> ## Documentation Index
> Fetch the complete documentation index at: https://docs.plerion.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Google single sign-on

> Set up Google Workspace single sign-on (SSO) with Plerion using SAML and group-based role mapping

With **Google single sign-on (SSO)**, you can enable secure authentication to Plerion through Google Workspace. This setup uses SAML and Google Groups to map users and roles to Plerion roles.

<Note>
  You need **super administrator** access in Google Workspace and **Organization Admin** permissions in Plerion.
</Note>

***

## Steps to configure Google SSO

<Steps>
  <Step title="Log in to Google Admin console">
    Sign in to [admin.google.com](https://admin.google.com) with a super administrator account.
  </Step>

  <Step title="Create a custom SAML app">
    * Go to **Menu** > **Apps** > **Web and mobile apps**.
    * Click `Add app` > `Add custom SAML app`.
    * Enter a name (e.g., "Plerion") and click `Continue`.

    See Google's [Set up your own custom SAML app](https://support.google.com/a/answer/6087519) for details.
  </Step>

  <Step title="Download Google IdP metadata">
    On the **Google Identity Provider details** page, copy the **SSO URL** and **Entity ID**, and download the **Certificate**. Click `Continue`.
  </Step>

  <Step title="Configure the service provider details">
    * In Plerion, go to `Admin` > `Single sign-on` and copy the **SSO URL**.
    * In Google, paste the URL as both **ACS URL** and **Entity ID**.
    * Click `Continue`.
  </Step>

  <Step title="Map attributes">
    On the **Attribute mapping** page, add the following mapping:

    * **Primary email** → `email`
  </Step>

  <Step title="Configure group membership for role mapping">
    * Under **Group membership**, click `Search for a group` and add the Google Groups that correspond to your Plerion roles.
    * In the **App attribute** field, enter the attribute name Plerion expects for role mapping (e.g., `role`).
    * Click `Finish`.
  </Step>

  <Step title="Enable the app for your users">
    * On the app details page, click `User access`.
    * Set the service status to **ON for everyone** and click `Save`.
  </Step>

  <Step title="Configure trust in Plerion">
    * In Plerion, go to `Admin` > `Single sign-on` > `Edit` > `Trust`.
      * Paste **SSO URL** into **Single Sign-On URL**
      * Paste **Entity ID** into **Identity Provider Entity ID**
      * Paste the contents of the **Certificate** file into **x.509 Certificate**
    * Click `Configure` to save.
  </Step>

  <Step title="Map attributes and roles">
    * In `Attribute mapping`:
      * For **Email**, select **Use SAML Name ID**.
      * For **Roles**, set the SAML attribute to the group membership attribute from Google (e.g., `role`).
    * Map each Google Group to the corresponding Plerion role.
  </Step>

  <Step title="Test your Google SSO connection">
    * Open a new browser session and sign in with a Google account that has access to the Plerion SAML app.
    * Verify that you can log in to Plerion using Google SSO.
  </Step>
</Steps>