Configure SSO using SAML from Google GSuite

In this topic:

    This note describes how to configure your Dome9 account to use Single Sign-on (SSO) from Google GSuite using SAML. 

    1. In G Suite Admin console, navigate to SAML apps. 
    2. Click the “+” button to add a new service. 
    3. Click SETUP MY OWN CUSTOM APP. You will be presented with Step 2.
    4. Download the Certificate.  We will use it in a later step.
    5. Keep the Google Admin Console open on this page.
    6. In a new tab, open the Dome9 console and navigate to: Administration -> Account Settings -> SSO.
    7. Click Enable.
    8. On the Dome9 SSO Configuration page set the following:
      Account ID – This can be any text you want. No need to make it complicated 

      Issuer – Copy the “Entity ID” field from Step 2 of the G Suite page and paste it here. 
      Idp Endpoint URL - Copy the “SSO URL” field from Step 2 of the G Suite page and paste it here. 

      X.509 certificate - Using a text editor, open the certificate file you downloaded earlier and copy the full contents. Paste it in this field. 
      Just-in-time provisioning for the account – This option allows for Dome9 users to be created and deleted when a G Suite user is created or deleted.
    9. Click Save. The page will refresh and you should now see:
      Leave this page open.
    10. Switch back to G Suite Console and click Next.
    11. Fill in the details as you like. These are details that users will see.
    12. Click Next. Fill in the following fields.
      ACS URL – Copy this URL from the “Login Page” field of the Dome9 SSO Configuration. Add: /saml after the /sso (full URL should look like – 
      Entity ID - This is always
      Name ID Format – Change to “EMAIL”
    13. Continue to click Next until you are back at the SAML apps page.
    14. Click on the newly created Dome9 SAML app.
    15. Click Edit Service.
    16. Choose to turn ON/OFF for your organization (or specific groups).
    17. Switch back to Dome9 Console and navigate to: Administration -> Users
    18. Using the Actions menu next to a username, choose Connect to SSO to enable the user to login using SSO.


    1. When SSO is enabled, creating new users will enable SSO by default for the user.
    2. Connecting a user to SSO will disable the normal login method for that user.
    3. When disconnecting SSO from a user, the user will need to re-enable MFA in Dome9 console. (If MFA was originally used)

    Login using SSO

    If a user has permissions in G Suite AND Dome9 to use SSO, once logged in to their G Suite account, the user can click the menu in Google and choose Dome9 from the list of apps.