SSO setup — Google Workspace
Step-by-step single sign-on setup for Google Workspace (OIDC), with exact OAuth client values, allowed domains, and enforcement.
Google Workspace connects to Pact via OIDC (not SAML). You create an OAuth 2.0 client in Google Cloud, paste the client ID/secret reference into Pact's guided wizard, and restrict to your domains. About 5 minutes.
Before you start
- Owner or admin in Pact.
- Access to Google Cloud Console for a project in your Google Workspace org.
- Your Workspace domain (e.g. acme.com).
Pact's redirect URI
| Field | Value |
|---|---|
| Authorized redirect URI | https://<your-pact-host>/v1/auth/sso/oidc/callback |
The exact value is shown (with a copy button) in the Google Workspace wizard at Admin → Single Sign-On → Google Workspace → Configure.
1. Create the OAuth client in Google Cloud
- Google Cloud Console → APIs & Services → Credentials → Create Credentials → OAuth client ID.
- Application type: Web application. Name it "Pact".
- Authorized redirect URIs → add Pact's redirect URI above.
- Create. Copy the Client ID and Client secret.
- Set the OAuth consent screen's User type to Internal (the console asks you to configure the consent screen before it will create a client) so that only accounts in your Workspace org can authenticate. This is the Google-side gate; Pact's allowed email domains (step 2) is the Pact-side one.
2. Configure in Pact
- Admin → Single Sign-On → Google Workspace → Configure.
- Step 1 (Setup in Google) confirms the redirect URI — copy it into Google if you haven't.
- Step 2 (Credentials):
- Client ID → from Google.
- Client secret → store it via the credentials store (per Pact's credentials-via-UI rule, secrets are never environment variables).
- Allowed email domains → acme.com (comma-separated; blank = any). This restricts which Google accounts may sign in. Because Pact JIT-provisions on first login, a blank value means any account Google authenticates gets a Pact user, so set it unless that is what you want.
- Step 3 (Save) writes the OIDC config (provider="google_workspace").
Pact validates Google's id_token strictly (issuer, audience, signature via Google's JWKS, expiry/nbf, nonce) and JIT-provisions the user on first login.
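The checks in the paragraph above, worked through as an added example. This is illustrative code written for this page, not Pact's implementation and not Google's client library; it is in Go because the standard library can do RS256 offline. It generates a throwaway RSA key standing in for Google's signing key, publishes it as a kid-keyed JWKS, mints an id_token the way an IdP would, and validates it in the order the paragraph describes: signature first, using the key named by kid with the algorithm pinned, then issuer, audience, expiry, nonce, email_verified and the wizard's Allowed email domains. The client ID, kid, user and domain values are made up; the two issuer strings are Google's published forms. The nbf check is not implemented here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// idClaims are the id_token claims the sign-in decision depends on; all other claims are ignored.
type idClaims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Nonce         string `json:"nonce"`
	Exp           int64  `json:"exp"`
}

// Validator holds what the wizard configures (client ID, allowed domains) plus Google's published keys.
type Validator struct {
	ClientID       string                    // the OAuth client ID created in Google Cloud (made-up value below)
	AllowedDomains map[string]bool           // empty = any domain, like the wizard's blank setting
	Keys           map[string]*rsa.PublicKey // Google's JWKS keyed by kid (fetched from its jwks_uri in real life)
}

// Validate verifies the signature first, then issuer, audience, expiry, nonce and domain.
func (v *Validator) Validate(token, expectedNonce string) (*idClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, errors.New("malformed token")
	}
	pub, ok := v.Keys[hdr.Kid] // key chosen by kid from the JWKS, alg pinned: the token picks neither (no alg=none, no key confusion)
	if hdr.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c idClaims // nothing in the payload is trusted until the signature has verified
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com": // Google uses both forms
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != v.ClientID: // a token minted for another app's client ID must not sign anyone in here
		return nil, errors.New("audience is not this client")
	case time.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case expectedNonce == "" || c.Nonce != expectedNonce: // the nonce ties the token to this login attempt
		return nil, errors.New("nonce mismatch")
	case !c.EmailVerified: // the email claim is only an identity once Google says it has verified it
		return nil, errors.New("email not verified by Google")
	case len(v.AllowedDomains) > 0 && !v.AllowedDomains[strings.ToLower(c.Email[strings.LastIndex(c.Email, "@")+1:])]:
		return nil, fmt.Errorf("account %q is outside the allowed domains", c.Email) // the wizard's Allowed email domains
	}
	return &c, nil
}

// mint signs claims the way an IdP would; used here only to build test tokens offline.
func mint(priv *rsa.PrivateKey, kid string, c idClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// newFixture: a throwaway key standing in for Google's, plus made-up client ID and domain values (not real Pact settings).
func newFixture() (*Validator, *rsa.PrivateKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Validator{
		ClientID:       "123456789012-example.apps.googleusercontent.com",
		AllowedDomains: map[string]bool{"acme.com": true},
		Keys:           map[string]*rsa.PublicKey{"k1": &priv.PublicKey},
	}, priv
}

func main() {
	v, priv := newFixture()
	fmt.Println(v.Validate(mint(priv, "k1", idClaims{Iss: "https://accounts.google.com", Aud: v.ClientID,
		Email: "alice@acme.com", EmailVerified: true, Nonce: "n-1", Exp: time.Now().Unix() + 3600}), "n-1"))
}
```

The one ordering rule worth keeping when adapting this: decode and verify the signature against a key the validator already holds before any claim is read, and reject any token whose header names an algorithm or kid you did not expect. A wrong nonce, a token issued to another client ID, a token signed by a key that is not in the JWKS, a payload swapped under a valid signature, or an alg=none header must each fail; a blank allowed-domains set accepts any domain, exactly as the wizard's blank value does.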
3. Test
Sign out, go to /login, and choose Sign in with Google (shown once the provider is enabled for your tenant). On success the user is created/linked and the event is audited.
4. Verify domain + enforce + break-glass
- Admin → SSO → Domains → add acme.com, add the DNS TXT record, Verify. Verified domains can auto-route new users to SSO.
- Designate a break-glass admin under Enforcement → Break-glass emergency admins first.
- Toggle Require SSO for all users to close password/passkey login.
Break-glass admins keep password login so you can still get in if Google sign-in is ever unavailable; every such login is audited as auth.break_glass.used.
Notes
- Google Workspace can also do SAML if you prefer; this guide uses OIDC, which is the lower-friction path for Workspace.
- For automated user provisioning/deprovisioning from Google, drive SCIM provisioning (Google supports SCIM via the Workspace Admin SDK / a SCIM connector) against https://<your-pact-host>/scim/v2.