Google Workspace federation guide
Set up OpenID Connect (OIDC) federation with Google Workspace. The STACKIT IdP acts as the Relying Party (RP), and your Google Workspace environment acts as the Identity Provider (IdP).
User account creation behavior
OIDC federations in STACKIT can be configured to create users automatically at first successful login (also known as just-in-time (JIT) user creation), depending on your onboarding requirements.
- Auto creation enabled: Users are created on first successful OIDC login if they don’t already exist.
- Auto creation disabled: Users must already exist (for example, through SCIM provisioning or manual setup) before they can log in.
Define your preferred mode during onboarding so the federation can be configured accordingly.
Step 0: Create a Google application
To configure this federation with Google, complete the steps below.
- Create Google application: Create the application on Google in order to obtain the credentials required to set up the federation (see Google's OpenID Connect documentation: https://developers.google.com/identity/openid-connect/openid-connect).
When creating the client, the redirect URL is https://accounts.stackit.cloud/ui/login/login/externalidp/callback
- Token claims: In the application's “Token configuration”, configure the token to include the following claims:
- family_name
- given_name
- preferred_username
Step 1: Open a support ticket
Open a support ticket with the following information:
General information
- Federation type: OpenID Connect (OIDC)
- Reason for integration: Brief explanation (for example, “Enable SSO using Google Workspace”)
- Email domains: All primary and secondary email domains your employees use with Google Workspace (for example, @example.org and @foobar.com)
- User account creation mode: Auto creation enabled or Auto creation disabled
OIDC-specific information
| Required field | Description | Your input |
|---|---|---|
| Issuer | Issuer identifier for Google’s OIDC service | https://accounts.google.com/ |
| Client ID | ID assigned to STACKIT service in your Google Cloud Project in Step 0 | Application (client) ID from credentials |
| Client secret | Secret key generated for the Client ID | Provide securely |
| Scopes | Required permissions (at least openid required) | openid email profile |
| Display name (optional) | Internal name for this federation (use lowercase letters and underscores) | google_workspace_acme_corp |
Define claims mapping
You can indicate user field mapping from Google Workspace to our IdP. If you use the standard Google Workspace OIDC claims below, this is not required:
| STACKIT IdP field | Google Workspace claim | Notes |
|---|---|---|
| Unique user ID | sub | Standard unique identifier from Google |
| Email address | email | User’s primary email address |
| Preferred name | name | User’s full name |
| First name | given_name | User’s first name |
| Last name | family_name | User’s last name |
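The following is an added example, not code from STACKIT or Google, showing what the Relying Party side of the mapping above looks like in practice together with the account-creation modes described earlier on this page: the ID-token claims are checked (issuer, audience, expiry, verified email, federated domain), translated into the STACKIT IdP fields from the table, and then either matched to an existing user or created just-in-time. The token payload, the client ID and the domain list are constructed placeholders, and the example assumes the JWT signature has already been verified against Google's JWKS (https://www.googleapis.com/oauth2/v3/certs) by a proper library before the payload is inspected.

```python
import time

GOOGLE_ISSUER = "https://accounts.google.com"

# STACKIT IdP field -> Google Workspace claim, as in the mapping table above
CLAIM_MAPPING = {
    "unique_user_id": "sub",
    "email_address": "email",
    "preferred_name": "name",
    "first_name": "given_name",
    "last_name": "family_name",
}


def check_id_token_payload(payload, client_id, allowed_domains, now=None):
    """Return a list of problems with a Google ID-token payload (empty list = OK).

    Assumes the JWT signature was already verified against Google's JWKS;
    only the claim checks a relying party must still perform are done here.
    """
    now = time.time() if now is None else now
    problems = []

    # Issuer: Google emits it with or without the https:// scheme.
    iss = str(payload.get("iss", "")).rstrip("/")
    if iss not in (GOOGLE_ISSUER, "accounts.google.com"):
        problems.append(f"unexpected issuer {iss!r}")

    # Audience must contain exactly the Client ID from Step 0 (aud may be a list).
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("token not issued for our client ID")

    # Expiry, with a 60 s clock-skew allowance.
    if payload.get("exp", 0) + 60 < now:
        problems.append("token expired")

    # Every claim referenced by the mapping table must be present and non-empty.
    for field, claim in CLAIM_MAPPING.items():
        if not payload.get(claim):
            problems.append(f"missing claim {claim!r} needed for {field}")

    # Only accept Google-verified addresses from the domains named in the ticket.
    email = str(payload.get("email", ""))
    domain = email.rpartition("@")[2].lower()
    if payload.get("email_verified") is not True:
        problems.append("email not verified by Google")
    if domain not in {d.lstrip("@").lower() for d in allowed_domains}:
        problems.append(f"email domain {domain!r} not federated")
    return problems


def map_claims(payload):
    """Translate Google claims into the STACKIT IdP fields from the table above."""
    return {field: payload[claim] for field, claim in CLAIM_MAPPING.items()}


def resolve_account(mapped, existing_users, auto_create):
    """Apply the user-account creation mode described on this page.

    existing_users: dict keyed by lower-cased email address -> stored record.
    Returns (action, record) with action 'login', 'create' or 'reject'.
    """
    email = mapped["email_address"].lower()
    if email in existing_users:
        return "login", existing_users[email]
    if auto_create:
        existing_users[email] = dict(mapped)  # JIT creation at first login
        return "create", existing_users[email]
    return "reject", None  # auto creation disabled: user must pre-exist (e.g. SCIM)


# Constructed sample payload (not a real token) for a stand-alone run.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder
SAMPLE_PAYLOAD = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "123456789012345678901",  # constructed
    "email": "alice@example.org",
    "email_verified": True,
    "name": "Alice Example",
    "given_name": "Alice",
    "family_name": "Example",
    "hd": "example.org",  # Workspace hosted-domain claim
    "exp": int(time.time()) + 3600,
}

if __name__ == "__main__":
    errors = check_id_token_payload(SAMPLE_PAYLOAD, CLIENT_ID, ["@example.org", "@foobar.com"])
    print("problems:", errors or "none")
    users = {}
    print(resolve_account(map_claims(SAMPLE_PAYLOAD), users, auto_create=False))
    print(resolve_account(map_claims(SAMPLE_PAYLOAD), users, auto_create=True))
    print(resolve_account(map_claims(SAMPLE_PAYLOAD), users, auto_create=False))
```

The domain check is the piece worth keeping in mind when filling in the ticket: a token for a verified address outside the listed domains is rejected even though Google signed it, so every primary and secondary domain in use must be reported in Step 1.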
Step 2: Verification
Confirm that the federation works and report the result back to us, including any problems you encountered.
Changing federation type
If you have an existing federation using a different protocol and switch to OIDC with Google Workspace, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.