
Google SSO

In this guide, you'll learn how to set up Google as a Single Sign-On provider in Coalesce.

Google Administrator

You must be a Google Cloud or Google Workspace Administrator with access to the Google Cloud Console to complete this process.

Before You Begin

Check Your Subdomain

Your subdomain is the subdomain of your Coalesce instance. For example, if you log in at https://yoursubdomain.app.coalescesoftware.io/, your subdomain is yoursubdomain.

To check if you already have a subdomain, go to your organization's Single Sign-On settings.

If you don't have a subdomain, you can add one in the Subdomain box. Coalesce automatically configures your subdomain based on the name you enter. Check with your IT team before adding it to your organization's settings.

Coalesce Org Settings Single Sign-On page showing empty Authority, Subdomain, Authorization Server, and OIDC Client ID fields

Google Setup

Google uses OpenID Connect for SSO. You'll create an OAuth 2.0 Client ID in the Google Cloud Console, which produces the Client ID and Client Secret you enter in Coalesce.

  1. In the Google Cloud Console, select or create the project you want to use for SSO.
  2. If you have not already configured the OAuth consent screen, go to APIs & Services > OAuth consent screen, then click Get Started.
  3. On App Information, enter the required details:
    1. App name
    2. User support email
  4. On Audience, select Internal. This limits the application to users in your organization.
  5. On Contact Information, enter the email address for someone who needs to be notified of changes by Google.
  6. On Finish, accept the Google API Services User Data Policy, then click Create.
Google Cloud OAuth consent screen Project configuration Finish step with User Data Policy checkbox and Create button

Configure Credentials

  1. Go to APIs & Services > Credentials.

  2. Click Create Credentials, then select OAuth client ID.

    Google Cloud Console Credentials page with Create credentials button and empty OAuth 2.0 Client IDs table
  3. Set Application type to Web application and enter a name, for example Coalesce SSO.

  4. Under Authorized redirect URIs, add the Coalesce callback URL. Replace yoursubdomain with the subdomain you created in Coalesce:

    • https://yoursubdomain.app.coalescesoftware.io/login/callback
  5. Optional: Under Authorized JavaScript origins, add your Coalesce login origin:

    • https://yoursubdomain.app.coalescesoftware.io
    Google Cloud Create OAuth client ID form with Web application type, authorized JavaScript origin, and redirect URI for Coalesce
  6. Click Create. Google displays a popup with your Client ID and Client Secret. Copy both values. You'll enter them in the Coalesce SSO configuration. You can also retrieve the Client Secret later from the credential details page.

Coalesce SSO Configuration

  1. Open a new window.

  2. Sign in to your Coalesce App using your username and password.

  3. Go to Organization Settings > Single Sign-On.

  4. Use the table below to map each Coalesce field to the Google values you collected:

    | Field | Description |
    | --- | --- |
    | Authority | The system being used for Single Sign-On. Choose Other. |
    | Subdomain | The subdomain you created during Before You Begin. |
    | Authorization Server | https://accounts.google.com |
    | OIDC Client ID | The Client ID from Google. It ends in .apps.googleusercontent.com. |
    | Server-Side Authorization | Toggle on. Google blocks browser cross-origin requests to its OpenID configuration and token endpoints, so server-side authorization is required. |
    | Authorization Endpoint | https://accounts.google.com/o/oauth2/auth. This field appears when Server-Side Authorization is on. |
    | Client Secret | The Client Secret from Google. Required for OIDC providers such as Google that require a client secret for server-side authentication. Click Edit to enter or update it. |
    Coalesce Org Settings Single Sign-On page filled in for Google with Other authority, subdomain, authorization server, OIDC Client ID, Server-Side Authorization enabled, authorization endpoint, and Client Secret
  5. Click Save.

  6. Log out of Coalesce.

  7. Go to your Coalesce login page, for example https://yoursubdomain.app.coalescesoftware.io/, and click Use Single Sign-On to log in with Google.

If you see an error message instead of the sign-on button, check that you entered the Client ID, Client Secret, and Authorization Endpoint correctly in your Coalesce SSO settings. If the problem persists, reach out to our Support Team.
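
A preflight check for the values collected in this guide, as an added example that is not part of Coalesce's documentation or product: it compares the redirect URI, JavaScript origin, and Coalesce field values against what the steps above specify. The function name `check_sso_settings` and the dictionary keys are hypothetical, and the sample values are constructed.

```python
from urllib.parse import urlsplit

# Expected values come from this guide; names below are hypothetical.
APP_DOMAIN = "app.coalescesoftware.io"
ISSUER = "https://accounts.google.com"
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID_SUFFIX = ".apps.googleusercontent.com"


def check_sso_settings(cfg):
    """Return a list of problems found in the planned SSO settings."""
    problems = []
    host = f"{cfg['subdomain']}.{APP_DOMAIN}"
    # Google matches the redirect URI exactly: scheme, host and path.
    r = urlsplit(cfg["redirect_uri"])
    if r.scheme != "https":
        problems.append("redirect URI must use https")
    if r.netloc != host:
        problems.append(f"redirect URI host must be {host}")
    if r.path != "/login/callback" or r.query or r.fragment:
        problems.append("redirect URI path must be exactly /login/callback")

    # A JavaScript origin is scheme and host only: no path, no trailing slash.
    origin = cfg.get("js_origin")
    if origin is not None and origin != f"https://{host}":
        problems.append(f"JavaScript origin must be exactly https://{host}")
    if not cfg["client_id"].endswith(CLIENT_ID_SUFFIX):
        problems.append(f"OIDC Client ID must end in {CLIENT_ID_SUFFIX}")
    if not cfg.get("client_secret"):
        problems.append("Client Secret is required")
    if cfg["authorization_server"] != ISSUER:
        problems.append(f"Authorization Server must be {ISSUER}")
    if cfg["authorization_endpoint"] != AUTH_ENDPOINT:
        problems.append(f"Authorization Endpoint must be {AUTH_ENDPOINT}")
    if not cfg.get("server_side_authorization"):
        problems.append("Server-Side Authorization must be toggled on")
    return problems


# Constructed sample values, not real credentials.
SAMPLE = {
    "subdomain": "yoursubdomain",
    "redirect_uri": "https://yoursubdomain.app.coalescesoftware.io/login/callback",
    "js_origin": "https://yoursubdomain.app.coalescesoftware.io",
    "client_id": "1234567890-example.apps.googleusercontent.com",
    "client_secret": "constructed-placeholder",
    "authorization_server": ISSUER, "authorization_endpoint": AUTH_ENDPOINT,
    "server_side_authorization": True,
}
print(check_sso_settings(SAMPLE) or "all settings match the guide")
```
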

Duplicate Accounts After SSO Setup

Separate SSO Account Creation

The creation of a separate SSO account is expected behavior and does not affect your existing basic auth account's permissions.

When you first authenticate using SSO in Coalesce, the system creates a new SSO account separate from your existing basic authentication account. This new SSO account is automatically assigned Org Member permissions by default.

If you previously had admin permissions through your basic auth account, you'll need to update the permissions for your new SSO account. To do this:

  1. Log in using your basic authentication credentials.
  2. Update the permissions for your SSO account.
  3. If you don't have admin access, contact your organization's admin to update the permissions.
