Configuring your G Suite domain with SURFconext
In this tutorial, we use the fictional Google Workspace domain "myuniversity.com". Replace it with your institution's Workspace domain name, the one you configured when creating your Workspace instance.
Note: uploading a file in the form (the certificate) may reset other, not yet saved, changes made in the form.
- Log in to the Google Workspace administrative interface at https://admin.google.com/myuniversity.com
- Go to Security → Set up single sign-on (SSO)
- Configure the fields as follows (see the screenshot below):
- Check the "Setup SSO with third party identity provider" checkbox
- Sign-in page URL:
  https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20230503
- Sign-out page URL:
  https://engine.surfconext.nl/logout
  This is an informative page telling the user to log out by closing their browser.
- Change Password URL:
  This field should point to your institution's change password page. See also the section below.
- Verification Certificate:
  Upload the file containing the SURFconext signing certificate. Use the certificate file attached below, or browse to https://metadata.surfconext.nl/ where you will find it under Security (engine.surfconext.nl 20230503 certificate).
- Use a domain specific issuer:
  Make sure to check this box. This enables SURFconext to distinguish between all connected Google Workspace domains.
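As an added example that is not part of SURF's documentation or tooling: a small Python script that reads SAML IdP metadata (a constructed sample below, with a placeholder certificate body instead of real SURFconext data), pulls out the HTTP-Redirect sign-in URL and the signing certificate, writes that certificate in the PEM form the upload field needs, and checks that the key id in the sign-in URL is the one whose certificate you are about to upload, so a URL and a certificate from different key rollovers never get paired.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

# Constructed sample shaped like SAML 2.0 IdP metadata; NOT the real SURFconext file,
# and the certificate body is placeholder text, not a real X.509 certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20230503"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def extract_idp_settings(metadata_xml: str) -> dict:
    """Pull the values the Google Workspace SSO form asks for out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    # Only the signing key matters: Google verifies SAML response signatures with it,
    # so an encryption-use certificate would be the wrong file to upload.
    signing = idp.find("md:KeyDescriptor[@use='signing']", NS)
    der = base64.b64decode("".join(signing.find(".//ds:X509Certificate", NS).text.split()))
    # The upload form expects PEM: base64 of the DER, wrapped at 64 columns.
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
           + "\n-----END CERTIFICATE-----\n")
    return {
        "sso_url": sso.get("Location"),
        "certificate_der": der,
        "certificate_pem": pem,
        # Compare with the fingerprint the admin console shows after upload.
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }

def key_id_matches(settings: dict, expected_key: str) -> bool:
    """The sign-in URL carries a key:<id> suffix that changes on a SURFconext key
    rollover; stop if it is not the key whose certificate you are about to upload."""
    return settings["sso_url"].endswith(f"/key:{expected_key}")
```

Point `extract_idp_settings` at the metadata downloaded from https://metadata.surfconext.nl/ instead of the sample, and write `certificate_pem` to the file you upload in the Verification Certificate field.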
- Register your Google Workspace domain with SURFconext using the SP Dashboard. Send an email to support@surfconext.nl to gain access to the dashboard. Make sure you have the following at hand:
- There is no metadata file in Google Workspace. Please contact support@surfconext.nl if you are uncertain about what to use in the SP Dashboard.
- The attribute(s) used to provision your users to Google Workspace. You can review the attributes in SURFconext. Attributes such as "urn:mace:dir:attribute-def:mail", "urn:mace:dir:attribute-def:uid" and "urn:mace:terena.org:attribute-def:schacHomeOrganization", among others, or combinations of them, are used for this service across SURFconext. Choose them carefully. Also specify whether additional processing is necessary, for example because some attributes are multi-valued and do not always contain the correct email domain.
- This is a Single Tenant service. We can make sure this instance is hidden in the Dashboards of other IdPs. On request, you can whitelist the IdP(s) that need access to your Google Workspace domain.