Configure SAML 2.0 for Google

Supported Features

  • Identity Provider Initiated Login
  • Just in time user provisioning

Configuration Steps

  1. Sign in to Tiled as an Account Admin
  2. Navigate to Account Settings.
  3. Under General Settings, scroll down to the Auto Provisioning 
  4. Select a required Default Role and Default Group for new users
    • NOTE: Users who are Just in time Provisioned into the Tiled account will receive the role and group specified in this step.
  5. Check the Enable Auto Provisioning box:

  6. Scroll down to the Saml Settings section.
  7.  Input and org domain
    • NOTE: The value that is input into this field will be used to generate our service provider metadata link as well as our service provider erentityID.
  8. Click Update Settings
  9. To build your Identity Provider Metadata XML use the above org domain and insert it into the below URL structure:{ORG DOMAIN}/metadata.xml
    • EXAMPLE if I set my Org Domain to "saltydog-admin" my resulting metadata URL would be:
    • NOTE: This URL should now resolve to Tiled's service provider metadata, with this information you will have access to the following items needed to complete your set up in Google.
      • entity ID
      • X509 Certificate
      • Assertion Consumer Service URL

We can now add a new SAML application in Google: 

  1. In your Google Admin console (at
  2. Go to SAML Apps

  3. Click Add + at the bottom right
  4. Click Set up my own custom app.
    The Google IDP Information window opens and the SSO URL and Entity ID fields automatically populate.

  5. Use option 2 to Download the IDP metadata

  6. Provide the application a Name, Description and upload a Logo Available here
  7. Click Next

  8. Copy and the entity ID from the Tiled metadata URL that you created in Step 9 above and paste it in the Identifier (entity ID) field
  9. Copy and the Assertion Consumer Service from the Tiled metadata URL that you created in Step 9 above and paste it in the Reply URL (Assertion Consumer Service URL) field
  10. Check Signed Response
  11. Click Next

  12. Click Add New Mapping

  13. Create mappings to release the following attributes
    Application Attribute Category User Field
    email Basic Information Primary Email
    name Basic Information  First name


  14. Open the Federation Metadata XML saved from Google in Step 5 and Paste it into the Identity Provider Metadata XML section of Tiled
  15. Click Update Settings

The configuration is now complete you can assign users to the application in Google and use their built-in test feature to ensure authenticate 

Common Errors

Response Error Potential Fix
{"type":"TypeError","status":500,"message":"Cannot read property '0' of undefined"}} Ensure the Additional Claims rules from step 19 are properly sending 'email'



Please sign in to leave a comment.