Google SSO using SAML

In this guide, you're going to learn how to connect Better Stack as a SAML application to your Google Workspace.

If you are using regular Google SSO, these steps aren't needed. SAML SSO is an advanced option that gives you more fine-grained control over who in your organization has access to Better Stack, by using Google Workspace groups.

Need help deciding between the SSO options? Got stuck setting things up?

Please let us know at hello@betterstack.com.

We're happy to help! 🙏

SSO set-up walkthrough

  1. Start the SSO set-up by going to Single Sign-On configuration. Note that only organization admins have access to these settings.
  2. On this page, in the Generic SAML SSO panel, click Connect.
  3. Select Google (SAML) from the list of supported providers.
  4. Keep this page open. We'll fill in more information in a moment!

We're going to switch to Google's Admin console now:

  1. Visit the Google Admin console.
  2. In the menu on the left, under Apps, choose Web and mobile apps.
  3. Click on Add app and choose Add custom SAML app from the dropdown.
  4. As the App name enter Better Stack.
  5. Copy the following fields, and paste them to Better Stack:
    • Copy SSO URL from Google and paste it as Identity Provider Single Sign-On URL on Better Stack
    • Copy the Certificate from Google and paste it as X.509 Certificate on Better Stack
  6. Click Continue in the Google Admin console.
  7. Fill in the Service provider details:
    • Copy the ACS URL from Better Stack and paste it as ACS URL on Google
    • Copy the Entity ID from Better Stack and paste it as Entity ID on Google
    • Check the Signed response box on Google
  8. Under Name ID format select EMAIL, then click Continue.
  9. In the Attributes table, we'll need to add three mappings:
    • Choose Basic Information > First Name and enter first_name as the App attribute
    • Click Add Mapping, then choose Basic Information > Last Name and enter last_name as the App attribute
    • Click Add Mapping, then choose Basic Information > Primary Email and enter email as the App attribute
  10. Click Finish.
  11. Now the application is configured, but nobody in your organization has access yet. We'll grant access in the next step.
  12. Click on the User access section.
  13. The next step depends on your preferred scenario:
    • To let everyone in your organization sign into Better Stack, set Service Status to ON for everyone, then click Save.
    • To limit access to a specific organizational unit, click Organizational Units, click on the unit that should have access, set Service Status to ON for everyone, then click Save.
    • To limit access to a specific group, click Groups, click on the group that should have access, set Service Status to ON, then click Save.
  14. Back at Better Stack, click Connect. You will be redirected to the Google Sign In page. Please sign in with a user that has the same Primary Email as the Better Stack account you are using.

Tada! Your Better Stack organization is now configured to use SAML SSO via Google.
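
To confirm that the settings from the walkthrough took effect, you can inspect the base64-decoded SAMLResponse that Google posts to the ACS URL. The script below is an added example, not Better Stack's or Google's code: it checks that the whole response is signed, that the ACS URL and Entity ID match, that the Name ID format is EMAIL, and that the three attribute mappings are present. The ACS and ENTITY_ID values are placeholders and the sample response is constructed for the demo.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("first_name", "last_name", "email")  # App attributes from step 9
# Placeholders: use the ACS URL and Entity ID shown on your Better Stack SSO page.
ACS = "https://sp.example.com/saml/acs"
ENTITY_ID = "https://sp.example.com/saml/metadata"


def check_response(xml_text, acs=ACS, entity_id=ENTITY_ID):
    """Structural config check of a decoded SAML response; does NOT verify the signature."""
    problems, root = [], ET.fromstring(xml_text)
    # "Signed response" puts a ds:Signature directly under samlp:Response;
    # a signature found only inside saml:Assertion means the box was left unchecked.
    if root.find("ds:Signature", NS) is None:
        problems.append("response not signed")
    if root.get("Destination") != acs:
        problems.append("Destination != ACS URL")
    if (root.findtext(".//saml:Audience", "", NS) or "").strip() != entity_id:
        problems.append("Audience != Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EMAIL")
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)
               if (a.findtext("saml:AttributeValue", "", NS) or "").strip()}
    problems += [f"missing attribute: {n}" for n in REQUIRED_ATTRS if n not in present]
    return problems


def sample_response(signed=True, attrs=REQUIRED_ATTRS, fmt=EMAIL_FORMAT):
    """Constructed sample for the demo; not a captured Google response."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>x'
                       '</saml:AttributeValue></saml:Attribute>' for n in attrs)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{ACS}">{sig}<saml:Assertion><saml:Subject>'
            f'<saml:NameID Format="{fmt}">ada@example.com</saml:NameID></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}'
            '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    print(check_response(sample_response()))
    print(check_response(sample_response(signed=False, attrs=("email",))))
```

An empty list means the response matches the settings from the walkthrough. Run it only on responses from your own sign-in, since a SAML response contains user data.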