
Logging in to an Application Using Google

This tutorial guides you through configuring Google and WSO2 Identity Server (WSO2 IS) to enable users to log in to your application using their Google credentials. In this tutorial, Google is configured as a SAML2 federated identity provider (IdP) and a sample application called "Pickup" acts as the service provider. Follow the instructions in the sections below to set this up.

Before you begin

  1. Create a Google domain.
  2. Download and install Apache Tomcat version 8.*.* or higher.
  3. Install WSO2 IS version 5.9.0 by downloading the installer.
  4. Open the /etc/hosts file, add the following entry, and restart your computer.
    To avoid any IP address conflicts, ensure that this is the only entry for this IP address in the /etc/hosts file.


    This step is only required if you wish to use a WSO2 IS sample application to try out this scenario. If you wish to use your own application instead, you can skip this step.

Set up Google as a SAML IdP

  1. Access the Google Admin console by navigating to this URL:
  2. Log in using your administrator account.
  3. Click Admin Console.
  4. Click Apps and then click SAML apps.


    If you do not see the Apps button on the home page, click More Controls at the bottom of the page.


  5. Click the icon at the bottom-right of the page.


  7. Click Download next to the IDP Metadata field to download the Google identity provider metadata.
    A GoogleIDPMetadata.xml file is downloaded to your machine.

  8. Click Next and enter an Application Name and Description for your application. This is the name and description that your users will see.
    You can also upload an image of your logo.

  9. Click Next and enter the following details.


    In this tutorial, the Start URL configured below is the homepage URL of a WSO2 IS sample application called "Pickup".

    1. ACS URL: https://localhost:9443/commonauth
    2. Entity ID: wso2is1
    3. Start URL:
    4. Name ID Format: EMAIL
  10. Click Next and then click Finish.

  11. Once the application is configured, click Edit Service and change the Service Status to ON. You can turn on the service for everyone or for some users only.

Configure Google as a SAML IdP in WSO2 IS

  1. Start WSO2 Identity Server by navigating to the <IS_HOME>/bin/ folder and running the following command.

    • Windows
    • Linux/Unix
  2. Log in to the management console using admin/admin credentials.

  3. Click Add under Identity Providers on the Main tab.
  4. Enter "GoogleIdP" as the identity provider name and expand Federated Authenticators>SAML2 Web SSO Configuration.
  5. Select Enable SAML2 Web SSO and enter "wso2is1" as the Service Provider Entity ID.


    The Service Provider Entity ID value should be equal to the value you entered as the Entity ID when configuring Google.

  6. Select Metadata File Configuration as the Mode and upload the GoogleIDPMetadata.xml file you downloaded earlier.

  7. Click Register to save the identity provider configurations.

  8. Once the IdP is registered, it is listed under Identity Providers. Click Edit and expand Federated Authenticators>SAML2 Web SSO Configuration.

  9. Select Enable Logout and enter "" as the Logout URL.

  10. Click Update to save the changes.

Set up the sample application


The instructions in this section are only required if you are using the Pickup sample application to try out this scenario. Skip the instructions in this section if you are using your own application instead.

  1. Deploy and configure the saml2-web-app-pickup-dispatch sample application.
  2. Edit the service provider configured above to set Google as the federated identity provider. Expand Local and Outbound Configuration and select Federated Authentication.
  3. Select "GoogleIdP" (the identity provider you created before) as the federated authenticator.

  4. Click Update to save.

Trying it out

  1. Access the Pickup sample application URL:
  2. Click Login. You are redirected to the Google login page.

  3. Sign in using your Google credentials. You are redirected to the Pickup sample homepage.

  4. In a new tab in your browser, access the following URL:


    You are automatically logged in to your Gmail using single sign-on (SSO).

  5. Next, log out of the Pickup application. To log out, click your username in the top-left corner and click Logout.

  6. Access the Gmail tab. Note that you are logged out of Gmail using single logout.