SAML Configuration > G Suite (Google)
This guide explains how to configure your G Suite service as a SAML SSO identity provider (IdP) for use with the Pulumi Cloud Console. It assumes that a SAML-based organization has already been created for you in the Pulumi Cloud Console by a Pulumi administrator.
Creating the SAML Application
In the administrator console for your G Suite domain, open the flyout menu in the upper-left corner and choose Apps > SAML Apps.
Click the + symbol in the lower-right corner to create a new SAML application.
In the first step, click Set Up My Own Custom App.
Next, choose Option 2: Download IDP Metadata to download an XML document that identifies and describes your G Suite domain as a SAML IdP. We’ll use this document later to complete the process of configuring your Pulumi organization. For now, note the location of the downloaded file, then click Next to continue.
Give your SAML application a name (e.g., “Pulumi Cloud Console”) and an optional description and logo, then click Next.
In step 4, for the required ACS URL and Entity ID fields, enter the fully-qualified URLs of the
metadataendpoints of the Pulumi API, adjusted for your Pulumi API domain and organization. For example, if you were using the public Pulumi service, and the name of your Pulumi organization were
acmecorp, those values would be:
- ACS URL:
- Entity ID:
Leave the other fields as their default values, then click Next.
- ACS URL:
The final step, attribute mapping, is optional, but you may wish to use it to specify proper first and last names for your Pulumi users, based on their Google account profiles. The Pulumi service expects to receive these fields as as
Add them if you like, then click Finish and OK to confirm.
Finally, on the screen that follows, enable your newly created SAML application for your Google domain users:
Click Save to complete.
At this point, you’re done configuring G Suite, and can move on to completing SAML SSO setup in the Pulumi Cloud Console.
Configuring Your Pulumi Organization
The final step in the process consists of associating your Pulumi organization with your SSO identity provider.
Sign into the Pulumi Cloud Console where your SAML organization resides (e.g., https://app.pulumi.com), then navigate to the Settings tab for that organization.
Scroll to the SAML SSO Settings section, click into the Identity Provider Metadata field, and paste into that field the full contents of the XML IdP document you downloaded above.
Your Pulumi organization is now configured to use Google as a SAML SSO identity provider.
Signing into Pulumi with Google
Direct your users to the SAML-specific login page for your organization. For example, if you were using
the public Pulumi service, and the name of your Pulumi organization were
acmecorp, that URL would be
If you have any trouble configuring G Suite, signing into Pulumi, or need additional assistance, please contact us.