Google Workspace
Configure Google Workspace (formerly G Suite) for enterprise SSO using OpenID Connect.
Step 1: Create OAuth Credentials
- Go to Google Cloud Console → APIs & Services → Credentials
- Click "Create Credentials" → "OAuth client ID"
- Select "Web application" as application type
- Enter a name (e.g., "AccessIQ SSO")
- Add Authorized redirect URI: https://auth.accessiq.io/callback/oidc
- Click "Create" and save the Client ID and Secret
Step 2: Configure in AccessIQ
Configure Google Workspace
```bash
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "oidc",
    "name": "Google Workspace",
    "enabled": true,
    "config": {
      "clientId": "YOUR_GOOGLE_CLIENT_ID",
      "clientSecret": "YOUR_GOOGLE_CLIENT_SECRET",
      "issuer": "https://accounts.google.com",
      "scopes": ["openid", "profile", "email"]
    },
    "domains": ["yourcompany.com"],
    "settings": {
      "hostedDomain": "yourcompany.com"
    }
  }'
```
Restrict to Organization Domain
Use the hostedDomain setting to restrict authentication to users from your Google Workspace domain:
Domain Restriction
```json
{
  "settings": {
    "hostedDomain": "yourcompany.com"
  }
}
```
Security Note
Without domain restriction, any Google account can attempt to authenticate. Always configure the hosted domain for enterprise deployments.
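The following Python example is added here and is not AccessIQ's code or part of the original page. It shows the claim checks a relying party applies to a Google ID token to enforce the domain restriction described above, including rejecting tokens that carry no `hd` claim. It assumes the token's signature has already been verified; the function name and sample claims are constructed for illustration.

```python
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def check_google_claims(claims, client_id, hosted_domain, now=None):
    """Return (allowed, detail) for claims of an ID token whose signature
    was already verified against Google's keys (assumed, not shown here)."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != client_id:
        return False, "token issued to a different client"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"
    # Consumer accounts (gmail.com) carry no hd claim, so a missing value
    # must be rejected rather than treated as "no restriction".
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() != hosted_domain.lower():
        return False, "hd claim missing or outside allowed domain"
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    sub = claims.get("sub")
    if not sub:
        return False, "sub missing"
    return True, sub


# Constructed sample claims (not real tokens), using the page's placeholders.
NOW = 1_700_000_000
WORKSPACE_USER = {
    "iss": "https://accounts.google.com", "aud": "YOUR_GOOGLE_CLIENT_ID",
    "exp": NOW + 3600, "sub": "1000", "hd": "yourcompany.com",
    "email": "alice@yourcompany.com", "email_verified": True,
}
CONSUMER_USER = {k: v for k, v in WORKSPACE_USER.items() if k != "hd"}
CONSUMER_USER["email"] = "alice@gmail.com"
OTHER_TENANT = dict(WORKSPACE_USER, hd="othercorp.example",
                    email="bob@othercorp.example")

if __name__ == "__main__":
    for name, c in [("workspace", WORKSPACE_USER), ("consumer", CONSUMER_USER),
                    ("other tenant", OTHER_TENANT)]:
        print(name, check_google_claims(c, "YOUR_GOOGLE_CLIENT_ID",
                                        "yourcompany.com", now=NOW))
```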
Enable Directory API for SCIM
For automatic user provisioning, enable the Admin SDK API:
- Go to Google Cloud Console → APIs & Services → Library
- Search for "Admin SDK API" and enable it
- Create a service account with domain-wide delegation
- Grant the service account the required scopes in Google Workspace Admin