Google Workspace Error “The domain is not configured to use single sign-on”
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

When configuring Google Workspace with Okta, customers may encounter the following error:

 

The domain is not configured to use single sign-on.

 

This issue has become more common with the introduction of Google’s new third-party SSO profiles. A limitation in this new setup currently prevents simultaneous support for both Service Provider (SP)-initiated and Identity Provider (IdP)-initiated login flows for users and super admins. 

 

Organizations must choose which login flow to prioritize based on their security posture and operational requirements.

Applies To
  • Single Sign On (SSO)
  • Google Workspace
Cause

The Relying Party ID (RPID) plays a key role in routing authentication requests for both users and super admins. When the RPID is configured in Okta, user authentication requests are correctly routed to allow both IdP and SP-initiated flows via Okta.

 

However, this setup interferes with the authentication flow for super admins. With the RPID set in Okta, IdP-initiated flows for super admins are routed to the same federated endpoint as users. This results in a “couldn’t sign you in” error for super admins, even if the “legacy SSO profile” is enabled as a workaround.

 

While the SP-initiated flow does not return an error, super admins are prompted to log in using their Google credentials instead of being redirected to Okta.

Solution

Ensure that users and super admins are in completely separate Organizational Units (OUs). Sharing the same parent OU will cause login issues.
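
One way to check this precondition before assigning SSO profiles, as an added example that is not Okta's or Google's code: the script flags super admin and user OUs that are identical, nested, or siblings under the same non-root parent. It assumes user records exported with the Directory API fields `primaryEmail`, `isAdmin` (super admin) and `orgUnitPath`; the sample records, the function names, and the reading of "same parent OU" as a non-root parent are assumptions.

```python
from collections import defaultdict

# Constructed sample shaped like Directory API user records; isAdmin marks a super admin.
SAMPLE_USERS = [
    {"primaryEmail": "root-admin@example.com", "isAdmin": True, "orgUnitPath": "/Admins"},
    {"primaryEmail": "it-admin@example.com", "isAdmin": True, "orgUnitPath": "/Staff/IT"},
    {"primaryEmail": "alice@example.com", "isAdmin": False, "orgUnitPath": "/Staff/Sales"},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "orgUnitPath": "/Staff/IT"},
]


def parent(path):
    """Parent OU path; the root OU "/" is treated as its own parent."""
    return path.rstrip("/").rsplit("/", 1)[0] or "/"


def is_within(child, ancestor):
    """True if OU path `child` equals `ancestor` or sits anywhere below it."""
    return child == ancestor or child.startswith(ancestor.rstrip("/") + "/")


def ou_conflicts(users):
    """Return sorted (admin_ou, user_ou, reason) tuples that break OU separation."""
    ous = defaultdict(set)
    for u in users:
        ous["admin" if u.get("isAdmin") else "user"].add(u["orgUnitPath"])
    found = set()
    for a in ous["admin"]:
        for p in ous["user"]:
            if a == p:
                found.add((a, p, "same OU"))
            elif is_within(a, p) or is_within(p, a):
                found.add((a, p, "nested"))
            # Assumption: only a shared non-root parent counts, since every OU sits under "/".
            elif parent(a) == parent(p) != "/":
                found.add((a, p, "shared parent"))
    return sorted(found)


if __name__ == "__main__":
    for admin_ou, user_ou, reason in ou_conflicts(SAMPLE_USERS):
        print(f"{reason}: super admin OU {admin_ou} vs user OU {user_ou}")
```

An empty result means no super admin OU overlaps a user OU under these rules.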

 

  1. To have both SP-initiated and IdP-initiated flows enabled for users:
       1. Set the RPID value in Okta.
       2. Assign the new SSO profile to the appropriate user OUs.

     NOTE:

       • Super admins will encounter issues with IdP-initiated flows, receiving the error:

         couldn’t sign you in

       • SP-initiated flows will allow login using Google credentials.

 

  2. To have both login flows work for super admins:
       1. Remove the RPID value from Okta.
       2. Ensure the legacy SSO profile is enabled and assigned to all OUs.

     NOTE:

       • Users will face issues with SP-initiated flows. They will be redirected to Okta but receive the error:

         404 – The requested URL /a/cpanel/[domain]/a... was not found on the server. That’s all we know.

       • IdP-initiated flows will work as expected without errors.

 
