# SSO with GSuite (Google Workspace)

### Vectra configuration

Vectra’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Vectra account as an administrator.

1. Navigate to **Settings > Global Security/SSO** and enable **SAML Single Sign-on**.
2. Copy the **Assertion consumer service (ACS) URL** from the **SAML Single Sign-On Settings** page that appears. It will be needed as input into Auth0 later.

### GSuite Walkthrough

1. Starting from <https://admin.google.com>, select **Apps > Web and mobile apps**.

![Select Web and mobile apps from admin console menu](/files/k2zUTxqBVgzKQTItBnUL)

2. Select **Add custom SAML app** from the **Add App** dropdown.

![Select Add custom SAML app from Add an app dropdown](/files/9fFGa2yNXrBzRq5LDl8k)

3. Provide the application name and logo.

   1. App name: Vectra
   2. App logo (optional, right-click on image below to save to file):

   ![Vectra logo (to save as file)](/files/6zxpOp43r4pjXG0zzL38)

![Enter App name and (optionally) logo](/files/byEQr2B3u83zqqbFUxXk)

4. Click Continue. On the next page, download the Metadata file.

![](/files/zcgELF8hWYpcIWMmIjS8)

5. Next, upload the metadata file to Vectra in the **Metadata** section of the **Essentials** screen on the **SAML Single Sign-On Settings** page.

![](/files/D6BF5DBSIkbo77GhvnNU)

6. Once the metadata file has been uploaded, go back to GSuite, click "Continue", then perform the following:
   1. Copy the **ACS URL** and **Entity ID** from Vectra back to GSuite.
   2. Check the "**Signed response**" checkbox.
   3. Set the Name ID format to **EMAIL**.
   4. Set Name ID to **Basic Information** > **Primary email**.

![](/files/YX5RIljh35eb8Yy3OhRg)

7. Click Continue. Next we will add attribute mappings which will create the user fields provided to Vectra.

![](/files/hcBIZahGoQyP9vU7rZ5L)

8. **Add a Role to the SAML attributes**: Google does not have `role` as one of its available user attributes. However, roles can be managed in Google by using User Groups. The group information can be passed in the SAML response to be used as role information.

   ![](/files/TuTe3GVsVgnbszeBroH2)
9. Configure the role mapper in Netography to match the group attribute name.\
   ![](/files/uBWXQOXEGGGmTOBgd853)

### Vectra post-configuration

1. Return to the Vectra portal, and upload the **Identity provider metadata** file you downloaded above.

![](/files/2rWVRwHyMjhqO2SckluI)

2. Click Next
3. Now configure the **User attribute mappers** to match the mapper values configured in Auth0 above:

![](/files/tzQ9anQ4fzTN7nvRGVhL)

4. Click Next.
5. Next, configure the Default user role and role mappers:
   1. Default user role: This is the role an IDM-authenticated user will default to if the role mappings are not found in the SAML exchange. For security purposes, we recommend setting this value to "readonly", but you may want to set this to "admin" as you are testing your configuration.
   2. Admin role mappers: Configure these according to the screenshot below:

![](/files/VUfCYI02FJSJKwvlGAbD)

6. Click the **Save** button.

Done! Now your users can log in directly via your identity provider using a new account-specific login URL. The new SSO Login URL can now be found under the **Essentials** settings in the **SAML Single Sign-On Settings** page.

![](/files/ysjZ0jlTbOw8GdQe92gR)

{% hint style="warning" %}
**🚧The default login will still work for your account administrator, which is not bound to your IDM.**
{% endhint %}
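The following is an added example, not Vectra's code and not part of the original guide: a minimal model of how a group-to-role mapper with a default role behaves, to show why the default role matters when the group attribute name and the role mapper disagree. The attribute name `groups`, the group `vectra-admins`, the `ROLE_MAPPERS` table and the exact, case-sensitive matching are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured traffic). A real response must have
# its signature verified by a SAML library before any attribute is trusted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>vectra-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapper table: role -> group names that grant it.
ROLE_MAPPERS = {"admin": {"vectra-admins"}}


def group_values(assertion_xml, attr_name="groups"):
    """Return the non-empty values of the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:  # exact, case-sensitive match (assumed)
            for v in attr.iterfind("saml:AttributeValue", NS):
                if v.text and v.text.strip():
                    values.append(v.text.strip())
    return values


def resolve_role(assertion_xml, default_role="readonly", attr_name="groups"):
    """Map group membership to a role; fall back to default_role on no match."""
    groups = set(group_values(assertion_xml, attr_name))
    for role, granting_groups in ROLE_MAPPERS.items():
        if groups & granting_groups:
            return role
    return default_role


if __name__ == "__main__":
    print(resolve_role(SAMPLE_ASSERTION))  # mapper matches
    # IdP and mapper disagree on the attribute name: nobody matches a mapper,
    # so every user receives whatever the default role is.
    print(resolve_role(SAMPLE_ASSERTION, attr_name="Groups"))
    print(resolve_role(SAMPLE_ASSERTION, default_role="admin", attr_name="Groups"))
```

In this model, a single attribute-name mismatch between GSuite and the role mapper sends every authenticated user to the default role, which is why a default of "admin" should not outlive testing.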


