Single Sign-On with Google

Step 1: Set the Base URL

  1. In the Platform sidebar, click on your user, then click Organization settings. Switch to the Single sign-on tab.
  2. In the Base URL field, enter the HTTPS URL for your platform installation and click Submit. This will generally match the value in your browser. It should be the domain or subdomain you host CloudQuery platform on, like https://cloudquery.example.com:

Setting the base URL in the CloudQuery admin panel

Step 2: Create a SAML app in Google Admin

  1. In a new tab, open https://admin.google.com/
  2. Click Apps → Web and mobile apps → Add app → Add custom SAML app

Creating a SAML app in Google Admin

Step 3: Complete App Details

  1. In the App Name field, enter a name to identify your application with. CloudQuery is a good choice in most cases.
  2. (Optional) Enter a description
  3. (Optional) Provide an App icon for your users. You can use this icon: Google CloudQuery icon (Right-click on the image → Save Image As… → Save to your drive. Then upload it in the Google interface.)
  4. Click Continue

Google CloudQuery app details

Step 4: Download & Upload Metadata

  1. On the next page, click Download Metadata:

Google Admin SAML app setup page with the Download Metadata button highlighted

This will download a GoogleIDPMetadata.xml file onto your drive. Click Continue.

  2. Upload the XML metadata file in the CloudQuery admin panel by clicking Upload metadata file:

CloudQuery Platform SSO admin panel with the Upload metadata file button for importing Google IdP metadata

Step 5: Enter ACS URL and Entity ID

Back in the Google Admin interface, enter the values for ACS URL and Entity ID. Both can be copied from the CloudQuery Platform Admin page:

Copying ACS URL and Entity ID

Copy these values into the highlighted fields:

Entering ACS URL and Entity ID

When done, click Continue on the Google page.

Step 6: Set Attribute Mappings

Next, enter some basic attribute mapping information:

  1. First name → first_name
  2. Last name → last_name
  3. Primary email → email

Setting attribute mappings

Step 7: Configure Group Membership

On the same screen, configure group membership so that CloudQuery Platform can assign roles based on your Google Workspace groups.

  1. In the Group membership section of the Google SAML app, add the groups you want to map to CloudQuery Platform roles. Set the App attribute to the name you want to use as the group claim (e.g., groups).

Setting group membership

  2. In the CloudQuery Platform SSO settings, set the Group attribute field to the same value as the App attribute you configured in Google (e.g., groups).

Setting the group attribute in CloudQuery Platform

  3. Click Continue in the Google UI.

You can map multiple groups to different roles in CloudQuery Platform. For the full configuration, including default roles for users not in any group and multiple group-to-role mappings, see Map Groups to User Roles.

The Group attribute value in CloudQuery must exactly match the App attribute value in Google. This is case-sensitive.

Step 8: Enable User Access

Now, click on the User access section.

The entire User access block is clickable

Google Admin SAML app overview page with the User access section to click for enabling access

Select ON for everyone. Then click SAVE.

Google Admin User access settings with ON for everyone selected to enable SSO for all organization users

Though not covered in this guide, you can also specify which users in your organization should have access by only turning it on for certain groups.

Step 9: Save and Test

Click Save and enable on the CloudQuery admin page:

Saving and enabling user access

On the Google Admin page, click TEST SAML LOGIN.

Google Admin SAML app page with the TEST SAML LOGIN button to verify the SSO configuration

If everything is set up correctly, you should now be logged into CloudQuery Platform with your Google account.
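
If login works but profile fields or roles are wrong, the attribute names from Steps 6 and 7 are the first thing to check. The script below is an added example, not CloudQuery or Google code: it reads the attribute names from a decoded SAML assertion and reports any that are missing, empty, or differ only by case from the expected names. The sample assertion is constructed, capturing and base64-decoding the SAMLResponse from your own test login is assumed to be done separately, and the script does not validate the assertion signature.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("first_name", "last_name", "email")  # App attribute names from Step 6

# Constructed sample assertion (not captured from a real login).
# "Groups" is deliberately capitalised to show the Step 7 case mismatch.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:AttributeStatement>
  <saml2:Attribute Name="first_name"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="last_name"><saml2:AttributeValue>Byron</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="email"><saml2:AttributeValue>ada@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Groups"><saml2:AttributeValue>cq-admins</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""


def read_attributes(xml_text):
    """Return {attribute name: [values]} from every AttributeStatement."""
    # Only parse assertions you captured yourself; for XML from an
    # untrusted source use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_mappings(xml_text, group_attribute):
    """List problems that would break profile or group-to-role mapping."""
    attrs = read_attributes(xml_text)
    problems = []
    for name in REQUIRED + (group_attribute,):
        if name in attrs:
            if not any(v.strip() for v in attrs[name]):
                problems.append(f"{name}: present but empty")
            continue
        # The match is case-sensitive, so report near misses explicitly.
        near = [n for n in attrs if n.lower() == name.lower()]
        if near:
            problems.append(f"{name}: sent as '{near[0]}' (case mismatch)")
        else:
            problems.append(f"{name}: missing")
    return problems


if __name__ == "__main__":
    # group_attribute is the value typed into the Group attribute field.
    for problem in check_mappings(SAMPLE, "groups"):
        print("FAIL", problem)
```

Pass the exact string from the CloudQuery Group attribute field as `group_attribute`; an empty result means every expected attribute name arrived with a non-empty value.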
