Configuring your Google Workspace (formerly G Suite) domain with SURFconext

In this tutorial, we will use the fictional Google Workspace domain "myuniversity.com". Replace it with your institution's Workspace domain name, the one you configured when creating your Workspace instance.

Note: uploading the certificate file in the form may discard other changes in the form that have not yet been saved. Upload the certificate first, or save the form before uploading it.


  1. Login to the Google Workspace administrative interface located at https://admin.google.com/myuniversity.com
  2. Go to Security → Set up single sign-on (SSO)
  3. Configure the fields as follows (see the screenshot below):
    1. Check the "Setup SSO with third party identity provider" checkbox
    2. Sign-in page URL:

      https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20181213
    3. Sign-out page URL:

      https://engine.surfconext.nl/logout
      

      This is an informative page telling the user to log out by closing their browser.

    4. Change Password URL
      This field should point to your institution's change password page (see also the section below).
    5. Verification Certificate
      Upload a file containing the SURFconext signing certificate. Either save the certificate below to a file (for example surfconext.pem), or browse to https://metadata.surfconext.nl/ where you will find it under Security as the "engine.surfconext.nl 20181213" certificate. This is the certificate that belongs to the key:20181213 identifier in the sign-in page URL above. Check its validity period before uploading: the certificate reproduced here is valid from 13 December 2018 until 13 December 2023, so if it has expired, fetch the current certificate (and the matching sign-in URL) from the metadata page instead:

      -----BEGIN CERTIFICATE-----
      MIID7DCCAtSgAwIBAgIJAIgMqnMYZ+t6MA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
      VQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMG
      A1UECgwMU1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSYwJAYDVQQD
      DB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAyMDE4MTIxMzAeFw0xODEyMTMxNTI5MjBa
      Fw0yMzEyMTMxNTI5MjBaMIGFMQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNo
      dDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VSRm5ldCBCLlYuMRMwEQYD
      VQQLDApTVVJGY29uZXh0MSYwJAYDVQQDDB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAy
      MDE4MTIxMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOGS+fBERf
      mWiV8aV85z45QsuFw3gkq0HbWR1JGz7cjqhjV6YZHFXyRt4ikG//9BIHS0xc/cW1
      sOMnSuCjDhY8Oh/dOk01zfgFXUcv+0iNlkEKGMlT/xJpIDIy/N4WjpGvkJO2oJHf
      rQUY115Du56MSMqd0gPvo1OsDvXroYivqxYpTTHzaf5TYQYPf6n/3rEfsu3u6L3p
      zE3/q38jnEyxfQ1UoZ9VF2Fy6oe/StlwhPUJhVwHlKDMqQ+T+tljDt26Ok9QL3zz
      W9JtBo+pnydMT/rg5h7NW8A9HASLnRLK8rFD9nBEdAPkK+elTE6QddRiTh9H84KC
      s0fQiiT6YFsCAwEAAaNdMFswHQYDVR0OBBYEFAJuZa7u0f0o2kB9uRPoB/ekx04s
      MB8GA1UdIwQYMBaAFAJuZa7u0f0o2kB9uRPoB/ekx04sMAsGA1UdDwQEAwIHgDAM
      BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBXh5l8u+ncPXkMyDqDuikN
      Le/X5j0KNjvqUtQ6QPRSt8MMvjRYWZdVC0gMOtKEAY1/cYnA2y+0yrGqmy9I/zBd
      LV73BBLnVlV2WYATYOZLWNW36kjBtdSbH0oXBp7HOu/I4lP+Sv69eRN6p2/9CmDy
      Kc5JUpXU3PEftv5Lwsqco8MMqqENhwzYlxRb96LFq08Un2QQoV60HqX4Ks79qUrn
      jRL5pKtoP4ujLmPqQIieHpTgsvHSqSa+9tZMnyEaJEvl7vpNn1M7v1bWOWwjQvMl
      YnSq5b0U5gHXgpdBYSfWnCwwpq4h8KHZ7/XVvOVsdYpjHap+907OGhqXGBsIqf9U
      -----END CERTIFICATE-----
    6. Use a domain specific issuer
      Make sure to check this box. With it enabled, Google sends google.com/a/myuniversity.com as the SAML issuer instead of the generic google.com, which is what allows SURFconext to distinguish between all connected Google Workspace domains.

  4. Register your Google Workspace domain as a service provider with SURFconext using the SP Dashboard. Send a mail to support@surfconext.nl to gain access to the dashboard. Have the following at hand:
    1. Google Workspace does not provide an SP metadata file. With the domain specific issuer enabled, Google identifies your domain with the entity ID google.com/a/myuniversity.com and receives assertions at https://www.google.com/a/myuniversity.com/acs. Contact support@surfconext.nl if you are uncertain about what to enter in the SP Dashboard.
    2. The attribute(s) used to identify your users in Google Workspace; the released value must match the users' Google account e-mail addresses. You can review the available attributes here. Attributes such as "urn:mace:dir:attribute-def:mail", "urn:mace:dir:attribute-def:uid" and "urn:mace:terena.org:attribute-def:schacHomeOrganization", or a combination of them, are used for this service across SURFconext. Choose them with care, and state whether additional processing is necessary, for example because an attribute is multi-valued and does not always contain the correct e-mail domain.
    3. This is a single-tenant service: SURFconext can hide this instance in the dashboards of other IdPs and, on request, will whitelist only the IdP(s) that need access to your Google Workspace domain.
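Before uploading the verification certificate from step 3.5, it is worth checking that the file really is the SURFconext signing certificate and that it is still within its validity period. The script below is an added example, not part of the original page or of SURFconext's own tooling. It uses only the Python standard library: a small DER walker pulls the serial number, issuer and subject CN, validity window and SHA-256 fingerprint out of the certificate reproduced on this page (embedded here so it runs offline), and check_before_upload reports why the file should not be uploaded. The expected CN and the "expired" rule are this example's own assumptions about what a correct file looks like.

```python
"""Inspect the SURFconext signing certificate before uploading it to Google (stdlib only)."""
import base64
import hashlib
import re
from datetime import datetime, timezone

# The certificate reproduced on this page, embedded here so the example runs offline.
SURFCONEXT_PEM = """-----BEGIN CERTIFICATE-----
MIID7DCCAtSgAwIBAgIJAIgMqnMYZ+t6MA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMG
A1UECgwMU1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MSYwJAYDVQQD
DB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAyMDE4MTIxMzAeFw0xODEyMTMxNTI5MjBa
Fw0yMzEyMTMxNTI5MjBaMIGFMQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNo
dDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VSRm5ldCBCLlYuMRMwEQYD
VQQLDApTVVJGY29uZXh0MSYwJAYDVQQDDB1lbmdpbmUuc3VyZmNvbmV4dC5ubCAy
MDE4MTIxMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOGS+fBERf
mWiV8aV85z45QsuFw3gkq0HbWR1JGz7cjqhjV6YZHFXyRt4ikG//9BIHS0xc/cW1
sOMnSuCjDhY8Oh/dOk01zfgFXUcv+0iNlkEKGMlT/xJpIDIy/N4WjpGvkJO2oJHf
rQUY115Du56MSMqd0gPvo1OsDvXroYivqxYpTTHzaf5TYQYPf6n/3rEfsu3u6L3p
zE3/q38jnEyxfQ1UoZ9VF2Fy6oe/StlwhPUJhVwHlKDMqQ+T+tljDt26Ok9QL3zz
W9JtBo+pnydMT/rg5h7NW8A9HASLnRLK8rFD9nBEdAPkK+elTE6QddRiTh9H84KC
s0fQiiT6YFsCAwEAAaNdMFswHQYDVR0OBBYEFAJuZa7u0f0o2kB9uRPoB/ekx04s
MB8GA1UdIwQYMBaAFAJuZa7u0f0o2kB9uRPoB/ekx04sMAsGA1UdDwQEAwIHgDAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBXh5l8u+ncPXkMyDqDuikN
Le/X5j0KNjvqUtQ6QPRSt8MMvjRYWZdVC0gMOtKEAY1/cYnA2y+0yrGqmy9I/zBd
LV73BBLnVlV2WYATYOZLWNW36kjBtdSbH0oXBp7HOu/I4lP+Sv69eRN6p2/9CmDy
Kc5JUpXU3PEftv5Lwsqco8MMqqENhwzYlxRb96LFq08Un2QQoV60HqX4Ks79qUrn
jRL5pKtoP4ujLmPqQIieHpTgsvHSqSa+9tZMnyEaJEvl7vpNn1M7v1bWOWwjQvMl
YnSq5b0U5gHXgpdBYSfWnCwwpq4h8KHZ7/XVvOVsdYpjHap+907OGhqXGBsIqf9U
-----END CERTIFICATE-----"""

# Assumption of this example: the subject CN we expect; "20181213" is the key id in the sign-in URL.
EXPECTED_CN = "engine.surfconext.nl 20181213"
OID_CN = "550403"  # id-at-commonName (2.5.4.3), DER-encoded, as hex

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def name_to_dict(name):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into {oid_hex: text}."""
    out = {}
    for _, rdn in children(name):      # each RelativeDistinguishedName (SET)
        for _, atv in children(rdn):   # each AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, val) = list(children(atv))[:2]
            out[oid.hex()] = val.decode("utf-8")  # PrintableString and UTF8String both decode as UTF-8
    return out

def parse_time(tag, value):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (tag 0x18, four-digit year), Zulu."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_certificate(pem):
    """Return serial, issuer/subject CN, validity window and SHA-256 fingerprint of a PEM certificate."""
    der = pem_to_der(pem)
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    tbs = next(children(cert))[1]
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first in tbsCertificate
        fields.pop(0)
    serial, _alg, issuer, validity, subject = [v for _, v in fields[:5]]
    (nb_tag, nb), (na_tag, na) = list(children(validity))
    return {
        "serial": format(int.from_bytes(serial, "big"), "x"),
        "issuer_cn": name_to_dict(issuer).get(OID_CN),
        "subject_cn": name_to_dict(subject).get(OID_CN),
        "self_signed": issuer == subject,  # issuer DN byte-identical to subject DN
        "not_before": parse_time(nb_tag, nb),
        "not_after": parse_time(na_tag, na),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }

def check_before_upload(pem, now=None, expected_cn=EXPECTED_CN):
    """Reasons not to upload this file as the verification certificate; an empty list means it looks right."""
    info = inspect_certificate(pem)
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["subject_cn"] != expected_cn:
        problems.append(f"subject CN is {info['subject_cn']!r}, expected {expected_cn!r}")
    if now < info["not_before"]:
        problems.append(f"not valid before {info['not_before']:%Y-%m-%d}")
    if now > info["not_after"]:
        problems.append(f"expired on {info['not_after']:%Y-%m-%d}; fetch the current one from https://metadata.surfconext.nl/")
    return problems
```

Run `inspect_certificate(SURFCONEXT_PEM)` to print the fields, and compare the SHA-256 fingerprint with the one shown on https://metadata.surfconext.nl/ before you upload; `check_before_upload(SURFCONEXT_PEM)` evaluated after 13 December 2023 reports the certificate on this page as expired, which is exactly the case where you should take the current certificate from the metadata page instead.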