Google Workspace (SAML 2.0)
This topic describes how to configure single sign-on (SSO) with Google Workspace using the SAML 2.0 protocol.
In this guide, Zilliz Cloud acts as the Service Provider (SP) and Google Workspace acts as the Identity Provider (IdP). The following diagram illustrates the necessary steps in Zilliz Cloud and Google Admin console.
Before you start
- Your Zilliz Cloud organization has at least one Dedicated (Enterprise) cluster.
- You must have the Admin role in the Google Admin console.
- You are the Organization Owner in the Zilliz Cloud organization where SSO is to be configured.
Configuration steps
Step 1: Access SP details in Zilliz Cloud console
As the SP, Zilliz Cloud provides the Entity ID and ACS URL required when setting up your SAML app in Google Admin.
- Log in to the Zilliz Cloud console and go to the organization for which you want to configure SSO.
- In the left-side navigation pane, click Settings.
- On the Settings page, find the Single Sign-On (SSO) section and click Configure.
- In the dialog box that appears, choose Google Workspace (SAML 2.0) as your IdP and protocol.
- In the Service Provider Details card, copy your Entity ID and ACS URL. These values will be required in Step 2 when creating a SAML app in Google Admin console.
  📘 Notes: Alternatively, you can copy the SSO URL and Certificate here. In this case, you need to configure IdP details in Manual mode in Step 3.
- Once that's done, proceed to Step 2.
Step 2: Create a custom SAML app in Google Admin console
In this step, you configure Google Workspace (the IdP) with the SP details obtained from Zilliz Cloud.
- Log in to the Google Admin console.
- In the left-side navigation pane, choose Apps > Web and mobile apps. Then choose Add app > Add custom SAML app.
- Customize the app name (e.g., zilliz) and click CONTINUE.
- On the page that appears, download your IdP metadata from Option 1: Download IdP metadata. This will be required in Step 3 when configuring IdP settings in Zilliz Cloud console. Then, click Continue.
  📘 Notes: Alternatively, get your SSO URL, Entity ID, and Certificate from Option 2: Copy the SSO URL, entity ID, and certificate. These will be required in Zilliz Cloud console if the Manual mode is selected in Step 3.
- In the Service provider details section, configure:
  - ACS URL: Paste the ACS URL you copied from Zilliz Cloud console in Step 1.
  - Entity ID: Paste the Entity ID you copied from Zilliz Cloud console in Step 1.
  Once that's done, click Continue.
- In the Attributes section, configure:
  - Google Directory attributes: Click ADD MAPPING and select Primary email.
  - App attributes: Set the value to email.
- Click Finish.
Step 3: Configure IdP settings in Zilliz Cloud console
In this step, you provide Google Workspace’s IdP details back to Zilliz Cloud to complete the SAML trust relationship.
- Go back to the Zilliz Cloud console.
- In the Identity Provider Details card of the Configure Single Sign-On (SSO) dialog box, upload the metadata file you downloaded from Google Admin console in Step 2.
- Once that's done, click Save.
Post-configuration tasks
Task 1: Assign SAML app to users (Google Admin console)
Before users can access Zilliz Cloud through SSO, turn on your SAML app:
- On the details page of the newly created app, locate the User access area and click to edit the service status.
- To turn a service on or off for everyone in your organization, click ON for everyone or OFF for everyone, and then click Save.
- (Optional) To turn a service on or off for an organizational unit:
  - At the left, select the organizational unit.
  - To change the Service status, select ON or OFF.
  - Choose one:
    - If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
    - If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes. Note: Learn more about organizational structure.
- (Optional) To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.
- Ensure that the email addresses your users use to sign in to the SAML app match the email addresses they use to sign in to your Google domain.
Task 2: Invite users to your project
When users log in to Zilliz Cloud via SSO for the first time, they are registered as an Organization Member but have no access to any project by default.
- The Organization Owner must invite them into the appropriate projects.
- For step-by-step instructions on how to invite users to a project, refer to Manage Project Users.
After users have been invited to a project, the Organization Owner can share the Zilliz Cloud login URL with them so they can sign in through SSO.
If you encounter any issues during the setup or testing process, contact Zilliz support.
FAQ
What role is assigned to users who log in via SSO for the first time?
New users who do not already have a Zilliz Cloud account will be automatically created upon their first SSO login. These users are assigned the Organization Member role by default. You can modify their roles later in the Zilliz Cloud console. For detailed steps, refer to Manage Project Users.
How do users access projects after SSO login?
After logging in via SSO, users will have the Organization Member role by default. To access specific projects, an Organization Owner or Project Admin must invite them to projects. For detailed steps, see Manage Project Users.
What happens if a user already has a Zilliz Cloud account before logging in with SSO?
If the user already exists in your Zilliz Cloud organization (based on their email), they will retain their original role and permissions when logging in via SSO. The system matches users by email address and does not overwrite existing accounts.
Can I configure multiple SSO providers for the same organization?
Currently, each Zilliz Cloud organization supports only one active SAML SSO configuration at a time.