This guide walks workspace owners through connecting Google Workspace as a SAML identity provider for Retrac. SAML SSO is available on Enterprise plans.
Test in a staging Google app before enforcing SSO on production users. Keep at least one break-glass owner account with a non-SSO recovery path.

Prerequisites

  • Google Workspace admin access
  • Retrac workspace owner role
  • Enterprise plan with SAML enabled

Set up Google Workspace SAML

Step 1: Open Retrac Security settings

In Retrac, go to Settings → Security and click to configure SAML Single Sign-On. Select Google Workspace as your identity provider.

Step 2: Create a SAML app in Google Admin

In the Google Admin console, go to Apps → Web and mobile apps → Add app → Add custom SAML app. Name the app Retrac and continue through the setup wizard.

Step 3: Copy Retrac ACS URL and Entity ID

From the Retrac SAML setup modal, copy:
  • ACS URL (Assertion Consumer Service URL)
  • Entity ID (SP Entity ID / Audience URI)
Paste these into the corresponding fields in the Google SAML app configuration.

Step 4: Copy the metadata URL

In the Google SAML app setup, Google provides an IdP metadata URL (or downloadable metadata XML).
  1. Copy the metadata URL from Google.
  2. In Retrac Settings → Security, paste the metadata URL into the SAML configuration form.
  3. Save the configuration in Retrac.
Retrac uses this metadata to trust Google’s signing certificate and SSO endpoint.

Step 5: Map attributes

In Google, map SAML attributes so Retrac receives:
Google attribute | Retrac expects
Primary email    | Email address
First name       | Given name (optional)
Last name        | Family name (optional)
The email attribute must match a user allowed to access Retrac.

Step 6: Assign users and test

In Google Admin, assign the Retrac SAML app to users or groups who should sign in.
  1. Sign out of Retrac.
  2. On the login page, click Sign in with SAML (or use your IdP-initiated flow).
  3. Confirm you land in the correct workspace.
If login fails, verify the ACS URL, Entity ID, and metadata URL match exactly between Google and Retrac.

Remove SAML

Owners can disconnect SAML from Settings → Security. Coordinate with your IT team before removing production SSO. See Security documentation and Google Workspace SCIM for user provisioning.