SSO Setup: Google Workspace

Google Workspace (formerly G Suite) acts as an OIDC provider through an OAuth 2.0 client that you create in Google Cloud. The setup lives in the Google Cloud Console, not the Workspace Admin Console; that is the most common source of confusion.

Before you start

  • Super Admin in your Google Workspace, OR an account with Owner/Editor on a Google Cloud project that lives in your organization.
  • Admin access in JAMS IMES.
  • The JAMS IMES Redirect URI from your /integrations/sso page.

Step 1: Pick or create a Google Cloud project

  1. Open the Google Cloud Console.
  2. Top-left, click the project picker. Either:
    • Pick an existing project your org uses for OAuth/auth stuff, OR
    • Click New Project, name it JAMS IMES SSO (or similar), and pick your organization as the parent so it's scoped to your Workspace tenant.
  3. Make sure the project is selected (visible in the top bar) before continuing.

Step 2: Configure the OAuth consent screen

This is the one-time setup that tells Google "here is an app in this project that wants to authenticate users."

  1. Left sidebar (hamburger menu) → APIs & Services → OAuth consent screen.
  2. Pick User Type:
    • Internal: only users in your Google Workspace can use this OAuth app. Pick this for JAMS IMES; it is the safer default and avoids Google's app verification process.
    • External: anyone with a Google account. Don't pick this unless you have a specific reason.
  3. Click Create.
  4. App registration screen:
    • App name: JAMS IMES
    • User support email: an email in your domain
    • App logo: optional (skip)
    • App domain: optional (skip)
    • Authorized domains: add jamssoftware.com (or whatever your JAMS IMES host's parent domain is)
    • Developer contact information: an email in your domain
  5. Click Save and Continue.
  6. Scopes step: click Add or Remove Scopes. Add:
    • .../auth/userinfo.email
    • .../auth/userinfo.profile
    • openid
     Click Update, then Save and Continue.
  7. Test users step: only relevant for External apps. Since you picked Internal, just click Save and Continue.
  8. Final summary screen: click Back to Dashboard.

Step 3: Create the OAuth Client ID

Now the actual application credentials.

  1. Left sidebar → APIs & Services → Credentials.
  2. Click + Create Credentials at the top → OAuth client ID.
  3. Application type: Web application.
  4. Name: JAMS IMES SSO Client (or similar; this is an internal label only).
  5. Authorized JavaScript origins: leave blank. JAMS IMES doesn't need this.
  6. Authorized redirect URIs: click Add URI, paste the Redirect URI from JAMS IMES's /integrations/sso page (looks like https://notiphone-.../auth/sso/callback).
  7. Click Create.

A modal pops up with the Client ID and Client Secret. Copy both immediately.

Tip: unlike some IdPs, Google lets you see the Client Secret again later. It is still good practice to stash it in a password manager right away. Find it later under Credentials → click the OAuth client → "ADDITIONAL INFORMATION" section.

Step 4: Note the Issuer URL

For Google Workspace, the OIDC issuer is:

https://accounts.google.com

That's it; there is no per-tenant suffix. Google uses one issuer URL for all Google accounts; the OAuth app's hd (hosted domain) parameter is how sign-in is restricted to your Workspace domain. Since you picked Internal in Step 2, that restriction is already enforced on Google's side.

Step 5: Configure JAMS IMES

Open JAMS IMES → /integrations/sso. Fill in:

  Field                Value
  Configuration name   Google Workspace (this is the login button label)
  Issuer URL           https://accounts.google.com
  Client ID            from Step 3
  Client Secret        from Step 3
  Scopes               leave the default: openid profile email
  Claim mappings       leave the defaults; Google uses the standard names (email, given_name, family_name)
  Enforce SSO          leave OFF for the first test

Click Save Configuration.
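As an added example that is not part of this page and not JAMS IMES's or Google's own code, here is what the Issuer URL, Scopes and Claim mappings fields above, and the hd restriction from Step 4, correspond to on the application side: building the authorization request that sends the browser to Google, and checking the claims of the ID token that comes back. The function names, the client ID, redirect URI, Workspace domain, fixed clock and sample claims are all constructed for this example; verifying the token signature against Google's published keys is assumed to have happened already and is not shown.

```python
"""Relying-party side of 'Continue with Google Workspace' (added example).

Assumed names and sample values are constructed for this example; they are
not JAMS IMES's code or configuration.
"""
import secrets
import time
from urllib.parse import urlencode

# Issuer from Step 4. Google tokens carry either spelling in `iss`, so a
# relying party should accept both.
ISSUER_URL = "https://accounts.google.com"
ACCEPTED_ISSUERS = {ISSUER_URL, "accounts.google.com"}
# Google's documented OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Constructed placeholders, not real credentials.
CLIENT_ID = "123456789-example.apps.googleusercontent.com"
REDIRECT_URI = "https://jams-imes.example/auth/sso/callback"
WORKSPACE_DOMAIN = "example.com"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Constructed ID-token payload, the shape Google returns after consent.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "constructed-subject-1",
    "iat": NOW,
    "exp": NOW + 3600,
    "nonce": "example-nonce",
    "hd": WORKSPACE_DOMAIN,
    "email": "alice@example.com",
    "email_verified": True,
    "given_name": "Alice",
    "family_name": "Example",
}


def build_authorization_url(client_id, redirect_uri, hosted_domain=None,
                            state=None, nonce=None):
    """Build the request that sends the browser to Google's account chooser.

    `state` ties the callback to this browser session and `nonce` ties the
    ID token to this request; both are checked again on the way back.
    """
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the console entry byte-for-byte
        "scope": "openid profile email",  # the default Scopes field above
        "state": state,
        "nonce": nonce,
    }
    if hosted_domain:
        params["hd"] = hosted_domain  # account-chooser hint only; see check below
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, nonce


def validate_id_token_claims(claims, client_id, expected_nonce,
                             expected_hd=None, now=None):
    """Checks on the decoded ID-token payload, after signature verification.

    Returns a list of problems; an empty list means the token is accepted.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        problems.append("iss is not Google")
    if claims.get("aud") != client_id:
        problems.append("aud is not our client ID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if claims.get("email_verified") is not True:
        problems.append("email not verified")
    # The hd *claim* is what proves Workspace membership; the hd request
    # parameter above is only a hint to the account chooser.
    if expected_hd is not None and claims.get("hd") != expected_hd:
        problems.append("hd is not the expected Workspace domain")
    return problems


def map_claims(claims):
    """The default claim mapping from the table above: Google's standard names."""
    return {
        "email": claims["email"],
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
    }


if __name__ == "__main__":
    url, state, nonce = build_authorization_url(CLIENT_ID, REDIRECT_URI, WORKSPACE_DOMAIN)
    print("send the browser to:", url)
    problems = validate_id_token_claims(SAMPLE_CLAIMS, CLIENT_ID, "example-nonce",
                                        WORKSPACE_DOMAIN, now=NOW)
    print("problems:", problems or "none")
    print("mapped user:", map_claims(SAMPLE_CLAIMS))
```

The point of the hd check is the last one: because https://accounts.google.com is shared by every Google account, an application that only trusts the issuer would accept any Google user. Internal user type blocks outsiders on Google's side, and checking the hd claim keeps that guarantee even if the consent screen's user type is later changed to External.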

Step 6: Test the flow

  1. Open an incognito window.
  2. Go to /login → enter the email of a JAMS IMES User whose email is also a Google Workspace user.
  3. Click Continue → you should see the Continue with Google Workspace button.
  4. Click it → Google's account chooser.
  5. Pick your Workspace account, sign in.
  6. First time only: you'll see a consent screen ("JAMS IMES wants to access your basic profile info and email").
  7. Approve → back to the JAMS IMES dashboard, signed in.

Step 7: (Optional) Enforce SSO

After at least one admin has confirmed SSO works, you can turn on Enforce SSO to require it for all users. See the SSO overview for safety notes before doing this.

Google-specific gotchas

  • Error 400: redirect_uri_mismatch
    Cause: the Redirect URI in your OAuth client doesn't match what JAMS IMES sent.
    Fix: open the OAuth client in Google Cloud Console → Authorized redirect URIs and check that the URL matches the one on JAMS IMES's /integrations/sso page byte-for-byte (including https and any trailing slash).
  • Error 403: org_internal
    Cause: the app is Internal but the user signing in isn't in your Workspace org.
    Fix: either add them to your Workspace, or change User Type to External (and start app verification, a long process). Internal is usually what you want.
  • Error: access_denied
    Cause: the user declined the consent screen.
    Fix: they need to try again and approve. If they keep declining, ask why; sometimes the listed scopes look more invasive than they are.
  • Sign-in works but user_not_provisioned
    Cause: the Google email isn't a JAMS IMES user yet.
    Fix: invite them from Team Members first. There is no JIT provisioning in v1.

Maintenance notes

  • Client Secret rotation: Google doesn't force expiry. You can rotate proactively by clicking Reset Secret on the OAuth client; immediately update JAMS IMES with the new value.
  • Removing the integration: delete the OAuth client in Google Cloud Console → also delete the SSO config in JAMS IMES. Existing sessions stay valid until JWT expiry (~8 hours), then users fall back to password login (if Enforce SSO is off) or get locked out (if on).

What's next