Skip to content

Google Workspace federation guide

Last updated on

Set up OpenID Connect (OIDC) federation with Google Workspace. The STACKIT IdP acts as the Relying Party (RP), and your Google Workspace environment acts as the Identity Provider (IdP).

OIDC federations in STACKIT can be configured to create users automatically at first successful login (also known as JIT user creation), depending on your onboarding requirements.

  • Auto creation enabled: Users are created on first successful OIDC login if they don’t already exist.
  • Auto creation disabled: Users must already exist (for example, through SCIM provisioning or manual setup) before they can log in.

Define your preferred mode during onboarding so the federation can be configured accordingly.

To configure this federation with Google, complete the steps below.

  1. Create Google Application: You need to create the application on Google in order to obtain the required credentials to set up the federation
    https://developers.google.com/identity/openid-connect/openid-connect
    When creating the client, the redirect URL’s is
    https://accounts.stackit.cloud/ui/login/login/externalidp/callback
  2. Token claims: The application will need to configure the token in “Token configuration” with the following claims:
    • email
    • family_name
    • given_name
    • preferred_username

Open a support ticket with the following information:

General information

  • Federation type: OpenID Connect (OIDC)
  • Reason for integration: Brief explanation (for example, “Enable SSO using Google Workspace”)
  • Email domains: All primary and secondary email domains your employees use with Google Workspace (for example, @example.org and @foobar.com)
  • User account creation mode: Auto creation enabled or Auto creation disabled

OIDC-specific information

Define claims mapping

You can indicate user field mapping from Google Workspace to our IdP. If you use the standard Google Workspace OIDC claims below, this is not required:

Confirm the federation works and report back to us so or any problem faced.

If you have an existing federation using a different protocol and switch to OIDC with Google Workspace, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.