# Using Google ### Setting Up Single Sign-On (SSO) with Google Workspace for emSigner #### Overview emSigner supports **Single Sign-On (SSO) using Google Workspace** to allow users to authenticate using their corporate Google credentials. This enables centralized identity management, improves security, and simplifies access by eliminating separate login credentials for emSigner. *** #### Prerequisites Before configuring Google Workspace SSO for emSigner, ensure the following: * An active **Google Workspace** domain * **Google Workspace Admin** privileges * A verified email domain in Google Workspace that matches emSigner user accounts * SSO enabled for your organization in emSigner by the emSigner support or onboarding team *** #### Supported SSO Protocol emSigner supports **SAML 2.0–based SSO** with Google Workspace. *** #### Configuration Steps **Step 1: Create a SAML App in Google Workspace** 1. Sign in to the **Google Admin Console**. 2. Navigate to **Apps** → **Web and mobile apps**. 3. Click **Add app** → **Add custom SAML app**. 4. Enter an application name (for example, *emSigner SSO*) and proceed. *** **Step 2: Download Google Identity Provider (IdP) Metadata** 1. On the **Google IdP Information** page, download the following: * **IdP Metadata XML**, or * **SSO URL**, **Entity ID**, and **Certificate** 2. Share these details with the emSigner support or onboarding team. *** **Step 3: Configure Service Provider Details** 1. In the **Service Provider Details** section, enter the values provided by emSigner: * **ACS URL (Assertion Consumer Service URL)** * **Entity ID** * **Start URL** (if applicable) > These values are environment-specific and depend on your emSigner data residency zone. *** **Step 4: Configure Attribute Mapping** 1. In **Attribute Mapping**, configure the following: * **Primary email** → `email` 2. Ensure the email attribute sent by Google matches the **primary identifier** configured in emSigner. *** **Step 5: Assign Users or Groups** 1. Enable the SAML app for: * All users, or * Specific organizational units or groups (recommended) 2. Only enabled users will be able to log in to emSigner using Google SSO. *** #### emSigner Configuration Once Google Workspace configuration is complete: * emSigner validates the IdP metadata. * SSO is enabled for your organization and mapped to your domain. * Optional policies such as **mandatory SSO** or **2-Factor Authentication (2FA) enforcement** may be applied based on organizational requirements. *** #### User Login Experience After Google Workspace SSO is enabled: 1. The user enters their **email address** on the emSigner login page. 2. emSigner detects Google SSO configuration for the domain. 3. The user is redirected to the Google login page. 4. Upon successful authentication, the user is logged in to emSigner. *** #### Security & Compliance Notes * emSigner does **not store Google credentials**. * Authentication is performed entirely by Google Workspace. * Google-enforced security policies such as **2-Step Verification**, **context-aware access**, and **device policies** continue to apply. * All authentication events are recorded in emSigner audit logs. *** #### Troubleshooting **User is not redirected to Google login** * Verify that SSO is enabled for the organization in emSigner. * Ensure that the user’s email domain matches the configured Google Workspace domain. **Authentication succeeds but login fails** * Confirm that the email attribute mapping is correct. * Ensure that the user is enabled for the SAML app in Google Workspace. **Access denied** * Check Google Workspace security policies or 2-Step Verification settings. *** #### Need Assistance? For environment-specific URLs, metadata validation, or enabling Google Workspace SSO for your tenant, please contact emSigner Support or raise a support ticket through the Support Portal.