This guide covers setting up SSO with Google Workspace using either SAML or OIDC protocols.
Prerequisites
- Super Admin access to Google Workspace
- Completed Step 1 from the main SSO setup guide
- Your Fluint callback URL: https://app.fluint.io/auth/sso-callback
Option 1: SAML Configuration (Recommended)
Step 1: Access Google Admin Console
- Sign in to the Google Admin Console at admin.google.com
- Navigate to Apps > Web and mobile apps
- Click Add app
- Select Add custom SAML app
Step 2: App Details
App name: Fluint
Description: Fluint SSO Application
App icon (optional): Upload your company logo
Click Continue
Step 3: Google Identity Provider Details
Google will display the IdP information. Copy these values for later use in Fluint:
- SSO URL
- Entity ID
- Certificate (download or copy)
Click Continue
Step 4: Service Provider Details
ACS URL: https://app.fluint.io/auth/sso-callback
Entity ID: https://app.fluint.io
Start URL: https://app.fluint.io
Signed response (optional): Unchecked (default)
Name ID format: EMAIL
Name ID: Basic Information > Primary email
Click Continue
Step 5: Attribute Mapping
Add these attribute mappings:
Google Directory attributes | App attributes |
---|---|
Primary email | email |
First name | first_name |
Last name | last_name |
Click Finish
Step 6: Enable the Application
- The app will be created but not enabled
- Click on the Fluint app you just created
- Click User access
- Select ON for everyone or ON for some organizational units
- If selecting specific OUs, choose the appropriate organizational units
- Click Save
Option 2: OIDC Configuration
Step 1: Access Google Cloud Console
- Go to the Google Cloud Console at console.cloud.google.com
- Select your project or create a new one
- Navigate to APIs & Services > Credentials
Step 2: Configure OAuth Consent Screen
- Click OAuth consent screen
- Select Internal (for Google Workspace users only)
- Fill in the required information:
  - App name: Fluint
  - User support email: Your admin email
  - Developer contact information: Your admin email
- Click Save and Continue
- Skip Scopes (click Save and Continue)
- Skip Test users (click Save and Continue)
Step 3: Create OAuth 2.0 Client ID
- Go to Credentials
- Click Create Credentials > OAuth 2.0 Client IDs
- Configure:
  - Application type: Web application
  - Name: Fluint SSO
  - Authorized redirect URIs: https://app.fluint.io/auth/sso-callback
- Click Create
Step 4: Get Configuration Details
From the created OAuth client, note:
- Client ID
- Client Secret
Complete Setup in Fluint
For SAML:
- IdP SSO URL: SSO URL from Google
- IdP Entity ID: Entity ID from Google
- X.509 Certificate: Certificate from Google (include headers)
For OIDC:
- Client ID: From Google Cloud Console
- Client Secret: From Google Cloud Console
- Issuer URL: https://accounts.google.com
- Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
- Token URL: https://oauth2.googleapis.com/token
- UserInfo URL: https://openidconnect.googleapis.com/v1/userinfo
Testing Your Configuration
- Follow the testing steps from the main guide
- Verify users are redirected to Google login page
- Confirm successful authentication returns them to Fluint
Troubleshooting Google Workspace
Common issues:
- App not enabled for user's OU - Check organizational unit settings
- User outside domain - Ensure user email domain matches your Workspace domain
- App access turned off - Verify the app is enabled in Admin Console
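When a SAML sign-in still fails, the decoded SAML response captured in the browser can be compared with the values this guide configures: ACS URL, Entity ID, Name ID format and the attribute mapping. The Python below is an added example, not Fluint or Google code; the function name `lint_saml_response`, the sample response and the `example.com` domain are constructed for illustration. It is a diagnostic only and does not verify the response signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://app.fluint.io/auth/sso-callback"    # Step 4: ACS URL
SP_ENTITY_ID = "https://app.fluint.io"                 # Step 4: Entity ID
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "first_name", "last_name")  # Step 5 mapping

def lint_saml_response(xml_text, workspace_domain):
    """Return the mismatches between a decoded SAML response and this guide.
    Diagnostic only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Fluint ACS URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element (it may be encrypted)"]
    audiences = [e.text for e in assertion.findall(".//a:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not contain the Fluint Entity ID")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not EMAIL")
    elif not (name_id.text or "").lower().endswith("@" + workspace_domain.lower()):
        problems.append("Name ID is outside the Workspace domain")
    attrs = {}
    for attr in assertion.findall("a:AttributeStatement/a:Attribute", NS):
        value = attr.find("a:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "") if value is not None else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing attribute: " + name)
    return problems

# Constructed sample (not a real Google response); last_name is left unmapped.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://app.fluint.io/auth/sso-callback"><a:Assertion>
<a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ana@example.com</a:NameID></a:Subject>
<a:Conditions><a:AudienceRestriction><a:Audience>https://app.fluint.io</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AttributeStatement>
<a:Attribute Name="email"><a:AttributeValue>ana@example.com</a:AttributeValue></a:Attribute>
<a:Attribute Name="first_name"><a:AttributeValue>Ana</a:AttributeValue></a:Attribute>
</a:AttributeStatement></a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(lint_saml_response(SAMPLE, "example.com"))
```

An empty list means the response matches the Service Provider details and attribute mapping entered in Steps 4 and 5.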
Important Notes
- Google Workspace SAML setup requires Super Admin privileges
- Users must be in organizational units where the app is enabled
- Changes may take up to 24 hours to propagate (usually much faster)
- Test with users in different OUs to ensure proper configuration