Last updated on 23rd February 2026

Configuring SSO with Google Workspace

Use Google Workspace as your identity provider so DeployHQ users can authenticate with their Google accounts. DeployHQ acts as a SAML Service Provider, while Google Workspace provides the Identity Provider (IdP) metadata described below.

Prerequisites

  • DeployHQ Enterprise subscription with access to Settings → SAML SSO
  • Google Workspace Super Admin permissions
  • User groups that should receive DeployHQ access

Step 1: Create a custom SAML app

  1. Sign in to the Google Admin console and go to Apps → Web and mobile apps.
  2. Click Add App → Add custom SAML app.
  3. Enter an application name such as "DeployHQ" and optionally upload the DeployHQ logo, then click Continue.

Step 2: Gather Google IdP information

  1. On the Google Identity Provider details page, click Download Metadata or copy the individual values displayed:
    • SSO URL
    • Entity ID
    • Certificate
  2. Leave this tab open—you will paste these into DeployHQ shortly. Click Continue when you are ready to configure the Service Provider section.

Step 3: Enter DeployHQ service provider values

  1. In the Service Provider Details form configure:
    • ACS URL: https://identity.deployhq.com/authentication/saml/acs
    • Entity ID: deployhq
    • Name ID format: EMAIL
    • Name ID: Basic Information → Primary Email
  2. Click Continue. When prompted for attribute mapping you can optionally add:
    • FirstName: Basic Information → First name
    • LastName: Basic Information → Last name
  3. Click Finish to create the application.

Step 4: Turn the app on for your users

  1. After the app is created, open it and click User access.
  2. Choose ON for everyone or ON for selected groups and save. Only the users you enable here will be able to use SSO with DeployHQ.

Step 5: Configure DeployHQ

  1. In DeployHQ navigate to Settings → SAML SSO and click Configure SAML SSO.
  2. Fill in the fields using the Google IdP details from Step 2:
    • Issuer → Google Entity ID
    • Login URL → Google SSO URL
    • Certificate → Paste the certificate body from the downloaded metadata file
  3. Make sure Enable SAML SSO is checked, then click Save Configuration. After verifying the sign-in, you can enable Enforce SSO if you want to disable password logins.
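
The following is an added example, not DeployHQ or Google code: it reads a metadata file like the one downloaded in Step 2 and returns the three values Step 5 asks for, removing line breaks from the certificate and checking that it is intact base64. The sample metadata, its URLs and its certificate bytes are constructed placeholders. The result key names, and that DeployHQ accepts the certificate body as a single unbroken line, are assumptions.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder URLs and dummy "certificate" bytes,
# not values from a real Google Workspace tenant.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x82" + bytes(range(120))).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>{textwrap.fill(SAMPLE_CERT_B64, 40)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml: str) -> dict:
    """Return the Issuer, Login URL and certificate body from IdP metadata."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("refusing metadata that carries a DTD")
    root = ET.fromstring(metadata_xml)
    sso = root.find(".//md:SingleSignOnService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    if not root.get("entityID") or sso is None or cert is None or not cert.text:
        raise ValueError("metadata lacks entityID, SSO URL or certificate")
    body = "".join(cert.text.split())  # drop line breaks and indentation
    # validate=True raises binascii.Error (a ValueError) on stray characters
    der = base64.b64decode(body, validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return {
        "issuer": root.get("entityID"),
        "login_url": sso.get("Location"),
        "certificate_body": body,
        "sha256_fingerprint": ":".join(digest[i:i + 2] for i in range(0, 64, 2)),
    }


if __name__ == "__main__":
    for field, value in idp_settings(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

The SHA-256 fingerprint gives a short value for confirming that two copies of the certificate are identical, for example after re-downloading the metadata.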

Step 6: Test the sign-in

  1. In an incognito window, go to the DeployHQ sign-in page and choose Sign in with SSO.
  2. Enter your DeployHQ account domain. You should be redirected to Google for authentication and then back to DeployHQ.
  3. If everything works, roll the configuration out to additional users and optionally enforce SSO.

Troubleshooting tips

  • App not visible: Confirm the DeployHQ app is turned on for the user’s organizational unit or group.
  • Google error app_not_configured_for_user: The user is not assigned to the DeployHQ SAML app; enable it for their OU/group.
  • Email mismatch: Ensure the DeployHQ user’s email matches the Google primary email set as Name ID.
  • Certificate issues: When copying from the metadata XML include the complete certificate block or re-download the metadata to avoid formatting issues.

Official resources