> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Google Workspace (OIDC)

<Note>
  Google Workspace does not have a dedicated connector type. Use the generic `oidc` connector type with Google's OIDC discovery endpoint.
</Note>

The Maverics Orchestrator integrates with Google Workspace identity using the generic OIDC connector -- enabling single sign-on for applications that need to authenticate Google Workspace users.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

Google Workspace supports standard OpenID Connect, so you can connect it to the Orchestrator using the generic OIDC connector with Google's well-known discovery URL. This approach works for organizations that use Google Workspace as their primary identity provider or for hybrid environments that combine Google and other identity platforms.

## Use Cases

* **Unify SSO for Google-first organizations** -- Extend Google Workspace authentication to legacy and enterprise applications that don't support Google login natively, creating a single sign-on experience across your entire app portfolio
* **Rationalize duplicate IdPs** -- Consolidate identity platforms by routing Google Workspace users to applications previously managed by a separate IdP, reducing licensing and operational overhead
* **Hybrid Google/Microsoft environments** -- Orchestrate authentication across Google Workspace and Microsoft Entra ID from a single point, unifying access for organizations running both platforms after mergers or acquisitions

## Setup

<Tabs>
  <Tab title="Console UI">
    <Note>
      The Console does not have a dedicated Google Workspace option. Use **Generic OIDC
      Configuration** since Google Workspace supports standard OpenID Connect.
    </Note>

    To configure Google Workspace as an identity provider in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **Generic OIDC Configuration**.
    3. Enter a **Name** for the connector (e.g., `Google Workspace`).
    4. Enter the **OIDC Well Known URL**: `https://accounts.google.com/.well-known/openid-configuration`
    5. Enter the **OAuth Client ID** from the Google Cloud Console (APIs & Services > Credentials).
    6. Enter the **OAuth Client Secret** from the Google Cloud Console.
    7. Add one or more **Redirect URLs** -- the callback URL where Google redirects after authentication. This must match an Authorized redirect URI in the Google Cloud Console.
    8. Optionally add **Logout Callback URLs** for single logout.
    9. Optionally enter **Scopes** (e.g., `openid profile email`). Separate multiple scopes with a space.
    10. **Proof Key for Code Exchange (PKCE)** is enabled by default. Google supports PKCE, so leave this on.
    11. Optionally enable **Offline Access** if you need refresh tokens for ongoing attribute retrieval.
    12. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml theme={null}
    connectors:
      - name: google
        type: oidc
        oidcWellKnownURL: "https://accounts.google.com/.well-known/openid-configuration"
        oauthClientID: "{{ env.GOOGLE_CLIENT_ID }}"
        oauthClientSecret: <vault.google_client_secret>
        oauthRedirectURL: "https://app.example.com/oidc/callback"
        scopes: "openid profile email"
    ```

    <Note>
      OAuth credentials for Google Workspace must be created in the Google Cloud Console under APIs & Services > Credentials. Create an "OAuth 2.0 Client ID" of type "Web application" and add the `oauthRedirectURL` to the Authorized redirect URIs.
    </Note>

    ## Configuration Reference

    | Key                 | Type   | Required | Description                                                                                      |
    | ------------------- | ------ | -------- | ------------------------------------------------------------------------------------------------ |
    | `name`              | string | Yes      | Unique connector identifier referenced in app policies                                           |
    | `type`              | string | Yes      | Must be `oidc` (Google uses the generic OIDC connector)                                          |
    | `oidcWellKnownURL`  | string | Yes      | Google's OIDC discovery endpoint: `https://accounts.google.com/.well-known/openid-configuration` |
    | `oauthClientID`     | string | Yes      | OAuth 2.0 client ID from the Google Cloud Console                                                |
    | `oauthClientSecret` | string | Yes      | OAuth 2.0 client secret (use secret reference syntax)                                            |
    | `oauthRedirectURL`  | string | Yes      | Callback URL registered in the Google Cloud Console credentials                                  |
    | `scopes`            | string | No       | Space-separated OAuth scopes (default: `openid profile email`)                                   |
    | `tls`               | string | No       | Named TLS profile for provider communication                                                     |

    For the complete field reference including health checks, offline access, and PKCE settings, see [Identity Fabric](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the OAuth consent screen** is configured in the Google Cloud Console -- the consent screen must be published or in test mode with authorized test users
* **Ensure the `oauthRedirectURL` matches exactly** what is registered in the Google Cloud Console under Authorized redirect URIs
* **Check that the client secret reference resolves correctly** via your secret provider

## Related Pages

<CardGroup cols={2}>
  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Generic OIDC" icon="key" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Generic OpenID Connect connector
  </Card>

  <Card title="Microsoft Entra ID" icon="microsoft" href="/reference/orchestrator/identity-fabric/azure-ad">
    OIDC connector for Microsoft Entra ID
  </Card>

  <Card title="Okta" icon="shield-halved" href="/reference/orchestrator/identity-fabric/okta">
    OIDC connector for Okta
  </Card>
</CardGroup>
