Configure Google Workspace for UserLock SSO

Secure Google Workspace logins with UserLock Single Sign-On (SSO) to enforce corporate authentication policies while simplifying access for users.

Published September 26, 2025
Useful resources

Introduction

This guide explains how to integrate Google Workspace with UserLock Single Sign-On (SSO) using the SAML 2.0 protocol.

Once configured, Google Workspace logins are authenticated by UserLock against Active Directory. This provides a seamless sign-in experience and allows administrators to enforce UserLock access policies (MFA, time, machine, or location restrictions) to SSO sessions.

🚩️ Before starting:

  • You need a Google Workspace account with super-administrator rights.

  • UserLock SSO must already be installed and configured.

Step 1. Configure Google Workspace for Single Sign-On

  1. Log into the Google Admin console at https://admin.google.com.

  2. Go to Security â–¸ Authentication â–¸ SSO with third party IdP.

Option A. Apply SSO globally

  1. In Third-party SSO for your organization, check Set up SSO with third-party identity provider.

  2. Fill the fields with your UserLock SSO values:

    Settings

    Values

    Sign-in page URL

    https://sso.<yourdomain>.com/saml/sso

    Sign-out page URL

    https://sso.<yourdomain>.com/connect/endsession

    Verification certificate

    1. Go to UserLock console▸undefined️ Server Settings▸ Single Sign-On

    2. Click on Download â–¸ SAML certificate.

    3. Open it in a text editor, and paste the contents here

  3. (Recommended) Enable Use a domain-specific issuer.

Option B. Apply SSO by OU or Group

  1. In Third-party profiles, click ADD SAML PROFILE.

  2. Define the Entity ID, Sign-in page URL, Sign-out page URL, and upload the UserLock certificate.

  3. Save the profile.

Assign the SSO profile

  1. Go to Manage SSO profile assignments.

  2. Choose the desired option:

    • Organization's third-party SSO profile (global application).

    • Another SSO profile (OU- or Group-based).

    • None (SSO disabled, users sign in with Google credentials).

Step 2. Activate Google Workspace in UserLock

In the UserLock console, go to ⚙️ Server settings ▸ Single Sign-On.

If applied globally

  1. Click on the Google row.

  2. Fill the fields:

    Settings

    Values

    Email Domain

    Domain used for Google Workspace logins.

    Émetteur

    Your Google Workspace instance domain (e.g. google.com/a/sso.mydomain).

    ACS URL

    e.g. https://google.com/a/sso.mydomain/acs.

If applied to OU/Group profiles

  1. From the Google Admin console, copy the Entity ID and ACS URL from the SP details of the chosen SSO profile.

  2. Paste them into UserLock.

Troubleshooting

For common issues, see Troubleshooting SSO.
If the problem persists, please contact IS Decisions Support.

Handling SSO unavailability

SSO can be disabled in emergencies. Super-administrators can always log in with their full Google admin email address and password.

To disable SSO in Google Workspace:

  1. Log into the Google Admin console at https://admin.google.com.

  2. Go to Security â–¸ Authentication â–¸ SSO with third party IdP.

  3. In Manage SSO profile assignments, select None.

    • Users will then sign in with their regular Google credentials.

Next steps

You can extend the security of SSO sessions by applying UserLock access policies in addition to authentication.