Google Workspace does not have a dedicated connector type. Use the generic oidc connector type with Google’s OIDC discovery endpoint.
The Maverics Orchestrator integrates with Google Workspace identity using the generic OIDC connector — enabling single sign-on for applications that need to authenticate Google Workspace users.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

Google Workspace supports standard OpenID Connect, so you can connect it to the Orchestrator using type: oidc with Google’s well-known discovery URL. This approach works for organizations that use Google Workspace as their primary identity provider or for hybrid environments that combine Google and other identity platforms.

Use Cases

  • Google SSO federation — Extend Google Workspace authentication to enterprise applications that don’t support Google login natively
  • Google-to-enterprise app bridging — Translate Google OIDC tokens into header-based or cookie-based authentication for legacy apps
  • Hybrid Google/Microsoft environments — Orchestrate authentication across both Google Workspace and Azure AD from a single point

Configuration

Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.
OAuth credentials for Google Workspace must be created in the Google Cloud Console under APIs & Services > Credentials. Create an “OAuth 2.0 Client ID” of type “Web application” and add the oauthRedirectURL to the Authorized redirect URIs.

Configuration Reference

| Key | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Unique connector identifier referenced in app policies |
| type | string | Yes | Must be oidc (Google uses the generic OIDC connector) |
| oidcWellKnownURL | string | Yes | Google’s OIDC discovery endpoint: https://accounts.google.com/.well-known/openid-configuration |
| oauthClientID | string | Yes | OAuth 2.0 client ID from the Google Cloud Console |
| oauthClientSecret | string | Yes | OAuth 2.0 client secret (use secret reference syntax) |
| oauthRedirectURL | string | Yes | Callback URL registered in the Google Cloud Console credentials |
| scopes | string | No | Space-separated OAuth scopes (default: openid profile email) |
| oauthExtraParams | map | No | Additional query parameters for the authorization request |
| tls | string | No | Named TLS profile for provider communication |

For the complete field reference including health checks, offline access, and PKCE settings, see Identity Fabric.

Troubleshooting

  • Verify the OAuth consent screen is configured in the Google Cloud Console — the consent screen must be published or in test mode with authorized test users
  • Ensure the oauthRedirectURL matches exactly what is registered in the Google Cloud Console under Authorized redirect URIs
  • Check that the client secret reference resolves correctly via your secret provider
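
A pre-deployment check for the required keys and the exact redirect URI match described above. This is an added example, not Maverics or Google code: the function name check_connector, the sample connector values, and the list of registered URIs (copied by hand from the Google Cloud Console) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

GOOGLE_DISCOVERY = "https://accounts.google.com/.well-known/openid-configuration"
REQUIRED = ("name", "type", "oidcWellKnownURL", "oauthClientID",
            "oauthClientSecret", "oauthRedirectURL")


def _loose(url):
    """Loose form of a URL, used only to explain why an exact match failed."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), p.query)


def check_connector(conn, registered_uris):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"missing required key: {k}" for k in REQUIRED if not conn.get(k)]
    if conn.get("type") not in (None, "oidc"):
        findings.append("type must be oidc for Google Workspace")
    if conn.get("oidcWellKnownURL") not in (None, GOOGLE_DISCOVERY):
        findings.append("oidcWellKnownURL is not Google's discovery endpoint")
    # scopes is a space-separated string; the default is taken from the reference table
    if "openid" not in (conn.get("scopes") or "openid profile email").split():
        findings.append("scopes must include openid")
    redirect = conn.get("oauthRedirectURL")
    if redirect and redirect not in registered_uris:  # the match must be exact
        near = [u for u in registered_uris if _loose(u) == _loose(redirect)]
        if near:
            findings.append(f"oauthRedirectURL differs from registered {near[0]} "
                            "only by scheme/host case or a trailing slash")
        else:
            findings.append("oauthRedirectURL is not among the registered redirect URIs")
    return findings


# Constructed sample values; none come from a real deployment.
SAMPLE = {
    "name": "google-workspace",
    "type": "oidc",
    "oidcWellKnownURL": GOOGLE_DISCOVERY,
    "oauthClientID": "EXAMPLE_CLIENT_ID.apps.googleusercontent.com",
    "oauthClientSecret": "PLACEHOLDER_SECRET_REFERENCE",
    "oauthRedirectURL": "https://app.example.com/oidc/callback/",  # trailing slash
}
REGISTERED = ["https://app.example.com/oidc/callback"]

if __name__ == "__main__":
    for finding in check_connector(SAMPLE, REGISTERED):
        print(finding)
```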