Google Workspace federation guide
Set up OpenID Connect (OIDC) federation with Google Workspace. The STACKIT IdP acts as the Relying Party (RP), and your Google Workspace environment acts as the Identity Provider (IdP).
Step 0: Create a google Application
Section titled “Step 0: Create a google Application”In order to configure this federation with Google we need the following steps to be completed from your side.
- Create Google Application: You need to create the application on Google in order to obtain the required credentials to set up the federation
When creating the client, the redirect URL’s ishttps://developers.google.com/identity/openid-connect/openid-connecthttps://accounts.stackit.cloud/ui/login/login/externalidp/callback
- Token claims: The application will need to configure the token in “Token configuration” with the following claims:
- family_name
- given_name
- preferred_username
Step 1: Open a support ticket
Section titled “Step 1: Open a support ticket”Open a support ticket with the following information:
General information
- Federation type: OpenID Connect (OIDC)
- Reason for integration: Brief explanation (for example, “Enable SSO using Google Workspace”)
- Email domains: All primary and secondary email domains your employees use via Google Workspace (for example,
@example.organd@foobar.com)
OIDC-specific information
| Required field | Description | Your input |
|---|---|---|
| Issuer | Issuer identifier for Google’s OIDC service | https://accounts.google.com/ |
| Client ID | ID assigned to STACKIT service in your Google Cloud Project in Step 0 | Application (client) ID from credentials |
| Client secret | Secret key generated for the Client ID | Provide securely |
| Scopes | Required permissions (at least openid required) | openid email profile |
| Display name (optional) | Internal name for this federation (use snake_case) | google_workspace_acme_corp |
Define claims mapping
You can indicate mapping field users from google workspace to our idp. That said, if the standard Google Workspace OIDC claims show below are used that is not required:
| STACKIT IdP field | Google Workspace claim | Notes |
|---|---|---|
| Unique user ID | sub | Standard unique identifier from Google |
| Email address | email | User’s primary email address |
| Preferred name | name | User’s full name |
| First name | given_name | User’s first name |
| Last name | family_name | User’s last name |
Step 2: Verification
Section titled “Step 2: Verification”Confirm the federation works and report back to us so or any problem faced.
Changing federation type
Section titled “Changing federation type”If you have an existing federation using a different protocol and switch to OIDC via Google Workspace, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.