Google Workspace does not have a dedicated connector type. Use the generic oidc connector type with Google’s OIDC discovery endpoint.
The Maverics Orchestrator integrates with Google Workspace identity using the generic OIDC connector — enabling single sign-on for applications that need to authenticate Google Workspace users.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

Google Workspace supports standard OpenID Connect, so you can connect it to the Orchestrator using the generic OIDC connector with Google’s well-known discovery URL. This approach works for organizations that use Google Workspace as their primary identity provider or for hybrid environments that combine Google and other identity platforms.

Use Cases

  • Unify SSO for Google-first organizations — Extend Google Workspace authentication to legacy and enterprise applications that don’t support Google login natively, creating a single sign-on experience across your entire app portfolio
  • Rationalize duplicate IdPs — Consolidate identity platforms by routing Google Workspace users to applications previously managed by a separate IdP, reducing licensing and operational overhead
  • Hybrid Google/Microsoft environments — Orchestrate authentication across Google Workspace and Microsoft Entra ID from a single point, unifying access for organizations running both platforms after mergers or acquisitions

Setup

The Console does not have a dedicated Google Workspace option. Use Generic OIDC Configuration since Google Workspace supports standard OpenID Connect.
To configure Google Workspace as an identity provider in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Generic OIDC Configuration.
  3. Enter a Name for the connector (e.g., Google Workspace).
  4. Enter the OIDC Well Known URL: https://accounts.google.com/.well-known/openid-configuration
  5. Enter the OAuth Client ID from the Google Cloud Console (APIs & Services > Credentials).
  6. Enter the OAuth Client Secret from the Google Cloud Console.
  7. Add one or more Redirect URLs — the callback URL where Google redirects after authentication. This must match an Authorized redirect URI in the Google Cloud Console.
  8. Optionally add Logout Callback URLs for single logout.
  9. Optionally enter Scopes (e.g., openid profile email). Separate multiple scopes with a space.
  10. Proof Key for Code Exchange (PKCE) is enabled by default. Google supports PKCE, so leave this on.
  11. Optionally enable Offline Access if you need refresh tokens for ongoing attribute retrieval.
  12. Click Save.

Troubleshooting

  • Verify the OAuth consent screen is configured in the Google Cloud Console — the consent screen must be published or in test mode with authorized test users
  • Ensure the oauthRedirectURL matches exactly what is registered in the Google Cloud Console under Authorized redirect URIs
  • Check that the client secret reference resolves correctly via your secret provider
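
The exact-match requirement on the redirect URL (setup step 7 and the second troubleshooting item) is the usual cause of a failed sign-in, so the following added example, which is not part of the Maverics product or its documentation, compares a connector's redirect URL with a list of Authorized redirect URIs and names the component that differs. The function names and the `sso.example.com` URLs are constructed for illustration; the registered list is assumed to be copied by hand from the Google Cloud Console.

```python
from urllib.parse import urlsplit

def explain_mismatch(configured: str, registered: str) -> list[str]:
    """Name each URI component that keeps two redirect URIs from being identical."""
    a, b = urlsplit(configured), urlsplit(registered)
    reasons = []
    if a.scheme != b.scheme:
        reasons.append(f"scheme: {a.scheme} vs {b.scheme}")
    if a.netloc != b.netloc:
        if a.netloc.lower() == b.netloc.lower():
            reasons.append("host: letter case differs")
        elif a.hostname != b.hostname:
            reasons.append(f"host: {a.hostname} vs {b.hostname}")
        else:
            reasons.append(f"port: {a.port} vs {b.port}")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            reasons.append("path: trailing slash")
        else:
            reasons.append(f"path: {a.path} vs {b.path}")
    if a.query != b.query:
        reasons.append("query string differs")
    if configured != registered and not reasons:
        # Nothing above explains it, yet the strings are not byte-identical.
        reasons.append("raw strings differ (whitespace, encoding or fragment)")
    return reasons

def diagnose(configured: str, registered: list[str]) -> dict[str, list[str]]:
    """Return {} when an exact match exists, else the reasons per registered URI."""
    if configured in registered:
        return {}
    return {uri: explain_mismatch(configured, uri) for uri in registered}

# Constructed sample values, not taken from any real deployment.
REGISTERED = [
    "https://sso.example.com/oidc/callback",
    "https://sso.example.com/logout",
]

if __name__ == "__main__":
    for candidate in (
        "https://sso.example.com/oidc/callback",
        "https://sso.example.com/oidc/callback/",
        "http://SSO.example.com/oidc/callback",
    ):
        print(candidate, diagnose(candidate, REGISTERED) or "exact match")
```

An empty result means the connector value is byte-identical to a registered URI; any other result lists, per registered URI, what has to change before the two match.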