Google SSO (SAML)
Enforce SAML single sign-on with Google Workspace per email domain.
Wintro supports SAML 2.0 single sign-on for Google Workspace. Once enabled on an email domain, users on that domain are required to sign in through your Google IdP.
Note: SSO is a paid feature available on select Wintro plans. If your plan doesn’t include SSO, please contact our sales team to upgrade.
Tip: If you only need users to sign in with Google without enforcing it, Continue with Google works out of the box and requires no admin setup on the Wintro side.
How SSO Works in Wintro
Wintro’s SAML implementation is provider-agnostic: the Wintro side of the configuration is identical whether your IdP is Google Workspace, Microsoft Entra ID, or anything else SAML 2.0 compliant. You configure the SAML app in Google Workspace once, then a Wintro admin enables SSO on each email domain you want to enforce.
Prerequisites
- Super admin access to your Google Workspace admin console
- A Wintro plan that includes SSO
- Wintro admin access (Authentication settings)
- Each email domain you want to enforce SSO on must already be added in Wintro under Settings > Authentication > Email Domains
Step 1: Add Your Email Domain in Wintro
- In Wintro, go to Settings > Authentication
- Under Email Domains, click Add domain
- Enter the domain (e.g. acme.com) and pick Google Workspace as the identity provider
- Save
You can add multiple domains if your organisation owns several. SSO is enabled per domain, so you can roll it out gradually.
Step 2: Create a Custom SAML App in Google Workspace
- Sign in to admin.google.com as a super admin
- Go to Apps > Web and mobile apps
- Click Add app > Add custom SAML app
- Enter Wintro as the app name and click Continue
- On the Google Identity Provider details screen, you have two choices:
  - Recommended: download the IdP metadata XML file (you’ll upload it to Wintro)
  - Or copy the SSO URL, Entity ID, and download the certificate separately
- Click Continue
Step 3: Configure the Service Provider Side
On the Service provider details screen, your Wintro account manager will provide the exact ACS URL and Entity ID for your tenant. These are managed by Wintro’s auth provider, not displayed in the Wintro UI, so request them from support@wintro.ai before completing this step.
| Field | Value |
|---|---|
| ACS URL | Provided by Wintro support |
| Entity ID | Provided by Wintro support |
| Name ID format | EMAIL |
| Name ID | Basic Information > Primary email |
Click Continue.
Step 4: Map Attributes
Add the following attribute mappings so Wintro receives the user’s name and email:
| Google directory attribute | App attribute |
|---|---|
| Basic Information > Primary email | email |
| Basic Information > First name | firstName |
| Basic Information > Last name | lastName |
Click Finish.
Step 5: Turn the App ON for Users
- From the SAML app’s overview page in Google Workspace, click User access
- Set the service status to ON for everyone (or scope to specific organisational units)
- Save
Step 6: Enable SSO in Wintro
- Back in Settings > Authentication, find the email domain you added in Step 1
- Toggle SSO to on; this opens the Configure SSO modal
- Choose how to provide the metadata Google gave you in Step 2:
  - URL — paste the SAML metadata URL from Google
  - File — upload the metadata XML file (.xml) you downloaded
- Click Enable SSO
Wintro registers the SAML provider against the domain. Users on that domain will now be redirected to Google when they enter their email on the Wintro login page.
Step 7: Test the Connection
- Open an incognito window
- Go to the Wintro login page and enter an email address on the SSO-enabled domain
- You should be redirected to Google for authentication
- After signing in to Google, you should land back in Wintro
If something goes wrong, double-check the attribute mappings (Step 4) and that the Wintro service is ON for the user’s organisational unit (Step 5).
Managing the SSO Configuration Later
In Settings > Authentication, the SSO provider card shows a truncated entity ID, the metadata source (URL or XML), how many domains it covers, and when it was created. Use the Edit button to swap out metadata (for example after rotating your IdP certificate) or the Delete button to remove SSO entirely. Removing the provider also disables the SSO toggle on every domain it was associated with.
Troubleshooting
“User not found” — The signed-in Google account’s email is on a domain that isn’t associated with your SSO connection in Wintro, or that user hasn’t been added to Wintro yet.
“Invalid SAML response” — The metadata uploaded in Wintro is stale. Re-download the metadata from the Google admin console and re-upload it via Edit on the SSO provider card.
Users redirected to Google but not back — Check that the Wintro service is ON in Google Workspace (Step 5) and that the ACS URL configured in Google matches the value Wintro support provided.