AuthHub SAML: Google Workspace SAML limitations

Article ID: 379999


Products

CloudHealth

Issue/Introduction

When configuring a SAML app in Google Workspace, you currently have the option to deploy only one ACS URL.

The documentation at https://docs.vmware.com/en/VMware-Tanzu-CloudHealth/SaaS/using-and-managing-vmware-tanzu-cloudhealth/GUID-migrating-to-authhub-authentication.html#how-to-migrate-to-authhub-google-workspace-4 points to using the following ACS URL: https://access.broadcom.com/default/saml/v1/sp/acs

With this ACS URL you can sign in successfully via https://apps.cloudhealthtech.com/login (SP-initiated), but you cannot start an IdP-initiated sign-in by launching the app from https://workspace.google.com/.



It is possible to update the ACS URL to https://access.broadcom.com/default/saml/v1/sp/acs?sp=53359bda-9a9c-4264-a114-9a246544c372, which allows the above Google Workspace option to work. However, this then blocks sign-ins via https://apps.cloudhealthtech.com/login, which fail with the error message "Sorry, we are unable to log you in at this time.".
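
A diagnostic check for the behaviour described above, added here as an example and not Broadcom or Google code: it decodes a captured `SAMLResponse` form value (for example, copied from the browser's network tab) and reports which ACS URL variant it targets and whether the sign-in was SP- or IdP-initiated. It assumes the IdP sets the standard SAML 2.0 `Destination` attribute to the configured ACS URL and omits `InResponseTo` on IdP-initiated responses; `classify_response`, `make_sample` and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_BASE = "https://access.broadcom.com/default/saml/v1/sp/acs"  # from the article
SP_ID = "53359bda-9a9c-4264-a114-9a246544c372"                   # from the article

# Combinations the article reports as working.
WORKING = {("plain", "sp-initiated"), ("with-sp", "idp-initiated")}

def classify_response(saml_response_b64):
    """Return (acs_variant, flow, expected_ok) for a captured SAMLResponse value.

    Diagnostic only: no signature validation. Run it on responses you captured
    yourself; for untrusted XML use a hardened parser such as defusedxml.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    dest = root.get("Destination", "")
    parts = urlsplit(dest)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != ACS_BASE:
        raise ValueError(f"unexpected Destination: {dest!r}")
    acs_variant = "with-sp" if parse_qs(parts.query).get("sp") else "plain"
    # An unsolicited (IdP-initiated) response carries no InResponseTo attribute.
    flow = "sp-initiated" if root.get("InResponseTo") else "idp-initiated"
    return acs_variant, flow, (acs_variant, flow) in WORKING

def make_sample(dest, in_response_to=None):
    """Build a constructed, unsigned Response envelope for the demo below."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed" '
           f'Version="2.0" Destination="{dest}"{irt}/>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    cases = [
        make_sample(ACS_BASE, "_req1"),              # login page, documented ACS URL
        make_sample(ACS_BASE),                       # Google Workspace launch, documented ACS URL
        make_sample(f"{ACS_BASE}?sp={SP_ID}"),       # Google Workspace launch, ?sp= ACS URL
        make_sample(f"{ACS_BASE}?sp={SP_ID}", "_r"), # login page, ?sp= ACS URL
    ]
    for c in cases:
        variant, flow, ok = classify_response(c)
        print(f"{variant:8} {flow:14} -> {'works' if ok else 'fails per article'}")
```
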

Resolution

If you wish to initiate the connection only via Google Workspace, update the SAML app in Google Workspace to use the following ACS URL: https://access.broadcom.com/default/saml/v1/sp/acs?sp=53359bda-9a9c-4264-a114-9a246544c372

  1. Open Google Workspace -> Apps -> Web and Mobile apps
  2. Select your SAML app
  3. Expand the Service Provider details section
  4. Update the ACS URL from https://access.broadcom.com/default/saml/v1/sp/acs to https://access.broadcom.com/default/saml/v1/sp/acs?sp=53359bda-9a9c-4264-a114-9a246544c372 and click Save
  5. Users will now only be able to sign in by initiating the connection via Google Workspace

Note: Report share links and view alert links in emails will prompt the user to sign in via https://apps.cloudhealthtech.com/login, which will fail. If you're using the IdP-initiated route described above, please ask users to authenticate first via Google Workspace before visiting the report share link or view alert link.