Google Workspace as a Hub federation member
Federate Hub to a Google Workspace tenant. Common at small-mid SaaS customers.
- google-workspace
- oidc
- idp
Tested against: hub: 1.0.0, googleWorkspace: 2026 Q1
What this enables
Google Workspace users sign into your app through Hub. Hub federates to Google's OIDC; users land in your app with a normalised profile.
Prereqs
- Google Cloud project (any project works; Workspace tenant is implicit)
- Workspace admin access to OAuth consent screen + credentials
Step 1 — In Google Cloud
APIs & Services → Credentials → Create Credentials → OAuth Client ID → Web application. Configure:
| Field | Value |
|---|---|
| Application type | Web application |
| Authorized redirect URIs | https://hub.thoryn.org/login/oauth2/code/google |
Note the Client ID and Client Secret. Then on the OAuth consent screen, set:
- User type: Internal (workspace-only) or External (with verified domain)
- Scopes: openid, email, profile
Step 2 — In Thoryn
Federation-member YAML:

```yaml
id: google-workspace
name: "Google Workspace — your-domain.com"
type: oidc
issuer: https://accounts.google.com
client_id: ${GOOGLE_CLIENT_ID}
client_secret: ${GOOGLE_CLIENT_SECRET}
scopes:
  - openid
  - email
  - profile
hosted_domain: your-domain.com   # restrict to your Workspace
claim_mappings:
  sub: sub
  email: email
  given_name: given_name
  family_name: family_name
  hd: hosted_domain   # used to enforce the hosted_domain match
```

Step 3 — Test
Login flow goes Hub → Google → consent screen → back. Verify the email ends in your Workspace domain — if hd doesn't match, Hub rejects the login.
Troubleshooting
- Personal Google accounts logging in: set `hosted_domain` (the hd claim) in the federation-member YAML and Hub will reject anyone outside your Workspace.
- Custom Workspace claims: Google doesn't expose group membership through OIDC. Use Google's Admin SDK + a webhook synchroniser (separate flow) to keep groups in sync.
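To make the Step 3 check and the first troubleshooting item concrete, here is an added example (not Hub/Thoryn code) of how the `hosted_domain` enforcement behaves on the ID-token claims: it applies the `claim_mappings` from the YAML above, then accepts only a token whose `hd` claim equals the configured domain. Personal Google accounts carry no `hd` claim at all, so a missing claim is rejected rather than passed through. The tokens are constructed, unsigned samples; signature, issuer and audience verification are assumed to happen upstream in the OIDC layer.

```python
import base64
import json

# Claim mappings as given in the federation-member YAML on this page.
CLAIM_MAPPINGS = {
    "sub": "sub",
    "email": "email",
    "given_name": "given_name",
    "family_name": "family_name",
    "hd": "hosted_domain",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Constructed, unsigned sample ID token (header.payload.signature) for
    this demo only; a real token from accounts.google.com is signed."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."

def decode_payload(id_token: str) -> dict:
    """Decode the payload segment. Signature, issuer and audience checks are
    assumed to have been done upstream by the OIDC layer, not here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def normalise_profile(claims: dict) -> dict:
    """Apply claim_mappings; the hd claim lands in the profile as hosted_domain."""
    return {dst: claims[src] for src, dst in CLAIM_MAPPINGS.items() if src in claims}

def check_hosted_domain(profile: dict, hosted_domain: str) -> tuple:
    """Return (accepted, reason). A missing hd claim means a personal account."""
    hd = profile.get("hosted_domain")
    if hd is None:
        return False, "no hd claim (personal Google account)"
    if hd.lower() != hosted_domain.lower():
        return False, f"hd {hd!r} does not match {hosted_domain!r}"
    return True, "ok"

def federate(id_token: str, hosted_domain: str = "your-domain.com") -> tuple:
    """Full path: decode -> normalise -> enforce hosted_domain."""
    return check_hosted_domain(normalise_profile(decode_payload(id_token)), hosted_domain)
```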