspace.
- Set **Issuer** to `https://authentik.company/source/saml/<google-slug>/metadata/`.
- Set **Verification Certificate** to the Google Workspace certificate you uploaded earlier.
:::warning Disable Verify Assertion Signature
If you do not disable the following option, your integration with Google Workspace will not work.
:::warning Signed response required
These verification settings expect Google Workspace to sign the SAML response. Make sure **Signed response** is enabled in the Google Workspace SAML app.
:::
- Disable **Verify Assertion Signature**.
- Enable **Verify Response Signature**.
@@ -133,6 +134,7 @@ For instructions on embedding the new source within a flow, such as an authoriza
- **`403 app_not_configured_for_user`**: Ensure the Entity ID matches between Google Workspace and authentik. The Entity ID must be identical in both configurations.
- **`403 app_not_enabled_for_user`**: Enable the application for your organization in the Google Workspace Admin Console under **Apps** > **Web and mobile apps**.
- **`Expected exactly one Signature in the Response element`**: Enable **Signed response** in the Google Workspace Admin Console under **Apps** > **Web and mobile apps** > your SAML app, for example `authentik`. If this option is disabled, Google Workspace signs only the SAML assertion instead of the outer SAML response.
## Resources