Google (OIDC) SSO Setup Guide
Descope supports SSO providers both with OIDC and SAML. This guide will showcase how to integrate Google as an OpenID Connect (OIDC) SSO provider with a Tenant in Descope.
Configuration Steps
1. Tenant and SSO Setup
- Begin by creating your tenant in Descope. Navigate to Authentication Methods under your tenant settings.
- Select SSO, then choose OIDC from the available options.
2. Google Application Creation
- You will need to follow the steps here to create an OAuth Google app.
- Once this step is completed, you can see the Client ID and Client Secret, which will be required when configuring SSO on the Descope side.
- Ensure your OIDC application is set to use Authorization Code. Configure the redirect URI to include Descope's OAuth callback.
- If you're a Pro or Enterprise user, this callback will use your own custom domain or CNAME. Example: if auth.example.com is your custom domain, the redirect URI will look like https://auth.example.com/v1/auth/oauth/callback.
- For others: use the default https://api.descope.com/v1/oauth/callback.
- Once you have the credentials application set up, create an OAuth consent screen app to fill in information about authorized domains, scopes and users.
- Here the domain entered is descope.com. Click Save and Continue.
3. Scope Configuration
- Configure your Google app to include the necessary scopes. At a minimum, you should have email, openid and profile.
4. Test User Setup
- This step is entirely optional, but if you wish to add a test user to test the OIDC flow with Descope, this is where you configure it.
5. OIDC Configuration in Descope
- Under your Tenant Settings in the Descope Console, proceed to configure OIDC with the details from your Google setup:
- Input your SSO domain; this is the email domain of the users of your SSO-enabled tenant.
- Enter Google-OIDC as the Provider Name.
- Insert the Client ID, Client Secret, and scopes (openid, email, and profile) that you configured in Steps 2 and 3.
- Change the grant type to Authorization Code.
- In the Connection Settings, input the authorization, token, userinfo, and JWKS endpoints provided by Google (usually found here).
- Ensure that attribute mapping is correctly set up to match the claims provided by Google.
At the end of the configuration, it should look something like this:
Handling Multiple Google Accounts
When using SSO with Google, a user may already be authenticated with a Google account that is not associated with the SSO for the given tenant. When this occurs, the flow will automatically try to authenticate the account that is already signed in, without prompting the user to sign in to a different Google account. When the non-SSO account returns to the flow, the user will see a 403 unauthorized error or a failed exchange of the SSO token.
To resolve this, switch the Prompt configuration within the tenant's OIDC configuration to Select Account, which will always prompt the user to select a Google account and gives them the ability to sign in to another Google account.
Note
The Prompt configuration here has the same values used with Custom OAuth providers. To learn more about Prompt, refer here.
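The following is an added example, not Descope's or Google's own code, showing what the Step 5 settings and the Select Account prompt amount to on the wire: it builds the Authorization Code request Descope sends to Google for a tenant configured as in this guide, then applies the checks a relying party makes on the decoded ID token (issuer, audience, expiry, nonce, and whether the account's email domain is the tenant's SSO domain, which is the mismatch behind the 403 described above) and maps Google's standard claims to user fields. The endpoint URLs are those published in Google's OpenID discovery document; the client ID, SSO domain, sample token payload, and the target field names in the attribute mapping are constructed placeholders for this example.

```python
import secrets
import time
from urllib.parse import urlencode

# Endpoints as published in Google's OpenID discovery document
# (https://accounts.google.com/.well-known/openid-configuration); these are the
# values entered under Connection Settings in Step 5.
GOOGLE_ISSUER = "https://accounts.google.com"
GOOGLE_AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GOOGLE_USERINFO_ENDPOINT = "https://openidconnect.googleapis.com/v1/userinfo"
GOOGLE_JWKS_URI = "https://www.googleapis.com/oauth2/v3/certs"

# Tenant OIDC settings as described in the guide. Client ID and SSO domain are
# constructed placeholders, not real values.
TENANT = {
    "provider_name": "Google-OIDC",
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "redirect_uri": "https://api.descope.com/v1/oauth/callback",  # default callback
    "scopes": ["openid", "email", "profile"],                      # minimum scopes
    "sso_domain": "example.com",      # email domain of the tenant's users
    "prompt": "select_account",       # fix from "Handling Multiple Google Accounts"
}


def authorization_params(tenant, state, nonce):
    """Query parameters of the Authorization Code request sent to Google.
    prompt=select_account forces the account chooser even when a Google session
    already exists, so an already-signed-in non-SSO account is not reused."""
    params = {
        "response_type": "code",                # Authorization Code grant
        "client_id": tenant["client_id"],
        "redirect_uri": tenant["redirect_uri"],
        "scope": " ".join(tenant["scopes"]),
        "state": state,                         # CSRF protection, checked on callback
        "nonce": nonce,                         # bound into the ID token, checked below
    }
    if tenant.get("prompt"):
        params["prompt"] = tenant["prompt"]
    return params


def build_authorization_url(tenant, state, nonce):
    return GOOGLE_AUTHORIZATION_ENDPOINT + "?" + urlencode(authorization_params(tenant, state, nonce))


def validate_id_token_claims(claims, tenant, expected_nonce, now=None):
    """Checks on the decoded ID token payload, assuming its signature was already
    verified against GOOGLE_JWKS_URI (not shown). Returns a list of problems;
    an empty list means the token is acceptable for this tenant."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") not in (GOOGLE_ISSUER, "accounts.google.com"):  # Google uses either form
        problems.append("issuer is not Google")
    if claims.get("aud") != tenant["client_id"]:
        problems.append("audience is not this tenant's Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if not claims.get("email_verified"):
        problems.append("email not verified by Google")
    domain = claims.get("email", "").rpartition("@")[2].lower()
    if domain != tenant["sso_domain"].lower():
        # The case the guide describes: the Google account that came back is not
        # in the tenant's SSO domain, so the SSO token exchange must be refused.
        problems.append("account domain '%s' is not the tenant SSO domain" % domain)
    return problems


def map_attributes(claims):
    """Attribute mapping from Google's standard OIDC claims; the target field
    names are this example's own, not Descope's."""
    return {
        "login_id": claims["email"],
        "external_id": claims["sub"],           # stable Google account identifier
        "display_name": claims.get("name", ""),
        "given_name": claims.get("given_name", ""),
        "family_name": claims.get("family_name", ""),
    }


def sample_claims(tenant, nonce, now):
    """Constructed payload resembling a decoded Google ID token (not real data)."""
    return {
        "iss": GOOGLE_ISSUER, "aud": tenant["client_id"], "sub": "100000000000000000001",
        "exp": now + 300, "nonce": nonce, "email": "alice@example.com",
        "email_verified": True, "name": "Alice Example",
        "given_name": "Alice", "family_name": "Example", "hd": "example.com",
    }


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(TENANT, state, nonce))
    now = int(time.time())
    ok = sample_claims(TENANT, nonce, now)
    print(validate_id_token_claims(ok, TENANT, nonce, now))       # no problems
    stray = dict(ok, email="alice@gmail.com", hd=None)            # signed-in non-SSO account
    print(validate_id_token_claims(stray, TENANT, nonce, now))    # domain problem reported
    print(map_attributes(ok))
```

Running the block prints the authorization URL containing prompt=select_account, then an empty problem list for the constructed tenant-domain token and a domain-mismatch problem for the constructed personal-account token, which is the situation the Select Account setting prevents from being reached silently.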
6. Using SSO in Your Flow
- Finally, use the SSO action within your Descope flow. Refer here to see how this can be achieved using Flows. Google will now serve as the SSO provider for all users associated with the specific tenant you configured.
By following these steps, you will have successfully set up Google as an OIDC provider using Authorization Code in Descope.