SAML: Configuring Google Workspace

    This guide walks you through configuring your Google Workspace (formerly known as G Suite) service as a SAML SSO identity provider (IDP) for Pulumi Cloud.

    Creating the SAML application

    1. In the administrator console for your Google Workspace domain, open the flyout menu in the upper-left corner and choose Apps > Web and mobile apps.

      The Google Workspace console

    2. Select Add app > Add custom SAML app to create a new SAML application.

      Create a new SAML app

    3. In the first step, give the SAML app a name (e.g., Pulumi-SSO), optionally add an App Icon, and select Continue. PNG logos are available from Pulumi Logos.

      Step 1: Set up a custom app

    4. Next, choose Option 1: Download Metadata to download an XML document that identifies and describes your Google Workspace domain as a SAML identity provider. You will need this document to complete the process of configuring your Pulumi organization. For now, note the location of the downloaded file, then select Continue.

      Step 2: Download IDP metadata

    5. In step 3, for the required ACS URL, Entity ID, and Start URL fields, enter the fully qualified URLs of the acs, metadata, and sso endpoints of the Pulumi API, adjusted for your Pulumi organization name.

      The values you need depend on your Pulumi organization name. Be sure to replace acmecorp with your actual organization name.

      SAML Setting      Value
      ACS URL           https://api.pulumi.com/login/<acmecorp>/sso/saml/acs
      Entity ID         https://api.pulumi.com/login/<acmecorp>/sso/saml/metadata
      Start URL         https://api.pulumi.com/login/<acmecorp>/sso
      Name ID Format    EMAIL or PERSISTENT

      Step 3: Provide ACS and metadata URLs

      Set Name ID format to EMAIL or PERSISTENT. Leave the other fields as their default values, then select Continue.

      Important: Do not change the Name ID Format value once your users have started using Pulumi, not even to switch between EMAIL and PERSISTENT.

    6. The final step, attribute mapping, is optional, but you may wish to specify proper first and last names for your Pulumi users, based on their Google account profiles. Pulumi Cloud expects to receive these fields as firstName and lastName, respectively.

      Once you add them, select Finish.

      Step 4: Map optional attributes

    7. On the next screen, enable your newly created SAML application for your Google domain users by selecting the down arrow in the User access panel:

      Enable the SAML application

      Select ON for everyone and Save.

      Enable the SAML application part 2

      At this point, you’re done configuring Google Workspace, and can move on to completing SAML SSO setup in Pulumi Cloud.

    Configuring your Pulumi organization

    1. Sign in to Pulumi Cloud and navigate to your organization.
    2. Select Settings > Access Management.
    3. Select the Other tab.
    4. In the Membership Requirements section, select Change requirements.
    5. Select SAML SSO and then Next.
    6. Paste the full contents of the XML IDP document you downloaded into the text area.
    7. Select Apply changes.

    Your Pulumi organization is now configured to use Google Workspace as a SAML SSO identity provider.

    Signing in to Pulumi with Google Workspace

    Members of your Google Workspace can now sign in to Pulumi. Navigate to https://app.pulumi.com/signin/sso/ and enter the name of your Pulumi organization.

    Troubleshooting

    Google Workspace SAML troubleshooting: SAML app error messages

    For additional help, see the SAML SSO troubleshooting guide or contact support.