# Google Workspace

## Overview

This guide walks you through configuring SAML-based Single Sign-On (SSO) between Google Workspace and Mailtrap.

## On Google Admin side

### Access the Apps section

{% stepper %}
{% step %}
Go to **Apps** in the **Google Admin console**.

<div align="left" data-with-frame="true"><img src="/files/t0q45mUPZqMAmymzq5SH" alt="" width="375"></div>
{% endstep %}

{% step %}
Navigate to **Web and mobile apps**.

<div align="left" data-with-frame="true"><img src="/files/QIjt0VzGrpqeCNJPO5SN" alt="" width="375"></div>
{% endstep %}
{% endstepper %}

### Create a custom SAML app

{% stepper %}
{% step %}
Navigate to the **Web and mobile apps** section in Google Admin.
{% endstep %}

{% step %}
Click the **Add app** dropdown button to see available app options.
{% endstep %}

{% step %}
Select **Add custom SAML app** from the dropdown menu.

<div align="left" data-with-frame="true"><img src="/files/UA1rBtAiK9rbLbqEwL4x" alt="" width="563"></div>
{% endstep %}
{% endstepper %}

### Copy Google identity provider details

Google will provide you with the following SAML configuration details. Copy these values to use in Mailtrap:

* **SSO URL**
* **Entity ID**
* **Certificate**

<div align="left" data-with-frame="true"><img src="/files/0rpjF6up4yhrq0kTiMMI" alt="" width="375"></div>

### Configure service provider details

Enter the following service provider details from Mailtrap in Google:

* **ACS URL** → Assertion Consumer Service URL from Mailtrap
* **Entity ID** → Entity ID from Mailtrap

<div align="left" data-with-frame="true"><img src="/files/EJIDN5cyNJM3uGo2qwT8" alt="" width="375"></div>

### Verify the application

After configuration, your SAML app will appear in the Web and mobile apps list:

<div align="left" data-with-frame="true"><img src="/files/c77vF0Lc8W7blvDWarHY" alt="" width="563"></div>

### Review the configuration

You can review the service provider details and configure attribute mapping:

<div align="left" data-with-frame="true"><img src="/files/hBQCz8HI6dU4zOb6iNaF" alt="" width="563"></div>

### Enable the application

Turn on the SAML app for your users:

{% stepper %}
{% step %}
Go to the **Service Status** section for your SAML app.
{% endstep %}

{% step %}
Select **ON for everyone** to enable the app for all users, or choose specific organizational units if you want to limit access.
{% endstep %}

{% step %}
Click **Save** to apply the changes and enable the application.

<div align="left" data-with-frame="true"><img src="/files/98PsgrxQSB2EDDMG8Vpa" alt="" width="563"></div>
{% endstep %}
{% endstepper %}

## Permissions

By default, we create users with no permissions. If you want users to be automatically assigned the Account Admin or Account Viewer role, you need to set up role mapping.

### Configure role mapping

In the following example, we assign roles based on the value of the **Type of employee** attribute.

#### Configure attribute mapping in Google

{% stepper %}
{% step %}
Click **SAML attribute mapping**.

<div align="left" data-with-frame="true"><img src="/files/iR1ybvXdXc0aLu9krnST" alt="" width="375"></div>
{% endstep %}

{% step %}
Map the **Google Directory attribute** to the **App attribute**:

* **Google Directory attributes**: Employee Details > Type
* **App attributes**: Type

<div align="left" data-with-frame="true"><img src="/files/HBa0ydPeIHoKWsn0Zv5r" alt="" width="563"></div>
{% endstep %}

{% step %}
Save your attribute mapping configuration.
{% endstep %}
{% endstepper %}

#### Set employee type in Google Directory

In the **Google Directory** user profile, set the **Type of employee** field (e.g., "Admin", "Viewer"):

<div align="left" data-with-frame="true"><img src="/files/T0OMAHToBY2OY6lKxfiK" alt="" width="375"></div>

#### Configure role mapping in Mailtrap

In Mailtrap SSO settings, map the **Type** attribute to the appropriate Mailtrap roles (Admin, Viewer).

<div align="left" data-with-frame="true"><img src="/files/60ql4Lok6Uqh82uOer5Z" alt="" width="563"></div>

Your Google Workspace SSO configuration with role mapping is now complete.
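
To check the role mapping against a SAML assertion captured during a test login, this added example (not part of Mailtrap's documentation or code) extracts the `Type` attribute and reports the role the mapping should produce. The `ROLE_MAP` table, the exact case-sensitive match, the handling of multiple values, and the sample assertion are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping, mirroring the example values used on this page.
ROLE_MAP = {"Admin": "Account Admin", "Viewer": "Account Viewer"}


def attribute_values(assertion_xml, name="Type"):
    """Return every value of the named attribute in the AttributeStatement.

    Inspection only: this does not verify the assertion's signature.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for value in attr.findall("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values


def expected_role(assertion_xml):
    """Role the mapping should yield; None means 'created with no permissions'."""
    values = attribute_values(assertion_xml)
    if len(values) != 1:
        # Attribute missing, or more than one value (treated as unmapped here;
        # that choice is an assumption of this example).
        return None
    return ROLE_MAP.get(values[0])  # exact match assumed; "admin" != "Admin"


def sample_assertion(type_value=None):
    """Build a constructed, unsigned assertion for offline testing."""
    statement = ""
    if type_value is not None:
        statement = (
            '<saml:AttributeStatement><saml:Attribute Name="Type">'
            f"<saml:AttributeValue>{type_value}</saml:AttributeValue>"
            "</saml:Attribute></saml:AttributeStatement>"
        )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        f"{statement}</saml:Assertion>"
    )


if __name__ == "__main__":
    for value in ("Admin", "Viewer", "Contractor", None):
        print(value, "->", expected_role(sample_assertion(value)))
```

A result of `None` for a user who should be an admin usually means the attribute mapping in Google was not saved or the **Type of employee** field is empty or spelled differently from the value mapped in Mailtrap.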


