> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML SSO with Google Workspace

This article describes how to set up SAML Single Sign-on for Semgrep AppSec Platform with Google Workspace, including how to set up the necessary attribute mappings.

<Tabs>
  <Tab title="Guided setup (beta)">
    This article describes how to set up SAML Single Sign-on for Semgrep AppSec Platform with Google Workspace, including how to set up the necessary attribute mappings.

    Ensure that you are an admin for both your Semgrep deployment and your Google Workspace account.

    ## Google Workspace configuration

    <Steps>
      <Step>
        [Set up a custom SAML app](https://support.google.com/a/answer/6087519?hl=en#zippy=%2Cstep-add-the-custom-saml-app) in Google Workspace. The default **Name ID** is the primary email, and this value is optimal for use with Semgrep AppSec Platform.
      </Step>

      <Step>
        When you reach the **Add mapping** step of the instructions to set up a custom SAML app, add the attribute statements that Semgrep AppSec Platform requires:

        | Name      | Value                            |
        | :-------- | :------------------------------- |
        | id        | `user.login` **or** `user.email` |
        | email     | `user.email`                     |
        | firstName | `user.firstName`                 |
        | lastName  | `user.lastName`                  |
      </Step>
    </Steps>

    ## Semgrep configuration

    <Steps>
      <Step>
        Sign in to [<Icon icon="arrow-up-right-from-square" /> Semgrep AppSec Platform](https://semgrep.dev/login).
      </Step>

      <Step>
        Go to **[Settings > Access > Login methods](https://semgrep.dev/orgs/-/settings/access/loginMethods)**.
      </Step>

      <Step>
        In the **Single sign-on (SSO)** section, provide a valid **Email domain**, then click **Initialize**.
      </Step>

      <Step>
        The **Configure Single Sign-On** dialog appears to guide you through the remaining configuration steps. Begin by selecting **Custom SAML**.
      </Step>

      <Step>
        Follow the instructions provided on the subsequent **Configure Single Sign-On** dialog pages to complete this process. When you've completed the required steps, use **Test sign-in** to test the connection.
      </Step>

      <Step>
        Once test sign-in has passed, close the test page. Verify that the **Connection details** shown on the **Connection activated** screen are correct and close the dialog.
      </Step>

      <Step>
        Verify that the **Connection status** is now **active** under the **Single sign-on (SSO)** section in Semgrep AppSec Platform.
      </Step>

      <Step>
        To use the new connection, log out of Semgrep, then log back in using SSO.
      </Step>
    </Steps>
  </Tab>

  <Tab title="Legacy manual configuration">
    Follow these steps:

    <Steps>
      <Step>
        [Set up a custom SAML app](https://support.google.com/a/answer/6087519?hl=en#zippy=%2Cstep-add-the-custom-saml-app) in Google Workspace. The default **Name ID** is the primary email, and this value is optimal for use with Semgrep AppSec Platform.
      </Step>

      <Step>
        When you reach the **Add mapping** step of the instructions to set up a custom SAML app, add the two attribute statements that Semgrep AppSec Platform requires: `name` and `email`.

        * The attribute mapped to `email` should be the primary email.
        * The attribute mapped to `name` should be some form of the user's name. You can use a default attribute like the user's first name, or create a custom attribute for their full name.

        <Frame>
          <img src="https://mintcdn.com/semgrep-ee9d73d8/yMsI1pCt6oL_Pkb9/images/kb/semgrep-appsec-platform/saml-google-workspace/image.png?fit=max&auto=format&n=yMsI1pCt6oL_Pkb9&q=85&s=60fbff113d89cb012158ff39e3e329eb" alt="Attribute mappings" width="2080" height="484" data-path="images/kb/semgrep-appsec-platform/saml-google-workspace/image.png" />
        </Frame>
      </Step>

      <Step>
        Sign in to Semgrep AppSec Platform.
      </Step>

      <Step>
        Navigate to **[Settings > Access > Login methods](https://semgrep.dev/orgs/-/settings/access/loginMethods)**.
      </Step>

      <Step>
        Click **Add SSO configuration** and select **SAML2 SSO**.
      </Step>

      <Step>
        Provide a **Display name** and your **Email domain**.
      </Step>

      <Step>
        Copy the **SSO URL** and **Audience URL (SP Entity ID)**, and provide them to Google Workspace as the **ACS URL** and **Entity ID**, respectively.
      </Step>

      <Step>
        Copy your IDP metadata, including the SSO URL and Entity ID and the x509 certificate, from the custom SAML app in Google Workspace.
      </Step>

      <Step>
        Enter these in Semgrep AppSec Platform as the **IdP SSO URL** and **IdP Issuer ID** values respectively, and upload or paste the X509 Certificate.
      </Step>

      <Step>
        Click **Save** to proceed.
      </Step>
    </Steps>
  </Tab>
</Tabs>
