How to configure Single Sign-On to Continu using Google Workspace as the identity provider, via SAML 2.0.
Continu supports SAML 2.0 single sign-on. When configured, users authenticate through your identity provider rather than entering Continu-specific credentials. The integration handles login, plus optional attribute pass-through (first name, last name, additional fields).
This guide covers Google Workspace specifically. For other identity providers, see the related articles linked below. For the strategic context on user provisioning and identity, see Provisioning and Sync: How User Data Flows Into Continu.
Note: Existing learners may need to log out and back in for SSO to take effect on their accounts.
How to Configure Google SSO
1. In the Google Admin console (admin.google.com), go to SAML Apps.
2. Click Add + at the bottom right.
3. Click Set up my own custom app. The Google IDP Information window opens with the SSO URL and Entity ID auto-populated.
4. Copy the SSO URL and download the IDP metadata.
5. In a new tab, open Continu and go to Admin > Settings > Integrations. Select the SAML 2.0 option.
6. Add the XML file in the Setup SAML section. Either choose URL and paste the URL link to the XML data, or upload the XML file directly.
7. Work with your IT team to configure the remaining options for your IDP. Most XML files bind to HTTP-Post AND HTTP-Redirect; some bind to only one. Select the option that matches your IDP. The NameID field controls which attribute identifies users uniquely.
8. Save the integration in Continu.
9. Back in Google Admin, complete the Service Provider details using the values from Continu (SP Entity ID and ACS URL).
10. Configure attribute mapping in Google for email, first name, and last name.
11. Enable the SAML app for the appropriate Google org units.
Configuration Pitfalls
Existing Continu Sessions. Learners logged in before SSO was activated may need to log out and back in.
Wrong HTTP Binding Choice. HTTP-Post vs HTTP-Redirect — the wrong choice produces authentication failures. Check the XML metadata to confirm which binding your IDP uses.
NameID Field Mismatch. If the NameID doesn't match the email address Continu has for each user, SSO succeeds but Continu can't match the SAML response to an existing user record. Result: failed logins for users who do exist.
Org Unit Scope. Enabling the SAML app for only some Google org units means users outside those org units can't authenticate. Scope the app to all users who need Continu access.
Attribute Mapping Casing. Continu expects specific attribute names with specific casing. Mismatches in attribute names result in user records with missing first or last names.
Where This Fits
You're here because you're configuring Google SSO. For other identity providers, see the related articles. For the broader provisioning context, see Provisioning and Sync: How User Data Flows Into Continu.
See Also
- Provisioning and Sync: How User Data Flows Into Continu — the strategic anchor.
- Setting Up Single Sign On via Okta — Okta setup.
- Single Sign on via JumpCloud — JumpCloud setup.
- Single Sign On via OneLogin — OneLogin setup.
- Active Directory (ADFS) using SAML 2.0 — Microsoft ADFS setup.