Google Workspace SSO Setup
Complete step-by-step guide to configure SAML-based Single Sign-On between Google Workspace and NetSuite.
Overview
GOOGLE WORKSPACE SSO ARCHITECTURE
═══════════════════════════════════════════════════════════════════════════════
Parties: USER (browser) · GOOGLE WORKSPACE (Identity Provider, IdP) · NETSUITE (Service Provider, SP)

1. User accesses NetSuite (or clicks NetSuite in the Google app launcher)
        │
        ▼
2. Browser is redirected to Google Workspace to authenticate
        │
        ▼
3. User enters Google credentials (plus 2-Step Verification, if enforced)
        │
        ▼
4. Google returns a signed SAML assertion to the browser, which POSTs it
   to NetSuite's Assertion Consumer Service (ACS) URL
        │
        ▼
5. NetSuite validates the signature, audience and NameID, matches the
   email to a NetSuite user and grants access under that user's roles
Prerequisites
Before You Begin
| Requirement | Details |
|---|---|
| Google Workspace | Business Starter, Standard, Plus, Enterprise, or Education |
| Google Admin Role | Super Admin |
| NetSuite Role | Administrator |
| NetSuite Account ID | Found in Setup > Company > Company Information |
| Matching Emails | The email Google sends as the SAML NameID must exactly match the email on the NetSuite user record |
Part 1: NetSuite Configuration
Step 1: Enable SAML SSO Feature
- Log in to NetSuite as Administrator
- Navigate to Setup > Company > Enable Features
- Click SuiteCloud subtab
- Check SAML Single Sign-on
- Click Save
Step 2: Get NetSuite SAML Information
- Navigate to Setup > Integration > SAML Single Sign-on
- Copy the following values exactly as NetSuite displays them (do not retype them; a single wrong character produces an ACS URL or audience mismatch later):
NETSUITE SAML ENDPOINTS
═══════════════════════════════════════════════════════════════════════════════
Entity ID (Audience):
https://system.netsuite.com/saml2/sp/{YOUR_ACCOUNT_ID}/acs
ACS URL (Reply URL):
https://system.netsuite.com/saml2/sp/{YOUR_ACCOUNT_ID}/acs
Example (if Account ID is 1234567):
Entity ID: https://system.netsuite.com/saml2/sp/1234567/acs
ACS URL: https://system.netsuite.com/saml2/sp/1234567/acs
Part 2: Google Workspace Configuration
Step 3: Access Google Admin Console
- Go to admin.google.com
- Sign in with your Super Admin account
- Navigate to Apps > Web and mobile apps
Step 4: Add SAML Application
- Click Add app dropdown
- Select Add custom SAML app
Step 5: App Details
- Enter App name: NetSuite
- (Optional) Upload app icon
- Click Continue
Step 6: Download Google IdP Information
On the Google Identity Provider details page, you'll see:
GOOGLE IDP INFORMATION
═══════════════════════════════════════════════════════════════════════════════
SSO URL:
https://accounts.google.com/o/saml2/idp?idpid={YOUR_IDP_ID}
Entity ID:
https://accounts.google.com/o/saml2?idpid={YOUR_IDP_ID}
Certificate:
[Download Certificate button]
Important Actions:
- Download the certificate (click Download Certificate)
- Copy the SSO URL
- Copy the Entity ID
- Click Continue
Step 7: Configure Service Provider Details
Enter NetSuite's SAML information:
| Field | Value |
|---|---|
| ACS URL | https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs |
| Entity ID | https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs |
| Start URL | (leave blank or https://system.netsuite.com) |
| Signed Response | Checked |
| Name ID Format | EMAIL (NetSuite expects the Email Address format, see Step 11) |
| Name ID | Basic Information > Primary email |
Click Continue
Step 8: Configure Attribute Mapping
Map Google user attributes to SAML claims:
| Google Directory Attribute | App Attribute |
|---|---|
| Primary email | email |
| First name | firstName |
| Last name | lastName |
ATTRIBUTE MAPPING CONFIGURATION
═══════════════════════════════════════════════════════════════════════════════
Required Mapping:
┌─────────────────────────────────────────────────────────────────────────────┐
│ Google Directory → SAML Attribute │
│ ────────────────────────────────────────────────────── │
│ Primary email → email │
└─────────────────────────────────────────────────────────────────────────────┘
Optional Mappings:
┌─────────────────────────────────────────────────────────────────────────────┐
│ First name → firstName │
│ Last name → lastName │
│ Department → department │
└─────────────────────────────────────────────────────────────────────────────┘
Click Finish
Part 3: Complete NetSuite Configuration
Step 9: Configure IdP in NetSuite
- Return to NetSuite: Setup > Integration > SAML Single Sign-on
- Enter the following:
| Field | Value |
|---|---|
| Identity Provider Name | Google Workspace |
| Identity Provider Issuer | Entity ID from Step 6 |
| Identity Provider Sign-in URL | SSO URL from Step 6 |
| Identity Provider Sign-out URL | (leave blank) |
Step 10: Upload IdP Certificate
- Still on SAML configuration page
- Scroll to Identity Provider Certificate section
- Click Upload Certificate
- Select the certificate file downloaded in Step 6
- Click Upload
Step 11: Configure SAML Settings
| Setting | Recommended Value |
|---|---|
| SAML Single Sign-on | Enabled |
| Require SAML SSO for all logins | Start with "No", enable after testing |
| Name ID Format | Email Address |
| Signature Algorithm | RSA-SHA256 |
Step 12: Save Configuration
- Review all settings
- Click Save
Part 4: Enable and Assign Users
Step 13: Turn On the App in Google
- Return to Google Admin Console
- Go to Apps > Web and mobile apps
- Click on NetSuite
- Click User access
- Choose one of the following:
USER ACCESS OPTIONS
═══════════════════════════════════════════════════════════════════════════════
Option 1: ON for everyone
┌─────────────────────────────────────────────────────────────────────────────┐
│ All users in your organization can access NetSuite via SSO │
│ Use when: All employees need NetSuite access │
└─────────────────────────────────────────────────────────────────────────────┘
Option 2: ON for specific organizational units
┌─────────────────────────────────────────────────────────────────────────────┐
│ Only users in selected OUs can access │
│ Use when: Only certain departments need access │
│ │
│ Steps: │
│ 1. Click on the Organizational Unit on the left │
│ 2. Set Service Status to ON │
│ 3. Repeat for each OU that needs access │
└─────────────────────────────────────────────────────────────────────────────┘
Option 3: ON for specific groups
┌─────────────────────────────────────────────────────────────────────────────┐
│ Only users in selected groups can access │
│ Use when: Access based on role rather than department │
│ │
│ Steps: │
│ 1. Click "Groups" │
│ 2. Select the group │
│ 3. Set Service Status to ON │
└─────────────────────────────────────────────────────────────────────────────┘
- Click Save
Step 14: Verify Users Exist in NetSuite
Ensure each assigned user has a matching NetSuite user:
- In NetSuite, go to Lists > Employees > Employees (or Contacts)
- Verify user exists with matching email address (must match Google email exactly)
- Verify user has Login Access enabled
- Verify user has appropriate Role(s) assigned
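The four checks above are tedious to do by hand for more than a handful of users, and a single mismatch surfaces later only as "user not found". The script below, an added example for this guide and not Google or NetSuite code, reconciles a Google user export against a NetSuite employee export and lists every user that would fail Step 14. It assumes you export both lists yourself as CSV; the column names ("Email Address"/"Status" on the Google side, "Email"/"Give Access"/"Roles" on the NetSuite side) and all rows are constructed placeholders, so adapt them to your real exports.

```python
"""Reconcile the Google users assigned to the NetSuite SAML app with NetSuite's
user records before enabling SSO.

Added example for this guide, not Google or NetSuite code. It assumes two CSV
exports you produce yourself: a Google Admin console user download (columns
"Email Address" and "Status") and a NetSuite employee search export (columns
"Email", "Give Access" and "Roles"). Column names are assumptions; adapt them to
your exports. The rows below are constructed sample data.
"""
import csv
import io

GOOGLE_CSV = """Email Address,First Name,Last Name,Status
alice@example.com,Alice,Smith,Active
Bob.Jones@example.com,Bob,Jones,Active
carol@example.com,Carol,Lee,Active
dave@example.com,Dave,Kim,Suspended
frank@example.com,Frank,Wu,Active
"""

NETSUITE_CSV = """Email,Give Access,Roles
alice@example.com,Yes,Accountant
bob.jones@example.com,Yes,Sales Rep
carol@example.com,No,Accountant
dave@example.com,Yes,Warehouse Manager
erin@example.com,Yes,Administrator
"""

CATEGORIES = (
    "ok",                   # exact email match, Google active, NetSuite login access on
    "case_mismatch",        # same address with different letter case; the guide requires an exact match
    "no_login_access",      # NetSuite record exists but Give Access is not Yes
    "missing_in_netsuite",  # assigned in Google, no NetSuite user: SAML login fails with "user not found"
    "suspended_in_google",  # NetSuite user exists but the Google account is suspended
    "netsuite_only",        # NetSuite user with no Google account: locked out once SSO is mandatory
)


def load_rows(text, key_column):
    """Map key_column (the email) to its CSV row; whitespace around emails is stripped."""
    rows = csv.DictReader(io.StringIO(text))
    return {r[key_column].strip(): r for r in rows}


def reconcile(google_csv, netsuite_csv):
    """Return {category: sorted list of emails} for the categories above."""
    google = load_rows(google_csv, "Email Address")
    netsuite = load_rows(netsuite_csv, "Email")
    ns_by_lower = {e.lower(): e for e in netsuite}
    findings = {c: [] for c in CATEGORIES}

    for email, row in google.items():
        if email not in netsuite:
            if email.lower() in ns_by_lower:
                findings["case_mismatch"].append(f"{email} vs {ns_by_lower[email.lower()]}")
            else:
                findings["missing_in_netsuite"].append(email)
        elif row["Status"].strip().lower() != "active":
            findings["suspended_in_google"].append(email)
        elif netsuite[email]["Give Access"].strip().lower() != "yes":
            findings["no_login_access"].append(email)
        else:
            findings["ok"].append(email)

    google_lower = {e.lower() for e in google}
    findings["netsuite_only"] = [e for e in netsuite if e.lower() not in google_lower]
    return {c: sorted(v) for c, v in findings.items()}


if __name__ == "__main__":
    for category, emails in reconcile(GOOGLE_CSV, NETSUITE_CSV).items():
        print(f"{category:20} {', '.join(emails) or '-'}")
```

The "netsuite_only" list is where your break-glass administrator accounts will appear; that is expected, but review the list before Step 17, because everyone on it is locked out once SAML becomes mandatory.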
Part 5: Testing
Step 15: Test SSO Login
Method 1: IdP-Initiated (from Google)
- Go to myapps.google.com or Google Workspace app launcher
- Find and click NetSuite
- You should be redirected to NetSuite and signed in without a NetSuite password prompt
Method 2: SP-Initiated (from NetSuite)
- Open an incognito/private browser window
- Go to NetSuite login page
- You may be redirected to Google automatically; if not, click Log in with SAML Single Sign-on
- Authenticate with Google credentials
- You should be redirected back to NetSuite, signed in as the Google user
Step 16: Verify Login
After successful login, verify:
| Check | How to Verify |
|---|---|
| User identity | Check logged-in user name |
| Roles | Verify correct roles appear |
| Permissions | Test access to expected features |
| Audit trail | Check Setup > Users/Roles > Login Audit Trail |
Part 6: Production Rollout
Step 17: Enable Mandatory SSO (Optional)
Once testing is complete and all users are verified:
- Go to Setup > Integration > SAML Single Sign-on
- Set Require SAML SSO for all logins to Yes
- Click Save
Warning: Only enable after thorough testing. Keep at least one NetSuite administrator account that does not depend on Google (a break-glass account with credentials stored offline), and document the procedure for turning the requirement off if Google, the certificate, or the SAML configuration fails.
Step 18: Communicate to Users
Notify users of the change:
SSO ROLLOUT COMMUNICATION TEMPLATE
═══════════════════════════════════════════════════════════════════════════════
Subject: NetSuite Login Change - Google Sign-In Enabled
Starting [DATE], NetSuite login will use your Google Workspace credentials.
What's changing:
- You'll log in using your company Google account
- 2-Step Verification (if enabled) will apply
- No separate NetSuite password needed
How to log in:
Option 1: From Google
- Go to your Google app launcher (9-dot icon)
- Click "NetSuite"
Option 2: Direct to NetSuite
- Go to NetSuite URL
- You'll be redirected to Google sign-in
- Enter your Google credentials
Questions? Contact [HELPDESK]
Troubleshooting
Common Errors and Solutions
Error: "User not found"
DIAGNOSIS AND FIX
═══════════════════════════════════════════════════════════════════════════════
Symptom: "SAML user not found in NetSuite"
Cause: Email in SAML assertion doesn't match any NetSuite user
Steps to Fix:
1. Check Google user's email: Admin Console > Users > [User]
2. Check NetSuite user's email: Lists > Employees > [Employee] > Email
3. Ensure they match exactly
4. Verify NetSuite user has Login Access enabled
5. Check that Name ID in Google SAML app is set to "Primary email"
Error: "App not assigned"
DIAGNOSIS AND FIX
═══════════════════════════════════════════════════════════════════════════════
Symptom: "You don't have access to this app"
Cause: User's OU or group doesn't have the app enabled
Steps to Fix:
1. Go to Admin Console > Apps > Web and mobile apps > NetSuite
2. Click "User access"
3. Verify the user's OU or group has the app ON
4. Wait up to 24 hours for changes to propagate (usually faster)
Error: "Invalid signature"
DIAGNOSIS AND FIX
═══════════════════════════════════════════════════════════════════════════════
Symptom: "SAML signature validation failed"
Cause: The certificate uploaded to NetSuite is not the one Google currently signs with (wrong file, or the Google certificate was rotated), or it has expired
Steps to Fix:
1. Go to Admin Console > Apps > NetSuite > Download Certificate
2. Compare its fingerprint with the X509Certificate embedded in the SAML response captured by SAML-tracer; a mismatch confirms the cause
3. Re-upload the certificate in the NetSuite SAML configuration
4. Verify "Signed Response" is checked in Google app settings
Error: "ACS URL mismatch"
DIAGNOSIS AND FIX
═══════════════════════════════════════════════════════════════════════════════
Symptom: "Reply URL does not match configured ACS URL"
Cause: ACS URL in Google doesn't match NetSuite expectation
Steps to Fix:
1. Verify account ID in ACS URL
2. Format: https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs
3. Update in Admin Console > Apps > NetSuite > Service provider details
4. Save and test again
Debug Tools
| Tool | Purpose |
|---|---|
| SAML-tracer (browser extension) | View SAML request/response |
| Google Admin Console > Reports > Audit | Check SSO events |
| NetSuite Login Audit | Check NetSuite login attempts |
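Each error above corresponds to one field of the SAML response that SAML-tracer shows you. The script below, an added example for this guide and not NetSuite or Google code, takes that captured response (decoded XML or the raw base64 SAMLResponse) and checks it against the values configured in Steps 2, 6, 7 and 11: IdP issuer, ACS destination, SP audience, NameID format, validity window, and whether the signing certificate matches the one uploaded to NetSuite. It deliberately does not verify the XML signature (NetSuite does that); it tells you which configured value is wrong. The account ID, idpid, response and certificate in the block are constructed placeholders, and the ds:Signature element is cut down to the KeyInfo the check reads.

```python
"""Check a SAML Response captured with SAML-tracer against the values this
guide configures, to see which setting is wrong before changing anything.

Added example for this guide, not NetSuite or Google code. It checks IdP
issuer, ACS destination, SP audience, NameID format, validity window and the
signing certificate's fingerprint; it does NOT verify the XML signature (NetSuite
does that). The response, account ID, idpid and certificate below are constructed
placeholders; the ds:Signature is cut down to the KeyInfo the check reads.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def expected_values(account_id, idp_id):
    """Endpoints built from the templates in Step 2 and Step 6."""
    sp = f"https://system.netsuite.com/saml2/sp/{account_id}/acs"
    return {"sp_entity_id": sp, "acs_url": sp,
            "idp_entity_id": f"https://accounts.google.com/o/saml2?idpid={idp_id}"}


def cert_fingerprint(pem_or_b64):
    """SHA-256 over the DER bytes; accepts PEM or the bare base64 of <ds:X509Certificate>."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem_or_b64)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def _ts(value):
    """SAML UTC timestamp -> aware datetime (fractional seconds ignored)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(saml_response, expected, uploaded_cert_pem, now=None):
    """Return [(check, ok, detail)]. Accepts SAML-tracer's decoded XML or the raw base64 SAMLResponse."""
    if not saml_response.lstrip().startswith("<"):
        saml_response = base64.b64decode(saml_response).decode()
    root = ET.fromstring(saml_response)
    assertion = root.find("saml:Assertion", NS)
    now = now or datetime.now(timezone.utc)
    out = []

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    out.append(("issuer", issuer == expected["idp_entity_id"], issuer))
    dest = root.get("Destination", "")
    out.append(("destination", dest == expected["acs_url"], dest))
    # Informational: IdP-initiated logins (app launcher) carry no InResponseTo;
    # SP-initiated ones echo the ID of the AuthnRequest NetSuite generated.
    irt = root.get("InResponseTo")
    out.append(("in_response_to", True,
                f"SP-initiated, InResponseTo={irt}" if irt else "IdP-initiated (no InResponseTo)"))

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    out.append(("audience", audience == expected["sp_entity_id"], audience))

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", "") if name_id is not None else ""
    subject = (name_id.text or "").strip() if name_id is not None else ""
    out.append(("nameid_format", fmt == EMAIL_FORMAT, fmt or "missing"))
    out.append(("nameid_is_email", "@" in subject, subject or "missing"))  # must equal the NetSuite user's email

    cond = assertion.find("saml:Conditions", NS)
    not_before = _ts(cond.get("NotBefore", "0001-01-01T00:00:00Z"))
    not_after = _ts(cond.get("NotOnOrAfter"))
    out.append(("validity", not_before <= now < not_after,
                f"{not_before:%H:%M:%S}Z..{not_after:%H:%M:%S}Z, now {now:%H:%M:%S}Z"))

    sent = root.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    same = cert_fingerprint(sent) == cert_fingerprint(uploaded_cert_pem)
    out.append(("certificate", same, "signing cert matches the one uploaded to NetSuite" if same
                else "Google signed with a certificate different from the one uploaded to NetSuite"))
    return out


def failures(results):
    """Names of the checks that failed."""
    return [name for name, ok, _ in results if not ok]


# ---- constructed sample data (placeholders, not real identifiers or certificates) ----
SENT_CERT_B64 = base64.b64encode(b"placeholder-bytes-standing-in-for-a-DER-certificate").decode()
UPLOADED_PEM = f"-----BEGIN CERTIFICATE-----\n{SENT_CERT_B64}\n-----END CERTIFICATE-----\n"
OLD_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"an-older-rotated-out-certificate").decode()
           + "\n-----END CERTIFICATE-----\n")
EXPECTED = expected_values("1234567", "C0example")        # account ID and idpid are placeholders
WRONG_ACCOUNT = expected_values("7654321", "C0example")
T0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # "now" inside the assertion's window
T_LATE = T0 + timedelta(minutes=10)                       # "now" after NotOnOrAfter

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{EXPECTED['acs_url']}">
  <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SENT_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['sp_entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

if __name__ == "__main__":
    for name, ok, detail in check_response(SAMPLE_RESPONSE, EXPECTED, UPLOADED_PEM, now=T0):
        print(f"{'OK  ' if ok else 'FAIL'} {name:15} {detail}")
```

A failed "destination" or "audience" check points at the ACS URL / Entity ID in Step 7 (or the account ID used to build them); a failed "nameid_format" or "nameid_is_email" check points at Step 7's Name ID settings; a failed "certificate" check is the "Invalid signature" case above; a failed "validity" check usually means clock skew between Google and NetSuite and is worth checking before anything else is changed.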
Advanced Configuration
2-Step Verification (2FA)
Google's 2-Step Verification applies to SSO:
2-STEP VERIFICATION FLOW
═══════════════════════════════════════════════════════════════════════════════
User accesses NetSuite
│
▼
Redirect to Google
│
▼
Enter Google password
│
▼
2-Step Verification prompt
(if enabled for user)
│
├── Google Authenticator code
├── Security key
├── Google prompt on phone
└── Backup codes
│
▼
SAML assertion to NetSuite
│
▼
Access granted
To enforce 2-Step Verification:
- Admin Console > Security > 2-Step Verification
- Set enforcement policy
Context-Aware Access (Enterprise)
For Google Workspace Enterprise, add additional access controls:
- Go to Security > Access and data control > Context-Aware Access
- Create access levels based on:
- IP address
- Device security status
- Location
- Apply access levels to NetSuite app
Maintenance
Certificate Management
Google certificates are valid for 5 years, but you can rotate them:
- Admin Console > Apps > NetSuite
- Click SAML Settings
- Generate new certificate
- Download new certificate
- Upload to NetSuite
- Test SSO
- Remove old certificate from NetSuite
User Lifecycle
| Event | Action Required |
|---|---|
| New hire | Create NetSuite user, ensure in correct OU/group |
| Termination | Suspend the Google account (blocks new SSO logins immediately). Also remove Login Access in NetSuite: an existing NetSuite session is not ended by the suspension, and while mandatory SSO is off the NetSuite password still works |
| Email change | Update both Google and NetSuite |
| Role change | Update NetSuite roles (Google doesn't control roles) |
Comparison: Google vs Entra ID SSO
| Feature | Google Workspace | Microsoft Entra ID |
|---|---|---|
| Setup complexity | Simple | Moderate |
| Certificate validity | 5 years | 3 years (default) |
| Conditional access | Enterprise only | P1/P2 license |
| Group-based access | Yes | Yes |
| SCIM provisioning | Limited | Full support |
| Audit logging | Yes | Yes |
| MFA | 2-Step Verification | Azure MFA |
Next Steps
- Microsoft Entra ID SSO - Alternative IdP setup
- SSO Overview - Return to SSO overview
- OAuth 2.0 - API authentication