Google Workspace SSO Setup Guide

This guide walks you through configuring Google Workspace as your Identity Provider (IdP) for CRA Evidence single sign-on.

Prerequisites

  • Google Workspace Super Administrator access
  • CRA Evidence organisation admin access
  • Your company email domain (e.g., company.com)

Step 1: Get CRA Evidence SP Information

Before configuring Google Workspace, gather the Service Provider (SP) information from CRA Evidence:

  1. Log in to CRA Evidence as an organisation admin
  2. Go to Settings > Single Sign-On
  3. Note the following values:
    • Entity ID: https://app.craevidence.com
    • ACS URL: https://app.craevidence.com/api/v1/saml/acs

Step 2: Create Custom SAML App in Google Workspace

  1. Sign in to Google Admin Console (https://admin.google.com)
  2. Go to Menu > Apps > Web and mobile apps
  3. Click Add app > Add custom SAML app

App Details

| Field | Value |
| --- | --- |
| App name | CRA Evidence |
| Description | EU Cyber Resilience Act Compliance Platform (optional) |
| App icon | Upload CRA Evidence logo (optional) |

Click Continue

Google Identity Provider Details

On this screen, Google provides IdP information. You'll need:

  1. SSO URL - Copy this value
  2. Entity ID - Copy this value
  3. Certificate - Click Download Certificate

Alternative: Click Download Metadata for the full metadata file.

Click Continue

Service Provider Details

| Field | Value |
| --- | --- |
| ACS URL | https://app.craevidence.com/api/v1/saml/acs |
| Entity ID | https://app.craevidence.com |
| Start URL | https://app.craevidence.com/login (optional) |
| Signed response | Checked |
| Name ID format | EMAIL |
| Name ID | Basic Information > Primary email |

Click Continue

Attribute Mapping

Add the following attribute mappings:

| Google Directory attribute | App attribute |
| --- | --- |
| Primary email | email |
| First name | firstName |
| Last name | lastName |

Click Finish

Step 3: Configure CRA Evidence

  1. In CRA Evidence, go to Settings > Single Sign-On
  2. Click Add Identity Provider
  3. Fill in the form:

| Field | Value |
| --- | --- |
| Name | Google Workspace (or your preferred name) |
| Vendor | Google Workspace |
| Entity ID | The "Entity ID" from Google (Step 2) |
| SSO URL | The "SSO URL" from Google (Step 2) |
| SLO URL | (leave blank - Google doesn't support SLO) |
| X.509 Certificate | Open the downloaded certificate and paste contents |

Provisioning Settings:

| Field | Recommended Value |
| --- | --- |
| JIT Provisioning | Enabled |
| Default Role | Member |
| Update on Login | Enabled |

  4. Click Add Identity Provider
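
If you chose Download Metadata in Step 2, the three values the form above asks for can be read from that file. The following is an added example, not CRA Evidence or Google code: it extracts the Entity ID, SSO URL and signing certificate, and re-wraps the certificate between its BEGIN/END lines. The helper name `idp_settings`, the `example.test` URLs and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def idp_settings(metadata_xml: str) -> dict:
    """Return the Step 3 form values found in an IdP metadata document."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(cert.text.split())            # drop line breaks and indentation
    der = base64.b64decode(b64, validate=True)  # raises on stray characters or bad padding
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
                     "-----END CERTIFICATE-----"])
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get(REDIRECT) or next(iter(sso.values()), None),
            "certificate_pem": pem,
            # compare with the fingerprint of the certificate file downloaded in Step 2
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}

# Constructed sample: placeholder URLs and bytes that are NOT a real certificate.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate " * 3
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://idp.example.test/saml2?idpid=PLACEHOLDER">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
   <ds:X509Certificate>{base64.encodebytes(SAMPLE_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{REDIRECT}"
      Location="https://idp.example.test/saml2/idp?idpid=PLACEHOLDER"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for field, value in idp_settings(SAMPLE_METADATA).items():
        print(f"{field}:\n{value}\n")
```
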

Step 4: Enable the App for Users

  1. In Google Admin Console, go to Apps > Web and mobile apps
  2. Click on CRA Evidence
  3. Click User access
  4. Configure access:
    • ON for everyone: All users in your organisation
    • ON for specific organizational units: Selected OUs only
    • OFF: Disabled (default)
  5. Click Save

Note: Changes may take up to 24 hours to propagate to all users.

Step 5: Add SSO Domain in CRA Evidence

  1. In CRA Evidence SSO settings, go to Domains
  2. Click Add Domain
  3. Enter your Google Workspace domain (e.g., company.com)
  4. Select the Google Workspace IdP you just created
  5. Click Add Domain

Verify Domain Ownership

  1. Add a DNS TXT record:
    • Host: _craevidence-verification
    • Value: (the token shown in CRA Evidence)
  2. Wait for DNS propagation (up to 48 hours)
  3. Click Verify Now in CRA Evidence

Step 6: Test SSO

  1. Open a new incognito/private browser window
  2. Go to https://app.craevidence.com/login
  3. Enter an email address from your Google Workspace domain
  4. You should be redirected to Google sign-in
  5. Authenticate with your Google credentials
  6. You should be redirected back to CRA Evidence, logged in

Test from Google Workspace

  1. Sign in to Google
  2. Go to Google App Launcher (9-dot menu)
  3. Scroll down or search for CRA Evidence
  4. Click to launch (IdP-initiated SSO)

Optional: Enable SSO Enforcement

Once testing is successful, you can require SSO for all users:

  1. Go to Settings > Single Sign-On > Enforcement
  2. Enable Require SSO for all users
  3. Optionally enable Allow admins to bypass SSO
  4. Click Save Settings

Troubleshooting

"App is not configured for this user"

  • Ensure the app is turned ON for the user's organizational unit
  • Wait up to 24 hours for changes to propagate
  • Verify the user is in an OU where the app is enabled

"Invalid SAML Response"

  • Verify the ACS URL matches exactly: https://app.craevidence.com/api/v1/saml/acs
  • Check that "Signed response" is enabled
  • Ensure Name ID format is set to EMAIL

User Not Being Created

  • Confirm JIT Provisioning is enabled in CRA Evidence
  • Verify attribute mappings include email
  • Check that the user has a valid primary email in Google
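
The checks listed under "Invalid SAML Response" and "User Not Being Created" can be run against a captured `SAMLResponse` form value (the base64 field the browser posts to the ACS URL). The following is an added example, not CRA Evidence code: `check_response` and `sample` are hypothetical helpers, and the test responses are constructed with an empty stand-in for the signature element.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://app.craevidence.com/api/v1/saml/acs"  # SP value from Step 1
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAPPED = {"email", "firstName", "lastName"}              # app attributes from Step 2

def check_response(saml_response_b64: str) -> list:
    """List configuration problems visible in a captured SAMLResponse form value."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    # Presence only: cryptographic validation stays with the service provider.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed: enable 'Signed response'")
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"Name ID format is {name_id.get('Format')!r}, not EMAIL")
    sent = {e.get("Name") for e in root.iterfind(".//a:AttributeStatement/a:Attribute", NS)}
    problems += [f"attribute {n!r} is not mapped" for n in sorted(MAPPED - sent)]
    return problems

def sample(dest, signed, fmt, attrs):
    """Build a constructed test response; the Signature element is an empty stand-in."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    attr_xml = "".join(f'<a:Attribute Name="{n}"/>' for n in attrs)
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{dest}">'
           f'{sig}<a:Assertion><a:Subject><a:NameID Format="{fmt}">user@company.com'
           f'</a:NameID></a:Subject><a:AttributeStatement>{attr_xml}'
           f'</a:AttributeStatement></a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    broken = sample(ACS_URL + "/", False,
                    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", ["firstName"])
    print(check_response(broken))
```

The script reports configuration mismatches only; it does not verify the signature against the certificate configured in Step 3.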

Certificate Issues

  • Download a fresh certificate from Google Admin
  • Ensure you're copying the entire certificate including BEGIN/END lines
  • Google certificates typically expire after several years

"Access Denied" in Google

  • The user may not be in an organizational unit where the app is enabled
  • Super Admins may have different access rules
  • Check the app's user access settings

Advanced Configuration

Organizational Unit-Based Access

To restrict access to specific groups:

  1. Create an organizational unit for CRA Evidence users
  2. In User access settings, select ON only for that OU
  3. Move users to that OU to grant access

Multiple Domains

If your Google Workspace has multiple domains:

  1. Each domain needs to be added separately in CRA Evidence
  2. All domains can point to the same Google Workspace IdP
  3. Verify each domain separately

Custom Attributes

Google Workspace supports custom attributes for additional user data:

  1. Define custom attributes in Directory > Users > More options > Manage custom attributes
  2. Add mappings in the SAML app configuration
  3. Use custom attribute names in CRA Evidence attribute mapping

Limitations

Google Workspace SAML has some limitations:

  • No Single Logout (SLO): Google doesn't support SAML SLO
  • No Group Claims: Google doesn't send group membership in SAML
  • 24-hour Propagation: App enablement changes can take up to 24 hours

Security Recommendations

  1. Use Organizational Units to control access
  2. Enable 2-Step Verification in Google Workspace
  3. Review Sign-in Activity in Admin Console
  4. Set Session Length policies in Google Security settings
  5. Use Context-Aware Access for additional security

Support

If you encounter issues:

  1. Check the SAML SSO Architecture documentation
  2. Review Google Admin Console logs under Reports > Audit > SAML
  3. Contact CRA Evidence support at support@craevidence.com
  4. Provide:
    • Error message
    • Screenshot of Google SAML app configuration
    • CRA Evidence IdP configuration (without certificate)
Last updated February 27, 2026