How to set up single sign-on and auto-provisioning between G Suite and third-party apps

Connect third-party apps to G Suite with single sign-on and auto-provisioning to streamline account access, creation, and management

How to set up single sign-on and auto-provisioning between G Suite and third-party apps

When you start a new job at an organization that uses G Suite, you'll get your account name and password. You'll also likely need to sign-in to several other services, such as a human resources system, collaboration tools, messaging apps, a phone or conferencing system, and one--or more--databases, among many others.

Google provides two ways to help G Suite users and administrators streamline management of all these accounts: single sign-on (SSO) and auto-provisioning. SSO makes life easier for an account holder. They need to remember only their G Suite account sign-in information. That means people have fewer sign-in credentials to remember, which also may mean that your organization's help desk receives fewer password reset requests. Auto-provisioning makes management easier for a G Suite administrator: They need fewer steps to create, modify, or remove accounts. Both require configuration by a G Suite Admin before use.

Single sign-on

If you're a G Suite Administrator, you can configure single sign-on to let people in your organization sign-in with their G Suite account and then access third-party apps. Google has configured connections to about 75 other services, and gives you the ability to add others.

To connect G Suite to one of these pre-configured SSO apps, login as a G Suite administrator at, choose Apps, then SAML apps. Select the yellow circle with the plus in the middle (in the lower right corner) to add a new connection to a third-party app. Choose from the listed services, or create your own custom connection.

SEE: Kill the hassle of password management with Google Apps SSO

Photo of author holding G Suite sign with account info; arrow pointing from this photo to another photo with 16 images of the author holding signs with the logos of some apps that support SSO and auto-provisioning in G Suite

Single sign-on simplifies access for the account holder: One login provides access to many accounts. Auto-provisioning simplifies account creation for a G Suite admin. Once configured, adding a G Suite account automatically also adds an account for the user at the correct corresponding services.

Image: Andy Wolber/ TechRepublic


Google also supports auto-provisioning for about a quarter of the apps with preconfigured SSO. Provisioning means that when a G Suite administrator creates, modifies, or deletes a G Suite account, then an account for that user will be created, modified, or deleted at the connected service. Before you can configure auto-provisioning, you first have to set up single sign-on for the app.

To configure provisioning, you'll also need administrative access to the app you want to configure for auto-provisioning. For example, to connect Slack you'll need to sign-in to a Slack administrator account, while to connect Dialpad you'll need to contact the Dialpad support team. The process varies among the apps. Follow the specific instructions listed on the G Suite Automated user provisioning help page for the app you want to connect.

G Suite admins can control which users receive an account on a connected service. For example, you might want every user to receive a Dialpad account for phone services, but only a specific group of people need Zendesk accounts for customer support. You can set or adjust the scope to auto-provision accounts for the appropriate people. Note that even after you configure and activate provisioning, some services may require license assignments to newly added users.

You may choose what to do when an account is deprovisioned, meaning that the G Suite account changes to something other than active status. You can choose different deprovisioning options based on whether the app is turned off for a user, the user's G Suite account is suspended, or the user's G Suite account is deleted. In each case, you can delay account deletion for the connected account by a period of days: within 24 hours, after 1 day, after 7 days, or after 30 days. Whichever setting you select, be sure to give your IT team sufficient time to obtain and preserve data in accordance with your organization's data preservation policies.

The G Suite Edition you use determines the number of apps you may auto-provision. If you use the G Suite Basic, Government, or Nonprofit edition, your G Suite admin can configure auto-provisioning for up to three apps. Otherwise, if you use G Suite Education, Business, or Enterprise edition, an admin can configure all available apps for auto-provisioning.

As of January 2018, the apps that are available for auto-provisioning with G Suite include: Amazon Web Services, Asana, Box Enterprise, Dialpad, DocuSign, Evernote Business, Freshdesk, GoToMeeting, Lucidchart, Microsoft Office 365, RingCentral Office, Salesforce, Salesforce Sandbox, SAP Cloud Platform Identity Authentication, Slack, Smartsheet, Sugar, Workplace by Facebook, and Zendesk.

Your thoughts?

Have you configured SSO and auto-provisioning between G Suite and third-party apps? Does this configuration save your IT administrative team time? What additional steps do you take to preserve data when deprovisioning an account? Let me know-- either in the comments below or on Twitter (@awolber).

Also see