Use Keycloak to log into Google Workspace (KeyCloak 25 SAML SSO)

This guide talks about setting your enterprise Keycloak as a way your employee can log into their Google Workspace.

Most of the guides online talk about how to use Google as an identity provider for KeyCloak. The only one I found about using Keycloak as identity provider to Google was outdated and did not work. So I wrote this article.

Keycloak setup

First, create a new SAML application using the following config:

Remember to replace example.com with your Keycloak domain.

Now, Google requires an email mapping. This means, if you have an account in Google Workspace with email [email protected], you will set the email property of that user in Keycloak to be [email protected] and set the below SAML capabilities / Name ID format to email.

The rest of the configuration can stay untouched.

After creating the application, open it, and go to the Keys tab to copy the certificate to a new file called saml_pub_cert.pem

Now, in the file, make sure you include --—BEGIN CERTIFICATE----- in the beginning and --—END CERTIFICATE----- at the end of the line. Like this:

Configuration on Google

Go to your Google admin portal. And go to the Security >
SSO with third-party IDPs.

On the tap, tap to create a profile in the Third-party SSO profile for your organization section:

For the certificate file, upload your saml_pub_crt.pem

Save the changes.

Login

Now, access this URL:

https://your_keycloak_domain.example.com/realms/your_realm/protocol/saml/clients/googleapps?RelayState=true

And you should be able to login.

There might be an issue where after logging in, it shows this page:

While I have not figured how to solve this yet. You are already logged in. You can navigate to google.com or gmail and you will see that you have logged in via Keycloak identity.

Cheers!