
SSO with Google Workspace

Wire Google Workspace into Vectis as a SAML IdP (the custom SAML app path in the Workspace admin console is the standard route) or use it as an OIDC provider through a Google Cloud OAuth 2.0 client.

Which protocol

Google Workspace supports both OIDC (via Google Cloud’s OAuth client) and SAML (via the Workspace admin console). For a typical MSP:

  • SAML is simpler if you already manage custom SAML apps in Workspace → Apps → Web and mobile apps. No Google Cloud project required.
  • OIDC is the modern choice if you already have a Google Cloud project for your org — or if you want a single consent screen that matches other internal apps.

Option A – SAML via the Workspace admin console

  1. In the Workspace admin console, go to Apps → Web and mobile apps → Add app → Add custom SAML app.
  2. Name it Vectis. On the next screen, copy the SSO URL and download the Certificate (or copy its PEM text). Skip the IdP metadata download — Vectis takes the cert+URL directly.
  3. For ACS URL, paste the Vectis SAML ACS URL (ends in /api/auth/sso/saml/callback). For Entity ID, use the same URL or a human-readable value like https://your-workspace.mspvectis.com and enter that same value into Vectis’s SP Entity ID field.
  4. Under Attribute mapping, map Primary email to an attribute named email. Optionally map First name + Last name to displayName.
  5. Turn the app ON for the OU (or group) that covers your Vectis operators. Turning it on for everyone also works, but then every Workspace user can complete the Google side of sign-in, so scope it if you can. Wait a minute for propagation; Google caches the app-enabled state briefly.
  6. In Vectis Admin → SSO, pick SAML. Paste the SSO URL into SSO Entry Point URL and the certificate into IdP Certificate. Add your Workspace domain to Allowed Email Domains. Save.
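The checks a service provider should run on Google's SAML response once its XML signature has been verified, as an added example for Option A (this is not Vectis's code). It assumes the SP Entity ID from step 3, an ACS URL built on the hypothetical host https://your-workspace.mspvectis.com, a constructed Google IdP entity ID, the email attribute mapped in step 4, and a constructed, unsigned sample response. Signature verification against the certificate pasted in step 6 (for example with xmlsec) must happen before these checks and is not shown.

```python
"""Post-signature checks on a Google Workspace SAML response.

Added example for this guide, not Vectis code. Run these only on a response
whose XML signature has already been verified; that step is not shown here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed configuration: SP Entity ID from step 3, ACS URL on a hypothetical
# tenant host, a constructed Google IdP entity ID, and step 6's domain list.
SP_ENTITY_ID = "https://your-workspace.mspvectis.com"
ACS_URL = "https://your-workspace.mspvectis.com/api/auth/sso/saml/callback"
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=C0example"
ALLOWED_DOMAINS = {"example.com"}

# Constructed, unsigned sample shaped like Google's response (Signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://your-workspace.mspvectis.com/api/auth/sso/saml/callback">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C0example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C0example</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://your-workspace.mspvectis.com/api/auth/sso/saml/callback"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:30Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://your-workspace.mspvectis.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z (fraction optional)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_response(xml_text, now=None, skew=timedelta(minutes=2)):
    """Return the asserted email, or raise ValueError naming the failed check.
    `now` is a datetime or ISO-8601 string; `skew` is the tolerated clock drift."""
    now = datetime.now(timezone.utc) if now is None else now
    now = parse_ts(now) if isinstance(now, str) else now
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not return a Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext assertion in the response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issuer is not the configured IdP")

    # Validity window: NotOnOrAfter is only minutes after issuance, so a drifting
    # SP clock turns every login into a generic assertion failure.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = cond.get("NotBefore")
    if not_before and now + skew < parse_ts(not_before):
        raise ValueError("assertion not yet valid: SP clock is behind the IdP")
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired: SP clock is ahead, or the response was replayed")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        raise ValueError("audience does not match the SP Entity ID from step 3")

    # Bearer confirmation must be addressed to our ACS URL and still be fresh.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("bearer confirmation is not addressed to our ACS URL")
    if now - skew >= parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")

    # Identity comes from the attribute mapped in step 4, then the domain allowlist.
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "email":
            email = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not email or "@" not in email:
        raise ValueError("no 'email' attribute: check the attribute mapping in step 4")
    if email.rsplit("@", 1)[1].lower() not in ALLOWED_DOMAINS:
        raise ValueError(f"{email} is outside Allowed Email Domains")
    return email
```

Two design points: the audience and recipient checks are what stop an assertion Google issued for a different SAML app from being replayed against Vectis, and the email must be read from the signed assertion only, never from an unsigned element elsewhere in the response (the classic signature-wrapping mistake). A two-minute skew is a pragmatic tolerance, not a substitute for NTP.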

Option B – OIDC via Google Cloud OAuth client

  1. In Google Cloud Console → APIs & Services → OAuth consent screen, configure it as Internal (restricts sign-in to your Workspace tenant). Set the app name to Vectis.
  2. In Credentials → Create credentials → OAuth client ID, pick Web application. Under Authorized redirect URIs, add the Vectis OIDC redirect URI (ends in /api/auth/callback/sso-oidc).
  3. Copy the Client ID and Client Secret.
  4. In Vectis Admin → SSO, pick OIDC. For Issuer URL, use https://accounts.google.com. Paste the client ID and secret. Add your Workspace domain to Allowed Email Domains. Save and test.

Note on clocks: Google's SAML assertion carries a NotOnOrAfter roughly 5 minutes after issuance, and its OIDC ID tokens carry iat and exp. If the Vectis host's clock drifts past those windows, every login fails with a generic assertion or token error. Keep NTP running on the host.
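The relying-party checks on the ID token Google returns in Option B, as an added example (not Vectis's code). It assumes a constructed client ID, the Allowed Email Domains list from step 4, and a constructed, unsigned sample token. Verifying the RS256 signature against Google's published keys (https://www.googleapis.com/oauth2/v3/certs) must happen before these checks and is not shown.

```python
"""Claim checks on a Google ID token after its signature has been verified.

Added example for this guide, not Vectis code. The client ID, domain list and
token below are constructed.
"""
import base64
import json
import time

CLIENT_ID = "123456789012-constructed.apps.googleusercontent.com"  # assumed value
ALLOWED_DOMAINS = {"example.com"}                                  # step 4 list
# Google documents both spellings of the issuer in its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: a Workspace user in the allowed domain, one-hour lifetime.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "110169484474386276334",  # stable Google account ID (constructed)
    "hd": "example.com",             # hosted domain: present only for Workspace accounts
    "email": "alice@example.com",
    "email_verified": True,
    "iat": 1714564800,
    "exp": 1714568400,
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"signature-placeholder-not-valid"),
])


def decode_claims(id_token):
    """Split the compact JWT and decode its payload. This does NOT verify the
    signature; until that is done these claims are attacker-controlled."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, now=None, skew=120):
    """Return (sub, email) for a token Vectis should accept, else raise ValueError.
    `now` is Unix seconds; `skew` is the tolerated clock drift in seconds."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("iss is not Google")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("aud is not our client ID: token was minted for another app")
    if now - skew >= int(claims.get("exp", 0)):
        raise ValueError("token expired (or the Vectis clock is ahead)")
    if int(claims.get("iat", 0)) > now + skew:
        raise ValueError("token issued in the future (Vectis clock is behind)")
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified by Google")
    hd = claims.get("hd")
    if not hd:
        raise ValueError("no hd claim: consumer Google account, not a Workspace user")
    if hd.lower() not in ALLOWED_DOMAINS:
        raise ValueError(f"Workspace domain {hd} is not in Allowed Email Domains")
    return claims["sub"], claims["email"]
```

The hd check is what enforces the tenant restriction on the Vectis side; an Internal consent screen enforces it on Google's side, and you want both. Key the local account on sub rather than email, since an email address can be reassigned to a different person while sub never changes.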

Troubleshooting

  • “invalid_grant” on the OIDC path — most often the OAuth consent screen is External and unverified, and the user signing in is not on its test-users list. Flip the consent screen to Internal (assuming all your Vectis operators are in the Workspace tenant). Google also returns invalid_grant when an authorization code is redeemed twice (for example, the callback page was reloaded) or when the redirect URI sent at token exchange differs from the one used in the authorization request, so rule those out first.
  • App restricted for security policy — the custom SAML app is OFF for the user’s OU. Workspace admin controls which OUs can reach which apps; enable the Vectis app for the Vectis-operators OU.

Before you enforce: set a break-glass admin

Once Enforce SSO is on, every user on your allowed domains MUST sign in via Google. If Workspace has an outage or the OU/app assignment breaks, no one can get in. The recovery path is a break-glass admin: an account that keeps Vectis password + MFA sign-in even when enforcement is on, and is scoped to ONLY the SSO settings page.

Add one from the Break-glass admin accounts card on the SSO settings page before flipping enforcement on. Read more about roles & permissions →

Still stuck?

Email support@mspvectis.com with the error message and we’ll unblock you.
