Learn how to configure a connection to Google via OIDC.
Each SSO identity provider requires specific information to create and configure a new SSO connection. Often, the information required to create an SSO connection will differ by identity provider.
To create a Google OIDC SSO connection, you’ll need three pieces of information: a redirect URI, client ID, and client secret.
Start by logging in to your WorkOS dashboard and navigating to the Organizations page from the left-hand navigation bar.
Select the organization you’d like to configure a Google OIDC SSO connection for, and select Configure manually under Single Sign-On.
Select Google OIDC from the identity provider dropdown, then click Create Connection.
Google OIDC is not available when SSO group role assignment is enabled due to a limitation with the groups claim.
WorkOS provides the Redirect URI, which can be found in the Service Provider Details section on the SSO connection page in the WorkOS Dashboard.
The Redirect URI is the location an identity provider redirects its authentication response to. In Google’s case, it needs to be set as an Authorized redirect URI when configuring your OAuth client in the Google Cloud Console.
Specifically, the Redirect URI will need to be added to the Authorized redirect URIs section when creating your OAuth client, which is outlined in step 3 below.
You will need to obtain two pieces of information from the organization: the client ID and the client secret.
Normally, this information will come from the organization’s IT management team when they set up your application’s OAuth configuration in their Google Cloud Console. But, should that not be the case during your setup, the next steps will show you how to obtain it.
If you already have a Google Cloud project, skip this step.
Sign in to the Google Cloud Console.
From the top left navigation, click Select a project. Select an organization and then click Create project.
Enter a project name. Update the project organization and location if needed. Click Create.
From the top left navigation, click Select a project. Select the project you created in the previous step or one that is already set up.
Search for Google Auth Platform and select it from the results list.
Click Get started.
On the App Information step, enter an app name, such as your organization name. Select a user support email from the dropdown. Click Next.
On the Audience step, select Internal and click Next.
On the Contact Information step, enter a contact email and click Next.
Agree to the terms of service, click Continue and then Create.
From the left-hand sidebar navigation, click Clients and then click Create client.
From the Application type dropdown, select Web application.
Under the Authorized redirect URIs section, click Add URI. Copy the Redirect URI from your WorkOS Dashboard and paste it into the new redirect URI field.
Click Create.
From the OAuth client created modal, copy the Client ID and Client Secret values.
Back in the WorkOS Dashboard, enter the client ID and client secret you obtained from Google into the respective fields in the Identity Provider Configuration section of the SSO connection.
Enter https://accounts.google.com/.well-known/openid-configuration in the Discovery Endpoint field. This is the same value for all Google Cloud Console projects.
Click Save Configuration.
Your Google OIDC connection is now configured and ready to use. Users within your organization will be able to authenticate through WorkOS using their Google credentials.
To start using this connection in your application, refer to the SSO guide for implementation details.
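A pre-flight check for the Discovery Endpoint value entered above, added here as an example (it is not WorkOS or Google code): it validates a discovery document against the URL it was fetched from and reports whether a groups claim is listed. The function names, the sample document and the authorization code flow assumption are constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_HTTPS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: an abridged discovery document, shaped like what the
# discovery endpoint on this page returns. Fetch and check the live one yourself.
SAMPLE_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["aud", "email", "email_verified", "exp", "iat", "iss", "sub"],
}

def check_discovery(discovery_url: str, doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    raw = discovery_url.strip()
    url = urlsplit(raw)
    if url.scheme != "https" or url.query or url.fragment:
        problems.append("discovery URL must be https with no query or fragment")
    if not url.path.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end in " + WELL_KNOWN)
    # OIDC Discovery 1.0 section 4.3: the issuer in the document must exactly
    # equal the URL it was fetched from, minus the well-known suffix.
    expected = raw.removesuffix(WELL_KNOWN)
    if doc.get("issuer") != expected:
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected!r}")
    for key in REQUIRED_HTTPS:
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # Assumption: the connection uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        problems.append("ID token signing algs missing or include 'none'")
    return problems

def advertises_groups_claim(doc: dict) -> bool:
    """True if the provider lists 'groups' in claims_supported."""
    return "groups" in doc.get("claims_supported", [])

if __name__ == "__main__":
    url = "https://accounts.google.com/.well-known/openid-configuration"
    print(check_discovery(url, SAMPLE_DOC) or "discovery document OK")
    print("groups claim advertised:", advertises_groups_claim(SAMPLE_DOC))
```

To check the live document, fetch the discovery URL and pass the parsed JSON as `doc`.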