# Google Workspace

Avion supports Single Sign-On using Google Workspace and Cloud Identity through the generic OpenID connector. This guide walks you through configuring a Google Cloud Project and obtaining the configuration settings required for the integration.

### Step 1: Choose your SSO provider

In Avion, go to your organization's **Single Sign-On** section. Select **OpenID Connect** from the list of available providers:

![](https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2FsKFO6qLxgcxouooqN23i%2Fopenid-connect-selection.png?alt=media\&token=db42ffae-d559-41fb-a381-999e7813fe66)

### Step 2: Obtain OAuth 2.0 Credentials

We need to set up a new Google Cloud Project with OpenID configured as a credential so that we can obtain the following settings:

* Client ID
* Client Secret
* Authorization Endpoint
* Token Endpoint
* UserInfo Endpoint

#### Step 2.1: Create a Google Cloud Project

1. Go to your Google Developer Console dashboard for APIs & Services: <https://console.cloud.google.com/apis/dashboard>
2. Click **Create project**
3. Complete the form, ensuring you set the Project name to **Avion**

<figure><img src="https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2FTG8JuyEHoLdjmr5tTpsF%2Fgoogle-workspace-new-project.png?alt=media&#x26;token=879e0779-b8d8-432c-8a8a-2d12986e6956" alt=""><figcaption></figcaption></figure>

#### Step 2.2: Configure OAuth consent screen

1. Under your chosen project, select **OAuth consent screen** from the left-hand menu
2. Choose **Internal** as the User Type to ensure only users within your Google Workspace organisation can authenticate
3. Click **Create**

<figure><img src="https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2FLWT3St1xON7BYp57hdla%2Fgoogle-workspace-consent-screen.png?alt=media&#x26;token=3eb6712a-9eaf-45ea-8b4b-2ff71811cbdb" alt=""><figcaption></figcaption></figure>

On the **App information** screen that follows, set these values:

4. **App name:** Avion
5. **Support email:** Select appropriate option from dropdown
6. **App logo:** Download the logo below and upload

{% file src="<https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2F1KDWnHO4sSCLp6X6ycJn%2Favion-logo-sso.png?alt=media&token=5c2c1e7d-1668-4e8b-9a7e-e20e7e8b5b37>" %}

7. **Application home page:** <https://www.avion.io>
8. **Authorized domains:** avion.io
9. **Developer contact email:** Enter your IT team's email address
10. Click **Save and continue**

<figure><img src="https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2Fb88JhXpPFXkxuLeKBCR0%2FXnapper-2023-02-22-15.21.24.png?alt=media&#x26;token=c4a7907b-66ba-40ac-9449-fedbf05ad398" alt=""><figcaption></figcaption></figure>

11. On the next screen, add the following scopes, then click **Update**:
    1. **userinfo.email**
    2. **userinfo.profile**
    3. **openid**

<figure><img src="https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2Fz2zT8AQ38cuqPS5D6sok%2Fgoogle-workspace-scopes.png?alt=media&#x26;token=37f33490-72bd-4863-bac7-bf75ee8de9ea" alt=""><figcaption></figcaption></figure>

12. Finally, click **Save and continue**

#### Step 2.3: Create OAuth client

1. From the **Credentials** screen, click **Create credentials** and select **OAuth client ID**

<figure><img src="https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2F6RM1jqvexSnimF2Y6I1P%2Fgoogle-workspace-create-creds.png?alt=media&#x26;token=e3fc66b7-e3d6-49de-8286-269b4789160d" alt=""><figcaption></figcaption></figure>

2. On the next screen, set the following values:
   1. **Application type:** Web application
   2. **Name:** Avion
   3. **Authorized redirect URIs:** <https://auth.app.avion.io>
3. Click **Create**
4. Note down the **Client ID** and **Client secret**

<figure><img src="https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2FwHzrQlTVIEpneqTtErCW%2Fgoogle-workspace-oauth-client-values.png?alt=media&#x26;token=2599d247-0e5b-459d-9cb0-f6f144420b30" alt=""><figcaption></figcaption></figure>

### Step 3: OpenID Connect setup form

Now all that's left to do is configure our OpenID Connect integration using the values obtained from **Step 2** above:

1. **Client ID:** *use value obtained from **Step 2***
2. **Client secret:** *use value obtained from **Step 2***
3. **Auth endpoint:** <https://accounts.google.com/o/oauth2/auth>
4. **Token endpoint:** <https://www.googleapis.com/oauth2/v3/token>
5. **UserInfo endpoint:** <https://www.googleapis.com/oauth2/v3/userinfo>

Once you have populated the setup form with the relevant details, hit **Save Configuration** and you're done!

<figure><img src="https://3578170569-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LL6HR00hwiJJav4pLph%2Fuploads%2F0eS6GxVzli7tGDTD2dFW%2Fgoogle-workspace-avion-sso-form.png?alt=media&#x26;token=beaea3f0-96e3-4de2-bbb4-c2bf6b8c6d23" alt=""><figcaption></figcaption></figure>
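
Before saving, the Step 3 values can be sanity-checked so that a mistyped scheme or a lookalike host is caught before it goes into the form. The following is an added example, not Avion's code: the dictionary keys and function names are hypothetical, the client ID and secret are constructed placeholders, and the request it builds is a standard OpenID Connect authorization-code request, which is assumed rather than confirmed to be what Avion sends.

```python
from urllib.parse import urlencode, urlsplit

# Hosts of the three endpoints listed in Step 3 of this guide.
ALLOWED_HOSTS = {"accounts.google.com", "www.googleapis.com"}
# Redirect URI registered in Step 2.3.
REGISTERED_REDIRECT = "https://auth.app.avion.io"
# Scopes added in Step 2.2, written as full scope strings.
G = "https://www.googleapis.com/auth/"
SCOPES = ["openid", G + "userinfo.email", G + "userinfo.profile"]

def check_settings(cfg):
    """Return a list of problems found in the Step 3 form values."""
    problems = []
    if not cfg.get("client_id", "").endswith(".apps.googleusercontent.com"):
        problems.append("client_id: not a Google OAuth client ID")
    if not cfg.get("client_secret", "").strip():
        problems.append("client_secret: empty")
    for key in ("auth_endpoint", "token_endpoint", "userinfo_endpoint"):
        url = urlsplit(cfg.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key}: must use https")
        elif url.hostname not in ALLOWED_HOSTS:
            problems.append(f"{key}: unexpected host {url.hostname}")
        elif url.query or url.fragment:
            problems.append(f"{key}: must not carry a query or fragment")
    return problems

def authorization_url(cfg, state, nonce):
    """Build an authorization-code request for the configured client."""
    if check_settings(cfg):
        raise ValueError("refusing to build a request from invalid settings")
    query = urlencode({
        "client_id": cfg["client_id"],
        "redirect_uri": REGISTERED_REDIRECT,
        "response_type": "code",
        "scope": " ".join(SCOPES),
        "state": state,   # ties the callback to this browser session
        "nonce": nonce,   # echoed back in the ID token
    })
    return f"{cfg['auth_endpoint']}?{query}"

# Constructed sample values; the client ID and secret are placeholders.
SAMPLE = {
    "client_id": "000000000000-example.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER-SECRET",
    "auth_endpoint": "https://accounts.google.com/o/oauth2/auth",
    "token_endpoint": "https://www.googleapis.com/oauth2/v3/token",
    "userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
}
```

`check_settings(SAMPLE)` returns an empty list for the values in this guide; any entry in the returned list names the field to correct before saving.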
