SSO setup — Google Workspace (OIDC)

3 min read · Updated 12 May 2026

Wire WBSync to Google Workspace via OpenID Connect. This is the smoothest setup of all the IdPs — about 6 minutes if you have admin access.

Step by step

1. Create OAuth client credentials

Open the Google Cloud Console → APIs & Services → Credentials for a project linked to your Workspace tenant. Click Create credentials → OAuth client ID → Web application.

2. Add the redirect URI

In the new client's Authorised redirect URIs, paste WBSync's Redirect URI (visible on the OIDC pane of /settings/sso/). Save.

3. Copy the client ID + secret

Google shows the Client ID and Client secret in a modal after you save. Copy both immediately.

4. Paste values into WBSync

On WBSync's OpenID Connect pane:

  • Issuer URL: https://accounts.google.com
  • Client ID: from step 3
  • Client secret: from step 3
  • Scopes: leave as openid email profile

Set the Email domain to your Workspace primary domain. Save.

5. Test, then enforce

Click Test connection. You'll be prompted to pick a Google account and consent. Pick yours, and you should land back on WBSync with the green badge. Tick "Enable SSO for this organisation" to make it live.

Frequently asked

Can the Owner still sign in if SSO breaks?

Yes. The Owner always retains password fallback at /accounts/login/, even with 'Require SSO for everyone except the Owner' switched on. This is the lockout escape — your IdP can go down and you still get back in to fix it.

What happens to existing users?

Their accounts are preserved. On their first SSO sign-in WBSync binds their IdP subject to the existing user row, so audit history, role and assignments carry over. If 'Require SSO for everyone except the Owner' is on (recommended), existing non-Owner users must be bound deliberately — see the JIT section.

What about new users? Do I have to invite them first?

No. JIT provisioning is on by default: the first time someone with your email domain signs in via the IdP, WBSync creates their account automatically with the role you picked on the SSO settings page (default: Foreman). You can change their role afterwards in the directory.
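The Email domain setting in step 4 and the JIT answer above both depend on deciding which Google accounts belong to your domain. The following is an added example, not WBSync's code and not a description of how WBSync implements the check: it shows the claim checks a relying party would typically apply to a Google ID token before auto-creating an account. It assumes the token's signature has already been verified by the OIDC library; the function name, client ID and example.com are hypothetical placeholders.

```python
import time

# Google documents both issuer forms for its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def check_workspace_claims(claims, client_id, email_domain, now=None, leeway=60):
    """Hypothetical helper (not WBSync code): returns (ok, reason) for the
    decoded payload of an ID token whose signature was already verified."""
    now = time.time() if now is None else now
    domain = email_domain.lower()
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "token issued to a different client"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "token expired"
    # Google sets hd only for Workspace accounts; consumer accounts have none.
    if str(claims.get("hd", "")).lower() != domain:
        return False, "hd does not match the Workspace domain"
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    # Compare the exact part after the last "@", never a substring or suffix.
    local, _, mail_domain = str(claims.get("email", "")).lower().rpartition("@")
    if not local or mail_domain != domain:
        return False, "email outside the configured domain"
    if not claims.get("sub"):
        return False, "missing sub"  # sub, not email, is the binding key
    return True, "ok"

# Constructed sample payload; every value below is a placeholder.
NOW = 1_800_000_000
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
GOOD = {"iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "1000001",
        "exp": NOW + 3600, "hd": "example.com", "email": "pat@example.com",
        "email_verified": True}

if __name__ == "__main__":
    cases = {
        "workspace user": GOOD,
        "consumer account": {k: v for k, v in GOOD.items() if k != "hd"},
        "lookalike domain": {**GOOD, "hd": "example.com.other.test",
                             "email": "pat@example.com.other.test"},
        "expired": {**GOOD, "exp": NOW - 3600},
    }
    for name, claims in cases.items():
        print(name, check_workspace_claims(claims, CLIENT_ID, "example.com", now=NOW))
```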

Is the OIDC client secret stored safely?

Yes — secrets are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256), using the same key-rotation ceremony as our third-party clock-in integrations. The plain secret is never displayed back to you; paste a new one to rotate.

What does 'Test connection' actually do?

It runs a real round-trip with your IdP, but instead of signing you in it just records the outcome on the settings page. So you can sit in WBSync as the Owner, click the button, and watch the result land — without giving up your current session.
