Hi @MikeS.53991 (Customer)​ , Thank you for reaching out to the Okta Community!

As per the Setup documentation, the SP initiated flow would be triggered by using the explicit URL.  

Another thing to look for is SSO profile assignment on the Google side, as described by the following article under "Decide which users should use SSO":

https://support.google.com/a/answer/12032922?visit_id=637956599577970270-3268553075&rd=1

If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

Hope my answer helps! 

--------------------------------

The Okta Community Catalysts Program is now live. Collect online badges when you participate in the Okta Help Center Questions community. Learn more here.

Hi,

I am also a new customer with Okta and I am experiencing the exact same issue.

If we visit https://mail.google.com/a/[domain]/ServiceLogin?continue=https://mail.google.com we are redirected to Okta's sign in page. however when we go to https://mail.google.com or https://gmail.com and attempt to log in, we are asked for an email address on Google's website which we provide username@domain.tld and then the password prompt appears via Google's login page, not Okta's login page and we cannot login using the Okta credentials for that account as it is Google performing this authentication, not Okta.

I have followed the instructions listed in the knowledge base article and I have also set up the SP-initiated SSO in the default relay state. The same behavior is happening.

The network mask is setup correctly and it should be redirecting me to Okta's login page when I try to login via mail.google.com or gmail.com but it is not.

I have found 3 pages online (including this one) that talks about this issue but there's no clear resolution:

https://support.okta.com/help/s/question/0D51Y00009QXHCsSAP/g-suite-saml-sso-not-redirecting?language=en_US

https://support.okta.com/help/s/article/G-Suite-is-not-redirecting-the-users-to-Okta-for-authentication?language=en_US#

Just an update on this. It seems that only domain-specific URL's will be redirected by Google if the network mask setting is applied; so there's no way to test to see what happens if you attempt to login on gmail.com or mail.google.com without removing the network mask.

Google help article here: https://apps.google.com/supportwidget/articlehome?article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F6369487&product_context=6369487&product_name=UnuFlow&trigger_context=a

Hi Quentin,

Thanks for your info.

I was adding the SSO profile to specific OUs to prevent it causing a redirect for users who don't have Okta access yet. The redirect seems to work with gmail.com only for users that were imported directly from google into Okta. Users that were created in Okta then assigned to gmail do not redirect correctly. I'm unsure what's causing the issue. Is it working for you now?

I recently ran into this 404 SP-initiated issue when trying to use an individual SSO profile and found that I had to use the Org-Wide configuration instead.

In Google Admin Console

• Security > Authentication > SSO with third party Idp
• In the section "Third-party SSO profile for your organization"
• Use the details from the setup guide https://saml-doc.okta.com/SAML_Docs/How-to-Enable-SAML-2.0-in-Google-Apps.html

In the section "Manage SSO profile assignments."

• Choose the OrgUnit you want to deploy to, then choose "Organization's third-party SSO profile."
• 

Lastly, Check the section "Domain-specific service URLs."

• For domain-specific (mail.google.com/a/[company])
• Choose "Require users to enter their username on Google's sign-in page first" since the other setting is not recommended for an OrgUnit-specific setup.
• If you are testing with a Super Admin account, they will always receive the Google login regardless of the SAML configuration of that user's OrgUnit. (Google Support Doc)

I hope this helps!