Using Google as your Identity Provider (IdP)
  • 02 Aug 2023


Setting up Federated Authentication with Google

  1. Log in to Google Admin with an admin account and go to Apps > SAML apps.
  2. Create a new application and select SETUP MY OWN CUSTOM APP.


  1. The next screen (Step 2 of 5) will contain information about the Google IdP. Copy the SSO URL, Entity ID and download the certificate from Option 1, because you will need them later. Select Next.

Step 2 of 5 - Google IdP information

  1. Fill in the Application Name and select Next.

  2. You'll now need to fill in the provider details:
    google apps saml add new provider

    • ACS URL and Entity ID: add a URL that points to the login endpoint of Mambu (for example
    • Start URL: leave blank
    • Name ID: select Basic Information and Primary Email
    • Name ID Format: select EMAIL
    • Select NEXT
  3. Google will ask you to set up attribute mapping. You can skip this for now; it is covered later, when adding users and assigning roles.

    google apps saml setup set up attribute mapping

  4. You can simply select FINISH and continue the setup in Mambu.

  5. In Mambu, on the main menu, go to Administration > Access > Federated Authentication and select the Enable Single Sign-On check box, with the Manual Settings option selected as well.

  6. Enter the Name you would like to use for your IdP.

  7. Enter the Single Sign-On Endpoint. This is the SSO URL from the Google IdP.

  8. Enter the Certificate Fingerprint with the value of the following command:

    openssl x509 -noout -fingerprint -sha256 -inform pem -in {/path/to/certificate-file.crt}

    Replace the placeholder above (including the curly braces) with the correct certificate name / path.

  9. Enter the Issuer ID. This is the Entity ID from the Google IdP.

  10. If an ACS URL is provided, it must match the ACS URL and Entity ID from the Google IdP (this is optional and might be a URL pointing to a reverse proxy in case a specific tenant uses a private Mambu environment).

  11. Select Test SSO Connection and enter the username and password of your Google account.

  12. If the setup is successful, you can select Save Changes.
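
What the openssl command in the Certificate Fingerprint step computes, as an added example that is not part of the original article or Mambu's own code: the SHA-256 digest of the certificate's DER bytes, plus a check that a fingerprint you are about to configure really belongs to the certificate you downloaded. The function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in a PEM file."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def sha256_fingerprint(pem_text):
    """SHA-256 over the DER encoding, formatted the way openssl prints it."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint):
    """Reduce 'sha256 Fingerprint=AA:BB:..', 'aa bb ..' or 'AABB..' to lowercase hex."""
    value = fingerprint.strip().split("=", 1)[-1]
    hex_only = re.sub(r"[\s:]", "", value).lower()
    # 40 hex digits is a SHA-1 fingerprint, which openssl prints when
    # -sha256 is left out of the command; reject it instead of comparing.
    if not re.fullmatch(r"[0-9a-f]{64}", hex_only):
        raise ValueError("not a SHA-256 fingerprint (need 64 hex digits)")
    return hex_only

def fingerprint_matches(pem_text, configured):
    """True if the configured value is the fingerprint of this certificate."""
    actual = normalize(sha256_fingerprint(pem_text))
    return hmac.compare_digest(actual, normalize(configured))

# Constructed sample: the body is base64 of the bytes b"abc", not a real
# certificate, so the digest is the standard SHA-256("abc") test vector.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
```
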

Restrict access to only certain users

If you want to limit Mambu access to specific users, you can use Google organizational units, as described in How the organizational structure works and Tailor service settings for different users.

  1. In Google, go to Manage organizational units and create a new item (such as "support") under your current one.

Organizational units screen with "support" subunit

  1. Go to Users and change the organizational unit for the desired users.

users screen with change organization unit option visible in menu

  1. Select your app from SAML apps and select Edit Service.
  2. In the panel on the left-hand side, select Settings for specific organizational units.
    For example, for "", you can select OFF as Service status, whereas for "support" you can select ON.
  3. Under Status, you should see something like "ON for some".


  1. Go to Mambu and try to log in with a user that belongs to the "support" organizational unit. The login should be successful.
  2. If you try to log in with a user that is not included in the "support" organizational unit, you should get a 403 error message.

Add and assign roles

  1. From the Directory > Users list, select Manage custom attributes.

Users list with "Manage custom attributes" button visible

  1. Add custom attribute.

adding custom attribute with the category "federation roles" and the custom field name "RoleID"

  1. From the Users list, select a user and select the User information panel.

example user information panel

  1. For the RoleID custom attribute, select Edit and add a value. Although multiple values can be configured, Mambu currently uses only the first one.

adding the mambu-regular-user value to the RoleID field

  1. Add a new attribute mapping (in SAML Apps).

attribute mapping when using google as an identity provider

Branch Assignment

For each of your users, you must also define the branch they are assigned to in Google. For more information, see Managing Users under Federated Authentication - Branch assignment.

The following are the main steps to perform branch assignment using Google as your IdP:

  1. Create a custom attribute called BranchID.


  1. Associate the BranchID custom attribute to the BranchID app attribute.

Mapping Branch ID attribute in Google identity provider

  1. Edit each user in your IdP to add the BranchID custom attribute to their profile and fill out the ID of the branch they are assigned to.

