Skip to content

Google Workspace SSO

Google Workspace SSO on RunWhen SaaS uses Auth0 as the broker. Your Google Cloud admin prepares an OAuth client; RunWhen support wires it into your Auth0 connection during SSO onboarding.

These steps happen in Google Cloud Console (not the Workspace Admin console). You need a project with permission to enable APIs and create OAuth credentials.

Before you start

ItemDetail
Redirect URIhttps://auth.runwhen.com/login/callback
Authorized JavaScript originhttps://auth.runwhen.com
What to send RunWhenOAuth client ID and client secret (via secure channel support provides)

Contact support@runwhen.com first if SSO onboarding has not started — RunWhen assigns your Auth0 connection name and confirms domain mapping.


Step 1 — Enable the Admin SDK API

  1. Open Google Cloud Console and select the project that will own the OAuth client (or create one).
  2. Go to APIs & Services → Library.
  3. Search for Admin SDK API and open the product page.
  4. Click Enable.

Admin SDK API product page in Google Cloud Console with the Enable button highlighted

Enable Admin SDK API — required for Workspace user identity via OAuth.

The Admin SDK lets Auth0 read Workspace user profile data during login. Without it, Google sign-in for Workspace domains may fail or return incomplete email claims.


Step 2 — Create an OAuth 2.0 client

  1. Go to APIs & Services → Credentials.

  2. Click Create credentials → OAuth client ID.

  3. If prompted, configure the OAuth consent screen for your Workspace domain (Internal is typical for employee-only SSO).

  4. Set Application type to Web application.

  5. Enter a name your team will recognize (for example RunWhen SSO).

  6. Under Authorized JavaScript origins, add:

    https://auth.runwhen.com

  7. Under Authorized redirect URIs, add:

    https://auth.runwhen.com/login/callback

  8. Click Create and copy the Client ID and Client secret.

OAuth client ID form showing Web application type, auth.runwhen.com origin, and login callback redirect URI

Web application client — both URIs must match exactly (no trailing slash on the callback path).

Do not point redirect URIs at app.runwhen.com. Browser SSO for RunWhen SaaS terminates at Auth0 first; Auth0 completes the flow back to the RunWhen app after authentication.


Step 3 — Send credentials to RunWhen

Email support@runwhen.com with:

  • Your Auth0 connection name (from onboarding), if already assigned
  • Google OAuth Client ID
  • Google OAuth Client secret
  • Workspace domains that should authenticate through this connection

RunWhen completes the Auth0 Google / Workspace connection and confirms when users can sign in via Enterprise SSO on the login page.


TopicLink
SSO overview (SaaS + self-hosted)Single Sign On
User provisioning after first loginUser Management