# Google Workspace SSO

> Connect Google Workspace to ClosedLoop AI with SAML SSO and just-in-time provisioning.

Connect Google Workspace to ClosedLoop AI so workspace members sign in through your company's Google identity provider.

<Tip>Use the ClosedLoop AI values generated inside your workspace. They are region-aware and include the correct workspace entity ID.</Tip>

## What Google Workspace Manages

| Capability                | Description                                                               |
| ------------------------- | ------------------------------------------------------------------------- |
| SAML SSO                  | Members sign in to ClosedLoop AI through Google Workspace.                |
| Just-in-time provisioning | ClosedLoop AI can create a Member account after Google verifies the user. |
| Admin-managed access      | Google admins control who can use the ClosedLoop AI SAML app.             |

## Prerequisites

* A Google Workspace admin account with permission to create custom SAML apps.
* A ClosedLoop AI workspace admin account.
* Your ClosedLoop AI workspace ID. ClosedLoop AI shows this value during setup.

## Setup Guide

<AccordionGroup>
  <Accordion icon="key-round" title="Step 1: Open Google Workspace setup in ClosedLoop AI">
    1. Sign in to ClosedLoop AI as a workspace admin.
    2. Go to **Integrations** > **Google Workspace SSO**.
    3. Keep this page open. You will copy the generated **ACS URL** and **Entity ID** into Google Admin.
  </Accordion>

  <Accordion icon="building" title="Step 2: Create a custom SAML app in Google Admin">
    1. In Google Admin, go to **Apps** > **Web and mobile apps**.
    2. Click **Add app** > **Add custom SAML app**.
    3. Set the app name to **ClosedLoop AI**.
    4. Continue to the Google IdP details step.
    5. Copy the Google **SSO URL** and **Entity ID**.
    6. Download or copy the Google signing certificate.
  </Accordion>

  <Accordion icon="shield-check" title="Step 3: Configure service provider details">
    Paste the generated ClosedLoop AI values into Google.

    | Google field    | Value                                |
    | --------------- | ------------------------------------ |
    | ACS URL         | The **ACS URL** from ClosedLoop AI   |
    | Entity ID       | The **Entity ID** from ClosedLoop AI |
    | Start URL       | Leave blank                          |
    | Signed response | On                                   |
    | Name ID format  | `EMAIL`                              |
    | Name ID         | `Basic Information > Primary email`  |

    Signed response must be enabled because ClosedLoop AI verifies the SAML response signature. Members start sign-in from the ClosedLoop AI email screen, then return to ClosedLoop AI after Google verifies them.
  </Accordion>

  <Accordion icon="users" title="Step 4: Map attributes">
    Add these attribute mappings in Google Admin.

    | Google directory attribute          | App attribute |
    | ----------------------------------- | ------------- |
    | `Basic Information > Primary email` | `email`       |
    | `Basic Information > First name`    | `firstName`   |
    | `Basic Information > Last name`     | `lastName`    |

    These defaults match the attribute fields shown in ClosedLoop AI.
  </Accordion>

  <Accordion icon="save" title="Step 5: Save Google values in ClosedLoop AI">
    1. Return to **Integrations** > **Google Workspace SSO** in ClosedLoop AI.
    2. Paste the Google **Entity ID**.
    3. Paste the Google **SSO URL**.
    4. Paste the Google certificate.
    5. Keep **Enable Google Workspace sign-in** on.
    6. Keep **JIT provisioning** on if members should be created on first Google sign-in.
    7. Click **Save Google Workspace setup**.
  </Accordion>

  <Accordion icon="check-circle" title="Step 6: Turn the app on for users">
    In Google Admin, assign the ClosedLoop AI SAML app to the users or groups who should have access.

    Test with one user first. After confirming sign-in works, roll it out to the rest of the intended group.
  </Accordion>
</AccordionGroup>

## Testing

After configuration:

1. Assign a test user to the ClosedLoop AI SAML app in Google Admin.
2. Open ClosedLoop AI and enter the test user's email address.
3. Confirm ClosedLoop AI redirects the user to Google.
4. Complete Google sign-in.
5. Confirm the user returns to ClosedLoop AI.

## Troubleshooting

| Symptom                                                        | Fix                                                                                                                               |
| -------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| Google sign-in succeeds but ClosedLoop AI rejects the response | Confirm **Signed response** is enabled in Google Admin.                                                                           |
| The user is not allowed into ClosedLoop AI                     | Confirm the user is assigned to the Google SAML app, and JIT provisioning is enabled or the user already exists in the workspace. |
| ClosedLoop AI does not find the user's email                   | Confirm Google maps `Basic Information > Primary email` to the `email` app attribute.                                             |
| The browser returns to the wrong region                        | Recopy the ACS URL and Start URL from the ClosedLoop AI workspace you are configuring.                                            |
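
When one of the rows above applies, capturing the base64 `SAMLResponse` form field from a test sign-in and checking its structure shows which Google Admin setting is off. This is an added example, not ClosedLoop AI or Google code: `check_saml_response`, `sample_response` and the ACS URL are hypothetical, the sample response is constructed, and the check is structural only (it does not verify the signature cryptographically).

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")  # app attributes from Step 4

def check_saml_response(b64_response, expected_acs_url):
    """List setup problems in a SAMLResponse captured from your own test sign-in."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # "Signed response: On" puts ds:Signature directly under samlp:Response;
    # with it off, Google signs only the assertion inside the response.
    if root.find("ds:Signature", NS) is None:
        problems.append("response not signed: enable Signed response in Google Admin")
    dest = root.get("Destination")
    if dest is not None and dest != expected_acs_url:
        problems.append("Destination differs from the ACS URL: recopy it")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not EMAIL")
    sent = {a.get("Name") for a in root.iterfind(
        "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    for attr in REQUIRED_ATTRS:
        if attr not in sent:
            problems.append(f"attribute mapping missing: {attr}")
    return problems

def sample_response(signed, attrs, acs):
    """Build a constructed, minimal response for the demo (not real Google output)."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"/>' for n in attrs)
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' Destination="{acs}">{sig}<saml:Assertion><saml:Subject>'
        f'<saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>'
        f'</saml:Subject><saml:AttributeStatement>{attr_xml}'
        f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    ACS = "https://sp.example.invalid/acs"  # placeholder, not a real ClosedLoop AI URL
    bad = sample_response(False, ["email"], ACS)
    for problem in check_saml_response(bad, ACS):
        print("-", problem)
```
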

<CardGroup cols={2}>
  <Card title="Open ClosedLoop AI US" icon="log-in" href="https://app.closedloop.sh/integrations/google-workspace-sso">
    Configure Google Workspace SSO in a US workspace
  </Card>

  <Card title="Open ClosedLoop AI EU" icon="log-in" href="https://eu.app.closedloop.sh/integrations/google-workspace-sso">
    Configure Google Workspace SSO in an EU workspace
  </Card>
</CardGroup>
