Skip to main content
Google Workspace can act as a SAML IdP for Planasonix through a custom SAML app. You need Google Workspace super admin (or delegated admin with Services → Settings for SAML apps) and organization admin in Planasonix.

Gather Planasonix URLs

From Settings → Security → SSO, copy:
  • ACS URL (Assertion Consumer Service URL)
  • Entity ID (SP entity identifier)
Google’s admin console asks for these as ACS URL and Entity ID (or equivalent labels in the SAML app form).

Create the custom SAML application

1

Open SAML app configuration

In Google Admin console, go to Apps → Web and mobile apps → Add app → Add custom SAML app.
2

Name and optional branding

Enter an app name (for example, Planasonix) and optional icon, then continue.
3

Enter service provider details

Choose I have SP metadata if Planasonix provides a metadata XML file; otherwise select Set up connection manually and enter:
  • ACS URL: paste the Planasonix ACS URL exactly.
  • Entity ID: paste the Planasonix Entity ID exactly.
  • Start URL (optional): your organization’s Planasonix login URL if Google prompts for it.
Set Name ID to EMAIL unless your Planasonix admin specifies PERSISTENT or another format aligned with your user matching rules.
4

Map attributes

Add attribute mappings so Planasonix receives email, first name, and last name using the attribute names shown on the Planasonix SSO configuration screen. Add group mappings only if your tenant uses group-based authorization from SAML.
5

Finish and turn the app on

Complete the wizard. Under User access, turn the SAML app ON for everyone or restrict to an Organizational Unit or Group for phased rollout.

X.509 certificate management

Google signs SAML assertions with an IdP certificate. Planasonix needs the current certificate (via metadata upload or manual paste) to validate signatures.
Download IDP metadata from the Google SAML app page or copy the X.509 certificate block into Planasonix along with SSO URL and Entity ID from Google.
Certificate renewal does not change your ACS URL or Entity ID. You typically update only the signing certificate or full IdP metadata in Planasonix.
Set a calendar reminder 30 days before certificate expiration. Pair renewal with a test login from an incognito browser using a non-production pilot account when possible.

Manual ACS and entity URLs

When you configure manually (no SP metadata file), double-check for typos, http vs https, and trailing slashes. Google and Planasonix both treat URLs as exact strings.
If users see Google authenticate successfully but Planasonix returns an error, verify ACS URL and Entity ID character-for-character against the Planasonix SSO screen. Mismatches are the most common root cause after certificate issues.

SSO overview

SAML setup summary and enforcing SSO for the org.

Teams and permissions

Group and role mapping after Google SSO.