Setting up Google Workspace SSO

Availability: Enterprise Edition for users with Owner permissions

Google Workspace is one of the SAML integrations supported in the Enterprise Edition of Faros. This guide contains the setup steps for integrating Google Workspace with Faros in a SaaS deployment. This can include assigning Faros user roles through Google Workspace organizational units or groups.


Authentication: If your company email is hosted by Google (Gmail), you can always use Google's OAuth to log into Faros. This requires no additional set up and is available for all Faros editions.

Authorization: Enterprise customers can manage Faros users via Google Workspace by following the instructions in this document.


  1. Setup a new custom SAML application in Google Workspace Admin panel (official guide). Name it Faros and use our logo (below).

Custom SAML application

Faros Logo

Faros Logo

  1. Create a valid certificate and download the metadata xml file

  1. In a separate browser window log in to Faros and then click on the profile icon in the top right corner of the window. Choose Workspace Settings option from the drop down menu, then click the SSO option under Workspace (available to users with Faros Owner role only).

  1. Select Add New and fill out form as follows:

    • Choose SAML for connection type
    • Note the ACS URL and Entity ID values. You will enter these in Google Workspace.
  2. Click Automatic and upload the metadata xml file you downloaded from Google Workspace, or fill in the information manually:

    • Enter the SSO endpoint from Google Workspace used for authenticating
    • Provide the public certificate found in Google Workspace.

Automatic Metadata upload

  1. Back in Google Workspace, enter the ACS URL and Entity ID. Make sure to leave the Start URL blank. Set Name ID type as Email and use Primary Email for the value.
  1. (Optional) Setup Organizational unit path as groups mapping. This would allow you to define a specific Faros role for each part of your organization. You can also add First name as firstName and Last name lastName attributes respectively.


Alternatively, if you plan on using Google Workspace groups for Faros roles be sure to select the necessary Google groups and use groups as a App attribute name.

  1. Back in Faros, click Proceed and enter the domain of your emails. These will be the emails that can login to Faros via Google Workspace. Once you hit proceed you will be provided a TXT record. Add this to your DNS.

  1. Enter your default SSO roles. More information on roles here. Default SSO roles are given to all users added to your Faros app in Google Workspace, unless other roles are specified in the Roles Groups Mapping section (and you have groups attribute configured in Google Workspace SAML). Usually, you will want to put User as default role here; if you want your base user have Analyst capabilities, put both User and Analyst.


Setting up roles

Important: All roles must include the User role to get baseline functionality. For example an analyst should get both the User and Analyst roles.