SSO with Google Workspace

Wire Google Workspace as a SAML IdP (Google’s workspace-SAML path is the standard) or use it as an OIDC provider via Google Cloud’s OAuth 2.0 client.

Which protocol

Google Workspace supports both OIDC (via Google Cloud’s OAuth client) and SAML (via the Workspace admin console). For a typical MSP:

  • SAML is simpler if you already manage custom SAML apps in Workspace → Apps → Web and mobile apps. No Google Cloud project required.
  • OIDC is the modern choice if you already have a Google Cloud project for your org — or if you want a single consent screen that matches other internal apps.

Option A – SAML via the Workspace admin console

  1. In the Workspace admin console, go to Apps → Web and mobile apps → Add app → Add custom SAML app.
  2. Name it Vectis. On the next screen, copy the SSO URL and download the Certificate (or copy its PEM text). Skip the IdP metadata download — Vectis takes the cert+URL directly.
  3. For ACS URL, paste the Vectis SAML ACS URL (ends in /api/auth/sso/saml/callback). For Entity ID, use the same URL or a human-readable value like https://your-workspace.mspvectis.com and enter that same value into Vectis’s SP Entity ID field.
  4. Under Attribute mapping, map Primary email to an attribute named email. Optionally map First name + Last name to displayName.
  5. Turn the app ON for everyone (or for a specific OU that covers your Vectis operators), then wait a minute for propagation. Google caches the app-enabled state briefly.
  6. In Vectis Admin → SSO, pick SAML. Paste the SSO URL into SSO Entry Point URL and the certificate into IdP Certificate. Add your Workspace domain to Allowed Email Domains. Save.

Option B – OIDC via Google Cloud OAuth client

  1. In Google Cloud Console → APIs & Services → OAuth consent screen, configure it as Internal (restricts sign-in to your Workspace tenant). Set the app name to Vectis.
  2. In Credentials → Create credentials → OAuth client ID, pick Web application. Under Authorized redirect URIs, add the Vectis OIDC redirect URI (ends in /api/auth/callback/sso-oidc).
  3. Copy the Client ID and Client Secret.
  4. In Vectis Admin → SSO, pick OIDC. For Issuer URL, use https://accounts.google.com. Paste the client ID and secret. Add your Workspace domain to Allowed Email Domains. Save and test.
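The following is an added example, not Vectis's own code, of the claim checks a relying party should perform on the Google ID token it receives on the OIDC path. It assumes the token's JWT signature has already been verified against Google's published keys (https://www.googleapis.com/oauth2/v3/certs), and works on the decoded claims only; the sample claims dictionary, the client ID and the domain names are constructed for illustration. Note that Google issues `iss` as either `https://accounts.google.com` or `accounts.google.com`, and that the `hd` claim is what ties a verified Google account to a specific Workspace tenant, so an Allowed Email Domains check should look at both `hd` and the email's domain.

```python
"""Validate the claims of a Google ID token (constructed example, not Vectis code)."""
from datetime import datetime, timezone

# Google documents both spellings of the issuer; accept either, nothing else.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Constructed sample of the decoded claims of a Google ID token for a Workspace user.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "123456789-example.apps.googleusercontent.com",  # constructed client ID
    "sub": "10769150350006150715113082367",
    "email": "alice@example-msp.com",
    "email_verified": True,
    "hd": "example-msp.com",  # Workspace tenant; absent for plain @gmail.com accounts
    "iat": 1714564800,  # 2024-05-01T12:00:00Z
    "exp": 1714568400,  # 2024-05-01T13:00:00Z
}


def validate_google_id_token_claims(claims, client_id, allowed_domains, now, skew_seconds=60):
    """Return (ok, reason). `now` is a timezone-aware datetime, as the host clock sees it.

    Assumes the JWT signature was verified before this function is called.
    """
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "iss is not Google"

    # aud may be a string or a list; the token must be minted for *our* OAuth client.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "aud does not match our client ID"

    now_ts = int(now.timestamp())
    exp = claims.get("exp")
    iat = claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "exp/iat missing"
    if now_ts >= exp + skew_seconds:
        return False, "token expired (check host clock / NTP)"
    if iat > now_ts + skew_seconds:
        return False, "token issued in the future (check host clock / NTP)"

    # Only accept an address Google itself has verified.
    if claims.get("email_verified") is not True:
        return False, "email not verified by Google"
    email = claims.get("email") or ""
    if "@" not in email:
        return False, "email claim malformed"
    email_domain = email.rsplit("@", 1)[1].lower()

    # hd is the Workspace tenant. Consumer accounts have no hd, so requiring it
    # keeps a lookalike @gmail.com account out even if the email domain check is loose.
    hd = (claims.get("hd") or "").lower()
    if not hd:
        return False, "no hd claim: not a Workspace account"
    if hd != email_domain:
        return False, "hd does not match email domain"

    allowed = {d.lower() for d in allowed_domains}
    if hd not in allowed:
        return False, f"domain {hd} is not in Allowed Email Domains"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    print(validate_google_id_token_claims(
        SAMPLE_CLAIMS, SAMPLE_CLAIMS["aud"], ["example-msp.com"], now))
```

Run with a `now` past `exp` to see the clock-related failure message, and drop the `hd` claim from the sample to see why the Internal consent screen alone is not a substitute for checking the tenant at the relying party.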

Google’s SAML response includes a NotOnOrAfter of ~5 minutes after issuance. If your Vectis host’s clock drifts, all logins fail with a generic assertion error. Keep NTP running.
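To show what the Option A setup and the clock note above amount to on the service-provider side, here is an added example (not Vectis's code) of the checks performed on a Google SAML assertion once its XML signature has been verified against the IdP Certificate pasted into Vectis: the NotBefore/NotOnOrAfter window with a small skew allowance, the Audience against the SP Entity ID from step 3, the email/displayName attributes from step 4, and the Allowed Email Domains list from step 6. The assertion XML, the idpid, the entity ID and the user are constructed samples; signature verification itself (typically done with an XML-DSig library) is assumed to have happened before this runs.

```python
"""Validate a Google Workspace SAML assertion (constructed example, not Vectis code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample shaped like the assertion a custom SAML app in Workspace issues.
# Signature element omitted: this code assumes XML-DSig verification already passed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=CONSTRUCTED</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example-msp.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:30Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://your-workspace.mspvectis.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example-msp.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _saml_time(value):
    """Parse the UTC 'Z' timestamps SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, allowed_domains, now,
                       skew=timedelta(seconds=60)):
    """Return (ok, reason, profile). `now` is the SP host's current aware datetime.

    Only a small skew is tolerated: Google's ~5 minute window means a host clock
    that drifts by more than that rejects every login, which is the symptom the
    guide describes.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions", None
    not_before = _saml_time(cond.get("NotBefore"))
    not_on_or_after = _saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return False, "assertion not yet valid (host clock behind IdP; check NTP)", None
    if now - skew >= not_on_or_after:
        return False, "assertion expired (host clock ahead or response replayed; check NTP)", None

    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "Audience does not match SP Entity ID", None

    # Attribute mapping from step 4: 'email' is mandatory, 'displayName' optional.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    email = attrs.get("email") or ""
    if "@" not in email:
        return False, "email attribute missing or malformed (check Attribute mapping)", None

    domain = email.rsplit("@", 1)[1].lower()
    if domain not in {d.lower() for d in allowed_domains}:
        return False, f"domain {domain} is not in Allowed Email Domains", None
    return True, "ok", {"email": email, "displayName": attrs.get("displayName")}


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, "https://your-workspace.mspvectis.com",
                             ["example-msp.com"], now))
```

Move `now` a few minutes either side of the sample's window to reproduce the "generic assertion error" from a drifting clock; a real SP would also reject a reused assertion ID and check the Issuer against the idpid of your Workspace app.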

Troubleshooting

  • “invalid_grant” on the OIDC path — the OAuth consent screen is External but not verified, and your user isn’t on the test-users list. Flip the consent screen to Internal (assuming all your Vectis operators are in the Workspace tenant).
  • App restricted for security policy — the custom SAML app is OFF for the user’s OU. Workspace admin controls which OUs can reach which apps; enable the Vectis app for the Vectis-operators OU.

Still stuck?

Email support@mspvectis.com with the error message and we’ll unblock you.