From 6f0c765a5e7f07fe31e0ff739240988c056aea47 Mon Sep 17 00:00:00 2001 From: Blue Date: Thu, 4 Jun 2026 21:10:54 +0200 Subject: [PATCH] website/docs: clarify Google Workspace signed response setting (#22812) docs: clarify Google Workspace signed response setting #22811 --- .../sources/social-logins/google/workspace/index.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/website/docs/users-sources/sources/social-logins/google/workspace/index.md b/website/docs/users-sources/sources/social-logins/google/workspace/index.md index d9b6733ad1..72cdebdfcc 100644 --- a/website/docs/users-sources/sources/social-logins/google/workspace/index.md +++ b/website/docs/users-sources/sources/social-logins/google/workspace/index.md @@ -74,6 +74,7 @@ authentik is acting as both a Service Provider (SP) to Google and an Identity Pr - Set **ACS URL** to `https://authentik.company/source/saml//acs/`. - Set **Entity ID** to `https://authentik.company/source/saml//metadata/`. - Set **Start URL** to `https://authentik.company`. + - Enable **Signed response**. - Set **Name ID format** to `EMAIL`. - Set **Name ID** to `Basic Information > Primary Email`. 2. Click **Continue**. @@ -112,8 +113,8 @@ authentik is acting as both a Service Provider (SP) to Google and an Identity Pr - Set **SSO URL** to the SSO URL from Google Workspace. - Set **Issuer** to `https://authentik.company/source/saml//metadata/`. - Set **Verification Certificate** to the Google Workspace certificate you uploaded earlier. - :::warning Disable Verify Assertion Signature - If you do not disable the following option, your integration with Google Workspace will not work. + :::warning Signed response required + These verification settings expect Google Workspace to sign the SAML response. Make sure **Signed response** is enabled in the Google Workspace SAML app. ::: - Disable **Verify Assertion Signature**. - Enable **Verify Response Signature**. 
@@ -133,6 +134,7 @@ For instructions on embedding the new source within a flow, such as an authoriza - **`403 app_not_configured_for_user`**: Ensure the Entity ID matches between Google Workspace and authentik. The Entity ID must be identical in both configurations. - **`403 app_not_enabled_for_user`**: Enable the application for your organization in the Google Workspace Admin Console under **Apps** > **Web and mobile apps**. +- **`Expected exactly one Signature in the Response element`**: Enable **Signed response** in the Google Workspace Admin Console under **Apps** > **Web and mobile apps** > your SAML app, for example `authentik`. If this option is disabled, Google Workspace signs only the SAML assertion instead of the outer SAML response. ## Resources
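Review bot: In the hunk at `@@ -74,6 +74,7`, the new `Enable **Signed response**.` bullet gives no reason for the setting, and nothing ties it to the authentik-side verification step that depends on it. Suggest extending the bullet, for example "Enable **Signed response** so that Google Workspace signs the outer SAML response, which authentik checks with **Verify Response Signature**." That keeps the two halves of the configuration visibly paired if either section is edited later.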
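Review bot: In the hunk at `@@ -112,8 +113,8`, the rewritten warning no longer explains the `Disable **Verify Assertion Signature**` bullet that still follows it, and "These verification settings" refers to bullets the reader has not reached yet. Suggest "The following verification settings expect ..." and one added sentence on why assertion signature verification is turned off for this source. As written, the only statement of which element Google Workspace signs is in the troubleshooting entry at the end of the page, so a reader reviewing the source's signature settings has no local explanation for leaving the assertion check disabled.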
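Review bot: In the hunk at `@@ -133,6 +134,7`, the new troubleshooting entry does not say where `Expected exactly one Signature in the Response element` is reported, and it is shaped differently from the two `403 ...` entries above it, so a reader cannot tell which side to look at. Suggest naming the place the message appears and pointing back to the **Verify Response Signature** step, so the entry links the symptom to the setting that produces it. The phrase "your SAML app, for example `authentik`" could also be shortened to "your SAML app" to match the navigation style of the `app_not_enabled_for_user` entry.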