docs-mintlify/admin/sso/google-workspace.mdx
Cube Cloud supports authenticating users through Google Workspace, which is useful when you want your users to access Cube Cloud using single sign on. This guide will walk you through the steps of configuring SAML authentication in Cube Cloud with Google Workspace. You must be a super administrator in your Google Workspace to access the Admin Console and create a SAML integration.
<Note>Available on Enterprise plan.
</Note>First, we'll enable SAML authentication in Cube Cloud. To do this, log in to Cube Cloud and
Click your username from the top-right corner, then click Team & Security.
On the Authentication & SSO tab, ensure SAML is enabled:
Take note of the Single Sign On URL and Service Provider Entity ID values here, as we will need them in the next step when we configure the SAML integration in Google Workspace.
Next, we'll create a SAML app integration for Cube Cloud in Google Workspace.
Log in to admin.google.com as an administrator, then navigate to
Apps → Web and Mobile Apps from the left sidebar.
Click Add App, then click Add custom SAML app:
| Name | Description |
|---|---|
| ACS URL | Use the Single Sign On URL value from Cube Cloud |
| Entity ID | Use the Service Provider Entity ID value from Cube Cloud |
On the final screen, click Finish.
From the app details page, click User access and ensure the app is ON for everyone:
In this step, we'll finalise the configuration by entering the values from our SAML integration in Google into Cube Cloud.
| Name | Description |
|---|---|
| Audience (SP Entity ID) | Delete the prefilled value and leave empty |
| IdP Issuer (IdP Entity ID) | Use the Issuer value from Google Workspace |
| Identity Provider Login URL | Use the Sign on URL value from Google Workspace |
| Certificate | Use the Signing Certificate value from Google Workspace |
Enable Auto-provision new users if you want users to be automatically created in Cube on their first login via this SAML provider. New users are assigned the Viewer role by default — see Default role for new users to choose a different role. Enable this if you are not using SCIM provisioning.
Scroll down and click Save SAML Settings to save the changes.
By default, users auto-provisioned via SAML receive the Viewer role. To assign a different role, expand the Advanced section of the SAML configuration form and pick from Default role for new users:
The selected role applies only when a user is first created. Existing
users are not modified on subsequent SSO logins. It is applied in
addition to any roles your identity provider sends via the role
attribute (subject to the rolesMap).
Admin status is not assignable through this picker — Admin is controlled separately. To grant admin permissions, update the user's role manually under Admin → Users.
</Info> <Warning>If the selected role is later renamed or deleted, new users will fall back to the Viewer role until you pick a valid role here. The Viewer fallback applies whenever the configured default cannot be resolved — whether that's because no default is set or the configured role no longer exists.
</Warning>To start using SAML authentication, use the
single sign-on URL provided by Cube Cloud
(typically <YOUR_CUBE_CLOUD_URL>/sso/saml) to log in to Cube Cloud.