# Managing users with Google Workspace SAML

> Integrate Omni with Google Workspace for user authentication via the SAML protocol.

## Limitations

* User and user group provisioning via SCIM is not currently supported for Google Workspace
* User sessions expire after 24 hours, after which users need to reauthenticate

## Requirements

To follow the steps in this guide, you'll need:

* Omni [Organization Admin permissions](/administration/users/permissions)
* Google Workspace [Super Administrator permissions](https://support.google.com/a/answer/2405986?sjid=8929730596146089385-NA)

## Setup

<Steps>
  <Step title="Open the Omni authentication settings">
    In your Omni instance, navigate to **Settings > Authentication** and locate the **SAML** section.

    Leave this page open - you'll need it to complete the setup.
  </Step>

  <Step title="Create an Omni Google Workspace app">
    1. Log in to your Google Workspace Admin console.
    2. In the navigation bar, click **Apps > Web and mobile apps**.
    3. Click the **Add app** dropdown, then **Add custom SAML app**.
    4. Name the app `Omni Analytics`. You can also add a description and logo.
    5. Click **Continue**.
    6. On the **Google Identity Provider details** page, copy the following information somewhere handy - you'll need it to complete the setup in Omni:

    * SSO URL
    * Entity ID
    * Certificate - **Note**: You will need to download the certificate.

    7. Click **Continue**.
    8. In the **Service Provider Details** window, fill in the following:

    * **ACS URL** - Copy and paste the **Single sign-on URL** value from the Omni Authentication settings (step 1)
    * **Entity ID** - Enter the full hostname of your Omni instance, e.g. `blobsrus.omniapp.co`. Do not include `https://`.
    * **Name ID format** - Set to `Email`
    * **Name ID** - Set to `Basic Information > Primary email`

    9. Click **Continue**.
    10. Click **Add mappings** and add the following mappings:
        * `First name` to `first_name`
        * `Last name` to `last_name`
    11. Click **Finish**.
  </Step>

  <Step title="Configure Omni authentication settings">
    Navigate back to the Omni Authentication settings (**Settings > Authentication**) to complete the setup:

    * **Entity ID / Issuer** - Copy and paste the **Entity ID** value from Google Workspace

    * **SSO (Sign on) URL** - Copy and paste the **SSO URL** value from Google Workspace

    * **Certificate** - Copy and paste the contents of the certificate you downloaded in step 2. The pasted text must include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines, for example:

      ```txt wrap theme={null}
      -----BEGIN CERTIFICATE-----
      [certificate contents]
      -----END CERTIFICATE-----
      ```

    * **Enable SAML for users** - Toggle this setting to **on**

    When finished, click **Save SAML changes**.
  </Step>

  <Step title="Assign users & groups">
    In the Google Workspace Admin console, use the **User access** section in the Omni app to grant users access. Refer to [Google's documentation](https://support.google.com/a/answer/6087519?hl=en#zippy=%2Cstep-turn-on-your-saml-app) for more information.

    <Warning>
      The email addresses your users use to sign in to Omni must match the email addresses they use to sign in to your Google domain.
    </Warning>
  </Step>

  <Step title="Test the setup">
    Test your SAML setup by logging out of Omni. On the Omni login page, you should see a **Log in with SAML** button. Click the button to log in using SAML.

    If the login succeeds, finish the setup by rolling out SAML authentication to the rest of your organization.
  </Step>
</Steps>
