Set up SSO with Google
This guide connects Google to KloudMate using OIDC, via OAuth credentials you create in Google Cloud. Google is OIDC-only here — there’s no SAML variant in this guide.
Before you start
- You’re the KloudMate organization owner on a paid plan.
- You can create credentials in a Google Cloud project.
- You use Google Workspace with your own domain (so you can verify it later).
1. Configure the OAuth consent screen
- In the Google Cloud console, pick or create a project.
- Go to APIs & Services → OAuth consent screen.
- Choose Internal if you want only your Workspace users (recommended), complete the app name and support email, and save.
2. Create OAuth credentials
- Go to APIs & Services → Credentials → Create credentials → OAuth client ID.
- Choose Web application.
- Under Authorized redirect URIs, add:
- Create the client, then copy the Client ID and Client secret.
3. Add the connection in KloudMate
Open Connections → Add connection, choose OIDC, and fill in:
- Display name — Google
- Discovery URL:
- Client ID and Client secret — from the OAuth client
- Scopes — leave as openid email profile
Click Add connection.
Email mapping
With the email scope (included by default), Google returns the user’s email in the ID token, which is exactly what KloudMate reads — no extra mapping needed.
4. Restrict to your domain
Because Google itself doesn’t gate this flow to one company, KloudMate’s domain verification does the gating:
- Verify your company domain — your Workspace domain, for example acme.com.
- Only emails on that verified domain route through this connection when someone signs in by email.
Then choose a provisioning mode. With invite-only, even a user who authenticates with Google must already be invited — recommended given Google’s open consent flow.
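To show what gating on a verified domain plus invite-only provisioning means at the claim level, here is an added sketch; it is not KloudMate's code and does not describe its internals. It assumes the ID token signature was already verified by an OIDC library, and the function name, client ID, users and invite list are hypothetical; hd is Google's hosted-domain claim for Workspace accounts.

```python
# Added illustration, not KloudMate code. Assumes the ID token signature was
# already verified by an OIDC library; only the decoded claims are checked here.
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def gate_google_login(claims, client_id, verified_domain, invited, now=None):
    """Return (allowed, reason) for verified Google ID token claims."""
    now = time.time() if now is None else now
    domain = verified_domain.lower()
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != client_id:
        return False, "token issued to another client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    email = str(claims.get("email", "")).strip().lower()
    local, sep, email_domain = email.rpartition("@")
    # Exact match after the last "@"; suffix checks accept lookalike domains.
    if not sep or not local or email_domain != domain:
        return False, "email outside verified domain"
    # hd is Google's hosted-domain claim; personal accounts do not carry it.
    if str(claims.get("hd", "")).lower() != domain:
        return False, "not a Workspace account on the verified domain"
    if email not in invited:  # invite-only provisioning
        return False, "user not invited"
    return True, "ok"

# Constructed sample data (hypothetical client ID and users).
NOW = 1_700_000_000
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
INVITED = {"alice@acme.com"}
BASE = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
        "exp": NOW + 3600, "email": "alice@acme.com",
        "email_verified": True, "hd": "acme.com"}
SAMPLES = {
    "invited Workspace user": BASE,
    "Workspace user, not invited": {**BASE, "email": "bob@acme.com"},
    "lookalike domain": {**BASE, "email": "alice@acme.com.evil.example"},
    "acme.com address without hd": {k: v for k, v in BASE.items() if k != "hd"},
    "token for another client": {**BASE, "aud": "other-client"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, "->", gate_google_login(claims, CLIENT_ID, "acme.com", INVITED, NOW))
```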
Finish up
Test sign-in: on the login page, type a Workspace email on your verified domain and click Sign in with SSO.
Hitting an error? See Troubleshooting.