WandoDocs
Home
Sign in
Overview

Single sign-on

  • Microsoft Entra ID
  • Google Workspace
  • Google Workspace (OIDC)
  • OktaOkta
  • Auth0
  • Generic OIDC

SCIM provisioning

  • Microsoft Entra ID
  • OktaOkta
  • Auth0

More provider guides are added as we ship them. Need one we don't cover? hej@wando.app

Browse all guides
Overview

Single sign-on

  • Microsoft Entra ID
  • Google Workspace
  • Google Workspace (OIDC)
  • OktaOkta
  • Auth0
  • Generic OIDC

SCIM provisioning

  • Microsoft Entra ID
  • OktaOkta
  • Auth0
© 2026 WandoDocs are continuously updated as the product ships.
Docs/Single sign-on

Google Workspace

~10 minutes

Set up SAML single sign-on with Google Workspace. Google hands you one metadata file that tells Wando everything it needs — no OAuth client to register and no client secret to rotate.

  • Sign-in must start from your Wando sign-in page — the app tile in Google's app launcher uses IdP-initiated sign-in, which Wando does not accept.
  • User access changes in Google can take up to 24 hours to propagate, though minutes is typical.

Before you start

  • Super admin access to the Google Admin console (admin.google.com).
  • Your Wando contact on the call or on standby — they hold two values you need in step 4, and receive the metadata file from you at the end.

Steps

  1. 1

    Open the Google Admin console

    Sign in to admin.google.com with a super admin account, then open Menu → Apps → Web and mobile apps.

  2. 2

    Add a custom SAML app

    Click "Add app" → "Add custom SAML app". Name it "Wando", optionally add a logo, and click "Continue".

  3. 3

    Download the IdP metadata

    You land on the "Google Identity Provider details" page. Click "DOWNLOAD METADATA" and keep the file (GoogleIDPMetadata.xml) — it contains the sign-in endpoint and signing certificate Wando reads its configuration from, and it is what you hand to your Wando contact at the end. Click "Continue".

  4. 4

    Fill in the Service provider details

    Enter the values from your Wando contact — they follow this pattern and are specific to your organisation:

    ACS URL
    https://www.wando.se/api/auth/sso/saml2/sp/acs/<your-provider-id>
    Entity ID
    https://www.wando.se/api/auth/sso/saml2/sp/metadata?providerId=<your-provider-id>
    Start URL
    (leave empty)
    Name ID format
    EMAIL
    Name ID
    Basic Information > Primary email
    Leave "Signed response" unchecked — Google signs the assertion either way, and that is what Wando validates. Click "Continue".
  5. 5

    Skip the attribute mapping

    Wando identifies people by the email address in the Name ID, so no additional attribute mappings are required. Click "Finish".

  6. 6

    Turn the app on

    Open the new Wando app from the apps list, click "User access", and set the service to "ON for everyone" — or enable it per organisational unit or group if only part of the company should have access. Click "Save".

    Google says changes can take up to 24 hours to propagate. In practice it is usually minutes, but a failed test sign-in right after saving may just be propagation lag.
  7. 7

    Test the sign-in

    Once your Wando contact confirms the provider is live, go to your organisation's Wando address and click the Google sign-in button. You should land on the Google prompt and come back signed in.

    Always start from the Wando sign-in page. Launching from the Google apps grid starts the sign-in on Google's side, which Wando rejects by design.

Hand off to Wando

Send your values to your Wando contact

hej@wando.app

Send the values below to your Wando contact. They will connect your organisation and confirm when Google sign-in is live for your users.

Suggested provider ID
google-<short-org-name> (lowercase, hyphens only)
Email domain
acme.com (the domain your people sign in with)
IdP metadata
The GoogleIDPMetadata.xml file from step 3 — attach it or paste its contents