SAML SSO with G Suite

My Mautic version is: 2.15.3
My PHP version is: 7.0.33-0+deb9u6

I am not able setup Mautic SAML SSO with G Suite.

I have setup SAML on G Suite and it provides to me two files as following.

1 - GoogleIDPMetadata.xml
2 - GoogleIDPCertificate.pem

These two files above I can load with no problem on Mautic. But Mautic asked me more two information such as:

3 - Private key
4 - Private key encryption password

To better clarify it, I have taken a screenshot, please have a look at:

My doubt is: What should I load on item 3 and 4 above?

Thanks in advanced.

Hello @acremonezi, welcome to the Mautic Community Forums!

Does the documentation here: help at all?

See particularly:

  1. Verify request signatures or a SSL certificate - If the IDP supports encrypting and validating request signatures from Mautic to the IDP, generate a self signed SSL certificate. Upload the certificate and private key through Mautic’s Configuration -> User/Authentication Settings under the Use a custom X.509 certificate and private key to secure communication between Mautic and the IDP. section. Then upload the certificate to the IDP.

So it seems this part is not mandatory, but if they support encryption then you need to generate the self-signed certificate and upload the private key in those parts.

hi! @rcheesley, thanks for your prompt repply.

I have read this documentation and follow it, I have used that to set it up, this item 5 you mension specially, was not enough to me, I suspected this may not be necessary, but even though its caused me doubts specially with usuing G Suite.

Assuming that the (3 - Private key and 4 - Private key encryption password) are not necessary the problem may be on G Suite setup.

I have done this screenshot of my G Suite setup, please access it here:

Could you please tell me if you are able to clarify my doubts on this setup?

Thanks so much in advanced.

Based on your screenshot, I believe the ACS field needs to be:

(according to point 3 on the Mautic docs)

The check box is whether or not to use the signing, which we are at this point not using (if you’re not providing the private key etc)

I believe the Name ID type should be Email, based on what you have chosen.

The mapping looks correct per this from the documentation:

  1. Custom attributes - Mautic requires 3 custom attributes that must be included in the IDP responses for the user email, first name and last name.

So maybe if you fix the URL in the ACS field and give it a go? I don’t know about the start URL but it seems to be optional so maybe leave it blank?

1 Like

Hi! @rcheesley, again thanks for your support, your guidance was very important to me.

Thanks a lot, with you help, I could solved it.

In order to help other people that may need it, I have made the screenshot bellow to clarify what was the steps done on G Site and Mautic in order to have it working.

Please, access it here:

Thanks again and best regards,


Glad to hear you got it solved! You can add an image to your forum post just by dragging it into the editor, FYI :slight_smile:

Thanks for reporting back with the solution!

hi! @rcheesley, thanks for the information.
I did not know this, on the next post I will apply this advice.
Best regards,

1 Like


I have follow all the steps but I’m still getting the following errors.
Invalid inbound message destination ""

[2020-12-05 11:54:43] app.EMERGENCY: Invalid inbound message destination “” {“profile_id”:“sso_sp_receive_response”,“own_role”:“sp”,“action”:“LightSaml\Action\Profile\Inbound\Message\DestinationValidatorResponseAction”,“top_context_id”:“00000000412d51f5000000005b9dd7af”,“top_context”:"[object] (LightSaml\Context\Profile\ProfileContext: {\n “root”: “LightSaml\\Context\\Profile\\ProfileContext”,\n “root__children”: {\n “http_request”: “LightSaml\\Context\\Profile\\HttpRequestContext”,\n “own_entity”: “LightSaml\\Context\\Profile\\EntityContext”,\n “inbound_message”: “LightSaml\\Context\\Profile\\MessageContext”,\n “inbound_message__children”: {\n “deserialization”: “LightSaml\\Model\\Context\\DeserializationContext”,\n “request_state”: “LightSaml\\Context\\Profile\\RequestStateContext”\n },\n “party_entity”: “LightSaml\\Context\\Profile\\EntityContext”\n }\n})"}

I’m using the docker version of Mautic, do i need to do anything extra?

Hi @ monkeymon, did you find a solution for this? I am having the same issue. Thanks