Hi everyone,
While setting up Google Workspace SSO with UCS Keycloak, I noticed that Univention’s current documentation still references the older method for setting up Google SAML integration.
Specifically, the UCS Keycloak SAML client setup examples use a fixed client-id of google.com when configuring Keycloak:
UCS docs:
https://docs.software-univention.de/keycloak-migration/migration-examples/saml.html
However, Google has introduced a new mechanism based on SSO Profiles, where:
- Each SAML app inside Google Admin has a unique SSO Profile ID.
- Your Entity ID and ACS URL are now unique per app, e.g.:
  Entity ID: https://accounts.google.com/samlrp/031vkzz123nmi111
  ACS URL: https://accounts.google.com/samlrp/031vkzz123nmi111/acs
Therefore, when creating the Keycloak SAML client for Google Workspace now:
Client ID must match the full Entity ID from Google’s SSO Profile, e.g.,
https://accounts.google.com/samlrp/031vkzz123nmi111
There may be more changes required; I am not sure, because I tried dozens of things to fix this, but the Client ID was for sure a major one.
Just thought to share.
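As an added example (not code from the post above, from UCS, or from Keycloak), the following Python helper builds a Keycloak SAML client representation whose clientId is the full Entity ID of a Google SSO Profile, derives the ACS URL from it (Entity ID + "/acs", as in the IDs quoted above), and checks an existing client for the legacy fixed client-id "google.com". The helper names, the regular expression for the samlrp Entity ID, and the use of the Keycloak client attribute saml_assertion_consumer_url_post are assumptions made for this example; the SSO Profile ID is the one quoted in the post and is not a real profile.

```python
"""Build and sanity-check a Keycloak SAML client for a Google Workspace SSO Profile.

Hypothetical helper written for this example; not part of UCS, Keycloak or Google.
"""
import json
import re

# Shape of the per-app Entity ID that Google issues for an SSO Profile (assumption).
SAMLRP_RE = re.compile(r"^https://accounts\.google\.com/samlrp/([A-Za-z0-9]+)$")

# Fixed client-id used by the older integration docs; flagged as a misconfiguration here.
LEGACY_CLIENT_ID = "google.com"


def acs_url_for(entity_id: str) -> str:
    """Derive the ACS URL from an SSO Profile Entity ID: <entity_id>/acs."""
    if not SAMLRP_RE.match(entity_id):
        raise ValueError(f"not a Google SSO Profile entity ID: {entity_id}")
    return entity_id + "/acs"


def build_client(entity_id: str) -> dict:
    """Keycloak client representation (JSON) with clientId equal to Google's Entity ID.

    Suitable as input for `kcadm.sh create clients -r <realm> -f -` (assumption).
    """
    acs = acs_url_for(entity_id)
    return {
        "clientId": entity_id,  # must equal the Entity ID verbatim, not "google.com"
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs],
        "attributes": {
            # Keycloak SAML client attribute for the POST-binding ACS endpoint
            "saml_assertion_consumer_url_post": acs,
        },
    }


def check_client(client: dict, entity_id: str) -> list:
    """Return a list of human-readable problems; an empty list means the client looks right."""
    problems = []
    cid = client.get("clientId")
    if cid == LEGACY_CLIENT_ID:
        problems.append("clientId is the legacy fixed value 'google.com'")
    elif cid != entity_id:
        problems.append(f"clientId {cid!r} does not match Entity ID {entity_id!r}")
    if client.get("protocol") != "saml":
        problems.append("protocol is not saml")
    acs = acs_url_for(entity_id)
    if acs not in client.get("redirectUris", []):
        problems.append(f"ACS URL {acs} missing from redirectUris")
    if client.get("attributes", {}).get("saml_assertion_consumer_url_post") != acs:
        problems.append("saml_assertion_consumer_url_post does not point at the ACS URL")
    return problems


if __name__ == "__main__":
    # Example profile ID quoted in the post (constructed, not a real SSO Profile).
    ENTITY = "https://accounts.google.com/samlrp/031vkzz123nmi111"
    print(json.dumps(build_client(ENTITY), indent=2))

    # A client created the old way: correct endpoints but the fixed client-id.
    legacy = build_client(ENTITY)
    legacy["clientId"] = LEGACY_CLIENT_ID
    for problem in check_client(legacy, ENTITY):
        print("legacy config:", problem)
```

Running the script prints the client JSON for the new-style profile and one finding for the legacy configuration (the fixed client-id); feeding the JSON to Keycloak's admin CLI or pasting the values into the UCS client setup is left to the operator.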