Google SAML SSO configuration

Google SAML SSO configuration is available as part of the Beamo Enterprise plan.
Learn how to get more out of Beamo with Plans and Packs.


This article details the necessary steps for using Beamo's SAML SSO with Google as the Identity Provider.

Who can use this feature?

  Super Admin Site Manager Team Admin Surveyor Collab-
Setup SAML SSO Yes No No No No No

Setting up SAML SSO

Open SSO in Beamo

The SSO configuration is located in the Settings of Beamo.

  • Beamo → Settings → Security

Click “Enable SAML SSO” to start the process.


Create a SAML app in Google

Note: Providers’ configuration instructions are outlined here. For more detailed configuration instructions, please contact the respective ID provider.

  1. Open the Google Workspace Admin console and navigate to Apps → Web and mobile.
  2. Select Add App → Add custom SAML app.
  3. On the App details screen, give the application a Display name, e.g. Beamo, and click Continue.
  4. The screen Google Identity Provider Details opens.
    Take note of the following values, which are required at a later step, then click Continue:
    1. SSO URL
    2. Entity ID
    3. Certificate
  5. The next screen Service Provider Details opens.
    Manually configure the fields.
Field Description

ACS URL

Set this field to the pre-generated Assertion Consumer Service (ACS) URL retrieved from the Beamo SSO configuration screen.

Entity ID

Set this field to the pre-generated SP Entity ID retrieved from the Beamo SSO Configuration screen.

Start URL

(Optional) Set this field to the login URL from which users will access Beamo.

Signed response

Check this box if you want Google Workspace to sign the SAML response. If it is not checked, Google Workspace signs only the SAML assertion.

Name ID

The default Name ID is the primary email.

Attribute mapping

Select Add Mapping and create the following mapping if it does not already exist:

Google Directory Attribute App attribute

Primary email


Turn on the app

Go to the section User Access on the SAML app and set it to ON for everyone or for specific groups.

Continue on to Beamo

The Google Workspace Admin-specific configurations are done. Continue on to Beamo to finish the configuration.

  • Service Provider Configuration defines the format of SAML requests.

  • Identity Provider Configuration defines the format to expect for SAML responses.

Service Provider Configuration

Configure the following fields according to the choices selected in the Google Workspace Admin console during setup:

Field Description

Want Assertions Signed

Determines whether Beamo expects SAML assertions to be signed. By default, SAML Apps will sign SAML assertions, so you may check this box.

Validate Certificates

Check this box when your IdP uses valid certificates issued by a trusted CA.

Identity Provider details

Identity Provider Configuration will often require you to refer back to the Google Workspace Admin console to retrieve application values:

Field Description

Entity ID

Enter the Entity ID retrieved from the Google Identity Provider details section.

Single Sign On Service URL

Set this field to Google Workspace's SSO URL retrieved from the Google Identity Provider details section.

Single Log Out URL

Login with SSO currently does not support SLO. This option is planned for future development, but you may pre-configure it if you wish.

X509 Public Certificate

Paste the retrieved Certificate, removing -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Extra spaces, carriage returns, and other extraneous characters will cause certificate validation to fail.

Allowed domains

Specify the email domains which are allowed to authenticate with SAML SSO. Add one domain per field. If the users log in with, the domain to be entered is
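
For the X509 Public Certificate field above, the following added example (not part of Beamo's or Google's tooling) strips the BEGIN/END markers and all whitespace from a downloaded PEM file, rejects stray characters or a truncated paste, and returns a fingerprint for comparing two copies of the certificate. The function names are illustrative, and the sample input is a constructed stand-in rather than a real certificate.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def check_der_length(der: bytes) -> None:
    """Reject data whose outer DER SEQUENCE length disagrees with its size."""
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong file or truncated paste")
    if der[1] < 0x80:  # short-form length
        header, length = 2, der[1]
    else:  # long form: low 7 bits give the number of length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("certificate is truncated or has trailing bytes")


def normalize_certificate(pem_text: str) -> str:
    """Return the bare single-line base64 body of exactly one PEM certificate."""
    if pem_text.count(BEGIN) != 1 or pem_text.count(END) != 1:
        raise ValueError("expected exactly one certificate block")
    body = pem_text.split(BEGIN, 1)[1].split(END, 1)[0]
    body = re.sub(r"\s+", "", body)  # drop spaces, tabs, CR and LF
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # stray characters or bad padding
        raise ValueError(f"body is not clean base64: {exc}") from None
    check_der_length(der)
    return body


def sha256_fingerprint(body: str) -> str:
    """Colon-separated SHA-256 of the DER bytes, for comparing two copies."""
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


# Constructed stand-in, NOT a real certificate, wrapped as messy PEM
# (CRLF line endings and trailing spaces on every line).
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = BEGIN + "\r\n" + "".join(
    _B64[i:i + 64] + "  \r\n" for i in range(0, len(_B64), 64)) + END + "\r\n"

if __name__ == "__main__":
    value = normalize_certificate(SAMPLE_PEM)
    print(value, "SHA-256: " + sha256_fingerprint(value), sep="\n")
```

Paste the returned string into the field as-is; a `ValueError` means the input should be downloaded again rather than edited by hand.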


Test & Save

After the tests are successful, [Save] the configuration, and SSO will be enabled.

