Skip to main content
日本語 简体中文 繁體中文

[Access Control] Single Sign-On (SSO) Connection Procedure (Google Workspace)

Action summary

This procedure explains how to configure single sign-on (SSO) between Access Control and Google Workspace, so that users log in to Google Workspace via Access Control.

Notes

  1. After completing the steps in this article, login to Google Workspace for the target users will be changed to go through Access Control.
    Please carefully consider the scope of impact and timing before proceeding.
  2. Access Control administrator account information (username and password) is required.
  3. Google Workspace tenant super administrator account information (username and password) is required.
  4. Google Workspace accounts with super administrator privileges are excluded from single sign-on (SSO).
    https://support.google.com/a/answer/6341409?hl=en-us (external link)
  5. Before performing this procedure,be sure to confirm that users with the same email address exist in both Google Workspace and Access Control.
    If email addresses do not match or if the user does not exist in either system, the user will not be able to log in to Google Workspace.
  6. If the system does not behave as expected, you may need to contact Google support.
  7. Even if only some users use HENNGE One products, you must purchase the same number of licenses as your Google Workspace licenses.
    HENNGE One License Policy
  8. The content of this article is based on product specifications as of April 2026 and is subject to change without notice.

Procedure

Create a new organizational unit in Google Workspace

Follow this procedure if you want to enable SSO integration with Access Control for only some users.
If you want to enable SSO integration for all users, proceed to the next step, Configure Access Control connected service.

  1. Create an organizational unit under the parent organization to register the target accounts.
    Add an organizational unit (external link)
  2. Add the accounts you want to target for single sign-on (SSO) to the organizational unit created in step 1.
    Move users to an organizational unit (external link)

Configure Access Control connected service

Follow the steps below.

Preliminary configuration of HENNGE One connected service (external link)
* STEP 6: Obtaining metadata is not required.

Create an SSO profile in Google Workspace

  1. Go to [Google Admin console] > [Security] > [Authentication] > [SSO with third-party IdP].
  2. Under [Third-party SSO profiles], click [Add SAML profile] and configure the following:
    * Use the values obtained in "Configure Access Control connected service".
    • [SSO profile name]: Any name
    • [Auto-fill email address]: Check [Send email address in URL as login_hint parameter]
    • [IdP Entity ID]: Copied IdP Issuer
    • [Login page URL]: Copied single sign-on URL
    • [Logout page URL]: Copied sign-out URL
    • [Change Password URL]: Copied single sign-on URL
    • [Upload certificate]: Obtained SAML signing certificate
  3. After clicking [Save], [Entity ID] and [ACS URL] will be displayed under [SP details].
    You will need to enter these in Access Control, so make a note of them.

Edit Access Control connected service settings

  1. Edit the connected service you created in "Configure Access Control connected service".
  2. Configure access permissions for the connected service you created in "Configure Access Control connected service".
    Refer to the following steps to grant access to the connected service for SSO target users or for the access policy group containing SSO target users.
    Configure access permissions for SP services (external link)
    * The default connected service [Gmail] will not be used. If necessary, uncheck the default [Gmail] connected service from all access policy groups.

Configure SSO settings in Google Workspace

If enabling SSO integration for all users

  1. Go to [Google Admin console] > [Security] > [Authentication] > [SSO with third-party IdP], then click [Manage SSO profile assignments] > [Try it].
    * If [Try it] is not displayed, click [Manage].
  2. Select the top-level organizational unit and, from the [Select SSO profile] dropdown, choose the profile you created in the "Create an SSO profile in Google Workspace" procedure.
  3. Check [After prompting for username in Google, redirect to this profile's IdP login page] and click [Save].

If enabling SSO integration for only some users

  1. Go to [Google Admin console] > [Security] > [Authentication] > [SSO with third-party IdP], then click [Manage SSO profile assignments] > [Try it].
    * If [Try it] is not displayed, click [Manage].
  2. Select the organizational unit you created in "Create a new organizational unit in Google Workspace" and, from the [SSO profile] dropdown, choose the profile you created in the "Create an SSO profile in Google Workspace" procedure.
  3. Check [After prompting for username in Google, redirect to this profile's IdP login page] and click [Save].
  4. Click [Domain-specific service URLs] under [SSO with third-party IdP], select [Require users to enter their username on the Google login page first], then click [Save].
    * If there are organizational units or groups not using SSO, be sure to select this setting.
    If you do not configure this setting, users not using SSO may be automatically redirected to Access Control and unable to log in.

Verify the connection

  • Verification with SSO target users
    Using a user in the SSO-enabled organizational unit, access a Google Workspace service and log in. Confirm that the Access Control authentication screen is displayed.
    * Google Workspace accounts with super administrator privileges are excluded from single sign-on (SSO).
  • Verification with non-SSO users
    Using a user not in the SSO-enabled organizational unit, access a Google Workspace service and log in. Confirm that the Access Control authentication screen is not displayed and login is successful.

Reference