Google (OIDC) SSO Setup Guide

Descope supports SSO providers using both OIDC and SAML. This guide shows how to integrate Google as an OpenID Connect (OIDC) SSO provider with a tenant in Descope.

Configuration Steps

1. Tenant and SSO Setup

  • Begin by creating your tenant in Descope. Navigate to Authentication Methods under your tenant settings.
  • Select SSO, then choose OIDC from the available options.

SSO Provider in Descope

2. Google Application Creation

  1. Follow the steps here to create a Google OAuth app.
  • Once this step is completed, you will see the Client ID and Client Secret, which are required when configuring SSO on the Descope side.

Google Application Creation

  2. Ensure your OIDC application is set to use Authorization Code. Configure the redirect URI to include Descope's OAuth callback.
  • If you're a Pro or Enterprise user, this callback will use your own custom domain or CNAME. Example: if auth.example.com is your custom domain, the redirect URI will look like https://auth.example.com/v1/auth/oauth/callback.
  • For others: use the default https://api.descope.com/v1/oauth/callback.
  3. Once the application credentials are set up, create an OAuth consent screen app to fill in information about the authorized domain, scopes and users.
  • Here the domain entered is descope.com. Click Save and Continue.

Consent Screen Google

3. Scope Configuration

  • Configure your Google application to include the necessary scopes. At a minimum, you should have email, openid and profile.

Google OIDC Scope Setup

4. Test User Setup

  • This step is entirely optional, but if you wish to add a test user to test the OIDC flow with Descope, this is where you configure it.

Google OIDC Test User

5. OIDC Configuration in Descope

  • Under your Tenant Settings in the Descope Console, proceed to configure OIDC with the details from your Google setup:
    • Input your SSO domain: this is the email domain of the users of your SSO-enabled tenant.
    • Enter Google-OIDC as the Provider Name.
    • Insert the Client ID, Client Secret, and scopes (openid, email, and profile) that you configured in Steps 2 and 3.
    • Change the grant type to Authorization Code.
    • In the Connection Settings, input the authorization, token, userinfo, and JWKS endpoints provided by Google (usually found here).
    • Ensure that attribute mapping is correctly set up to match the claims provided by Google.

At the end of the configuration, it should look something like this:

End of Descope Configuration

Handling Multiple Google Accounts

When using SSO with Google, a user may already be authenticated with a Google account that is not associated with the SSO configuration of the given tenant. When this occurs, the flow will automatically try to authenticate with the account that is already signed in, without prompting the user to sign into a different Google account. When that non-SSO account returns to the flow, the user will see a 403 unauthorized error or a failed exchange of the SSO token. To resolve this, switch the Prompt configuration within the tenant's OIDC configuration to Select Account, which always prompts the user to select a Google account and gives them the ability to sign into another Google account.

Google Select Account

Note

The Prompt configuration here has the same values as those used with Custom OAuth providers. To learn more about Prompt, refer here.
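To make the Authorization Code request and the account-mismatch failure above concrete, here is an added example (not Descope's or Google's code) of what an OIDC relying party does with the values configured in Steps 2 to 5: it builds the Google authorization request with the openid, email and profile scopes and prompt=select_account, and checks the decoded ID token claims so that a signed-in Google account outside the tenant's SSO domain is rejected before any session is issued. It assumes Google's published authorization endpoint and issuer values; JWT signature verification against Google's JWKS endpoint is a separate step not shown here.

```python
# Added example (not Descope's or Google's code): build the Google OIDC
# authorization request this guide configures (Authorization Code grant,
# openid/email/profile scopes, prompt=select_account) and apply the relying-party
# checks on the decoded ID token claims that catch the wrong-account case.
# Assumption: endpoint URL and issuer values are Google's published OIDC values;
# JWT signature verification against Google's JWKS is a separate step not shown.
import time
from urllib.parse import urlencode

GOOGLE_AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
REQUIRED_SCOPES = ("openid", "email", "profile")


def build_authorization_url(client_id, redirect_uri, state, nonce, prompt="select_account"):
    """Authorization Code request. prompt=select_account always shows the account
    chooser, so an already signed-in non-SSO Google account is not silently reused."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match the URI registered in Google
        "response_type": "code",
        "scope": " ".join(REQUIRED_SCOPES),
        "state": state,                 # CSRF binding, compared on callback
        "nonce": nonce,                 # replay binding, echoed in the ID token
        "prompt": prompt,
    }
    return f"{GOOGLE_AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def check_id_token_claims(claims, client_id, sso_domain, expected_nonce, now=None):
    """Return (ok, reason). Rejects tokens not issued by Google for this client,
    expired or replayed tokens, unverified emails, and accounts whose email domain
    is not the tenant's SSO domain (the case the guide describes as a 403)."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("aud") != client_id:
        return False, "audience is not this client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if claims.get("email_verified") is not True:
        return False, "email not verified by Google"
    domain = claims.get("email", "").rpartition("@")[2].lower()
    if domain != sso_domain.lower():
        return False, f"account domain {domain!r} is not the SSO domain"
    return True, "ok"
```

The domain check mirrors the tenant's SSO domain setting from Step 5; a token for an account outside that domain is the situation that otherwise surfaces as the 403 described above.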

6. Using SSO in Your Flow

  • Finally, use the SSO action within your Descope flow. Refer here to see how this can be achieved using Flow. Google will now serve as the SSO provider for all users associated with the specific tenant you configured.

By following these steps, you will have successfully set up Google as an OIDC provider using Authorization Code in Descope.
