# Google SSO using SAML

Learn how to connect Better Stack as a SAML application to your Google Workspace.

If you are using regular Google SSO, these steps are not needed. SAML SSO is an advanced option that allows more fine-grained control over who in your organization has access to Better Stack by using Google Workspace groups.

[info]
#### Need help deciding between the SSO options? Got stuck setting things up?

Please let us know at hello@betterstack.com. We're happy to help. 🙏
[/info]

## SSO setup

1. Go to [Single Sign-On configuration](https://betterstack.com/settings/sso ";_blank").
2. In the **Generic SAML SSO** panel, click **Connect** and select **Google (SAML)**.
3. Keep this page open. You will need the **ACS URL** and **Entity ID**.

### In Google Admin

1. Go to the Google [Admin console](https://admin.google.com ";_blank").
2. In the left menu, go to **Apps** → **Web and mobile apps**.
3. Click **Add app** and choose **Add custom SAML app**.
4. For **App name**, enter `Better Stack` and click **Continue**.
6.  Copy the following fields and paste them to Better Stack:
    * Copy **SSO URL** from Google and paste it as **Identity Provider Single Sign-On URL** in Better Stack.
    * Copy the **Certificate** from Google and paste it as **X.509 Certificate** in Better Stack.
7. Click **Continue**.
8. Fill in the **Service provider details**:
    *   For **ACS URL**, use the **ACS URL** from Better Stack.
    *   For **Entity ID**, use the **Entity ID** from Better Stack.
    *   Check the **Signed response** box.
9. Under **Name ID format**, select **EMAIL**, then click **Continue**.
10. In the **Attributes** table, add three mappings:
    *   Map **Basic Information > First Name** to `first_name`.
    *   Map **Basic Information > Last Name** to `last_name`.
    *   Map **Basic Information > Primary Email** to `email`.
11. Click **Finish**.
12. Click the **User access** section to grant access. You can enable the app for everyone, a specific organizational unit, or a group.
13. Set **Service Status** to **ON** for the desired users and click **Save**.

### In Better Stack

1. Paste the **SSO URL** from Google into the **Identity Provider Single Sign-On URL** field.
2. Paste the **Certificate** from Google into the **X.509 Certificate** field.
3. Click **Connect**. You will be redirected to Google to sign in.

Your Better Stack organization is now configured to use SAML SSO via Google.