Home‎ > ‎SSO Single Sign-On‎ > ‎

Configuring Google Apps as SP via SAML through OpenAM

Configuring Google Apps as SP via SAML through OpenAM
This guide was written using Debian based ( e.g. Ubuntu ) operating system. In other distributions just change the "apt-get" to their respective package manager tool. This example uses a LDAP directory to connect with SAML platforms through OpenAM authentication.

Please replace every federation.ga with your OpenAM domian, and replace appsedudemo.com with your Google Apps domain


  • Tomcat 7

  • OpenAM.war file

  • openam subdomain created (i.e. openam.openid.ga)

  • LDAP Server


  • Install OpenAM following the Installing OpenAM guide.
  • Log-in to OpenAM web admin:

  • On "Common Tasks" tab click on "Create Hosted Identity Provider"

  • Select a "Signing key"

  • Write a "New Circle of Trust" name
  • Click on "Configure" button
  • Then click on "configura Google Apps" link

  • On "Common Tasks" tab click on "Configure Google Apps"
  • Add your Google Apps domain and click on "Create" button
  • A message will confirm when the action is completed, click OK
  • The respective SSO links and certificate will be generated.
  • Click on "Click here to download" button to download the certificate.
  • On a new browser tab Go to your Google Apps admin panel http://admin.google.com
  • Go to "Security" > "Advanced" > "Set up single sign-on (SSO)"

  • Paste the OpenAM provided links to SSO Google configuration, upload the downloaded certificate and check the "Enable Single Sign-on" and "Use a domain specific issuer" checkboxes and then click on "Save changes" button.
  • Return to OpenAM window, now to need to setup an identity provider, go to "Access Control".
  • Click on "/ (Top Level Realm)"
  • You can setup an identity provider on Authentication tab.
  • OpenAM has a default identity provider that you can use for testing proposes, if you go to "Subject" tab, you can create a new user clicking on "New".
  • The ID field must match with an existing Google Apps user.
  • In order to test please go to http://mail.google.com/a/appsedudemo.com