How to Set Up Google SSO

This guide shows you how to enable Sign in with Google for users of your AlloyScan site. The flow uses an OAuth 2.0 client created in Google Cloud. After setup, the AlloyScan sign-in page displays a Sign in with Google button and users authenticate against your Google Workspace or Google Cloud project.

Prerequisites

  • You have the Administrator role on the AlloyScan site.
  • You have a Google Cloud project where you can create OAuth 2.0 client credentials, and (if you want to restrict sign-in to your company) a Google Workspace domain.
  • The SSO providers menu entry is visible at Admin Center > Site Settings > IAM > SSO providers. If the entry is missing, contact your vendor support to confirm that SSO providers are enabled for the deployment.
  • Users who will sign in with Google already have Active user records on the site (their Email in IAM > Users matches the Google account email).

Steps

1. Note the AlloyScan redirect URI

Important: A redirect URI mismatch is the most common cause of SSO failure. Capture the URI exactly as AlloyScan presents it before you create the OAuth client on the Google side.

  1. Navigate to Admin Center > Site Settings > IAM > SSO providers.
  2. Open the Google row to reveal the configuration form.
  3. Copy the Redirect URI value shown on the form. You will paste it into the Google OAuth client in the next step.

2. Create the OAuth client in Google Cloud

  1. Sign in to the Google Cloud Console and select the project you want to use.
  2. Go to APIs & Services > OAuth consent screen and configure the consent screen if you have not already:
    • Set the user type (Internal for a Google Workspace organisation, External otherwise).
    • Provide the app name, support email, and developer contact.
  3. Go to APIs & Services > Credentials and click Create credentials > OAuth client ID.
  4. Choose Web application as the application type and give it a name (for example, AlloyScan SSO — <site slug>).
  5. Under Authorized redirect URIs, click Add URI and paste the Redirect URI you copied from AlloyScan in step 1.
  6. Click Create.
  7. Copy the Client ID and the Client secret displayed in the confirmation dialog.

3. Configure the provider in AlloyScan

  1. Return to Admin Center > Site Settings > IAM > SSO providers in AlloyScan.
  2. On the Google row, paste the values from Google Cloud:
    • Client ID
    • Client secret
  3. Confirm that the Redirect URI on this form matches the one you authorised in the Google OAuth client.
  4. Toggle Google to ON.
  5. Click Save.

Verify

  1. Open a private or incognito browser window and navigate to your AlloyScan site sign-in page.
  2. Confirm that a Sign in with Google button is now displayed below the email and password fields.
  3. Click the button and complete the Google sign-in. If your Workspace enforces 2-Step Verification, that step happens here.
  4. After the redirect back to AlloyScan, you should land on the site Dashboard.
  5. Open Admin Center > Site Settings > Logs > Security log. The successful sign-in is recorded as a login event.

Note: If the user's email does not match an Active record in IAM > Users, the sign-in fails after the Google step. Add or activate the user in IAM > Users and retry.

Common pitfalls

  • Redirect URI mismatch. The most common failure mode. The URI authorised on the Google OAuth client must match the URI shown on the AlloyScan provider form character-for-character, including trailing slashes.
  • OAuth consent screen not published. A consent screen left in test or unpublished state restricts who can sign in.
  • Workspace domain restriction. If you set the OAuth consent screen user type to Internal for a Google Workspace organisation, only users in that domain can sign in.
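
To check for the redirect URI mismatch described above before testing sign-in, the following added example (not part of AlloyScan or Google tooling) compares the Redirect URI copied from the AlloyScan form with the redirect_uris list in the OAuth client's JSON file downloaded from the Google Cloud Credentials page, and names what differs. The URI, client ID and JSON content shown are constructed sample values.

```python
import json
from urllib.parse import urlsplit

# Constructed sample values; your site's real Redirect URI will differ.
ALLOYSCAN_URI = "https://alloyscan.example.com/sso/google/callback"
# Constructed stand-in for the client JSON downloaded from Google Cloud.
# The real file contains the client secret, so store it accordingly.
SAMPLE_CLIENT_JSON = json.dumps({"web": {
    "client_id": "0000000000-constructed.apps.googleusercontent.com",
    "client_secret": "REDACTED",
    "redirect_uris": [ALLOYSCAN_URI + "/",
                      ALLOYSCAN_URI.replace("https://", "http://")],
}})

def diagnose(expected, authorised):
    """Name what differs between two redirect URIs; [] means exact match."""
    if expected == authorised:
        return []
    if expected.strip() == authorised.strip():
        return ["leading or trailing whitespace"]
    e, a = urlsplit(expected.strip()), urlsplit(authorised.strip())
    reasons = []
    if e.scheme != a.scheme:
        reasons.append("scheme")
    if e.netloc != a.netloc:
        same = e.netloc.lower() == a.netloc.lower()
        reasons.append("host letter case" if same else "host or port")
    if e.path != a.path:
        if e.path.rstrip("/") == a.path.rstrip("/"):
            reasons.append("trailing slash")
        elif e.path.lower() == a.path.lower():
            reasons.append("path letter case")
        else:
            reasons.append("path")
    if (e.query, e.fragment) != (a.query, a.fragment):
        reasons.append("query string or fragment")
    return reasons or ["other character difference"]

def check_client(expected, client_json):
    """Return (ok, report); report maps each non-matching URI to its reasons."""
    uris = json.loads(client_json)["web"].get("redirect_uris", [])
    if expected in uris:
        return True, {}
    return False, {u: diagnose(expected, u) for u in uris}

if __name__ == "__main__":
    ok, report = check_client(ALLOYSCAN_URI, SAMPLE_CLIENT_JSON)
    print("match" if ok else "MISMATCH")
    for uri, reasons in report.items():
        print(f"  {uri!r}: {', '.join(reasons)}")
```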