> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getcollate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Google SSO Configuration Guide | Confidential Client Setup

> Comprehensive guide to setting up Google SSO for confidential clients using OIDC. Includes client secret configuration, secure token handling, and advanced security options.

## Google SSO Configuration - Confidential Client

* [Troubleshooting](#troubleshooting)

This configuration is required for web applications and backend services that can securely store client credentials.

## Overview

Collate supports Single Sign-On (SSO) integration with various identity providers, enabling secure, centralized user authentication.

* **Navigate to:** `Settings > SSO`

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/google/sso1.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=ffcbc0c14e8f1c912b978e6b0a6f3692" alt="SSO Authentication" width="1438" height="672" data-path="public/images/deployment/security/google/sso1.png" />

* Select the service provider.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/google/sso2.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=a534cdd6107cf831390060ed68d467f2" alt="Supported Providers" width="1438" height="679" data-path="public/images/deployment/security/google/sso2.png" />

Click Configure to set up Single Sign-On (SSO). After completing the configuration, click Save to apply the changes.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/google/google2.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=abb8f1d25d6b72746d4318219687f03f" alt="Google SSO Configuration - Confidential Client" width="1438" height="672" data-path="public/images/deployment/security/google/google2.png" />

## Configuration Fields

This section contains the form fields that must be completed when setting up Single Sign-On (SSO).

### Enable Self Signup

* **Definition:** Allows users to automatically create accounts on first login.
* **Options:** `Enabled` | `Disabled`
* **Example:** `Enabled`
* **Why it matters:** Controls whether new users are auto-created.
* **Note:** Set to `Disabled` for stricter access control.

### Authority

* **Definition:** Google’s OAuth 2.0 authorization server.
* **Default & Example:** `https://accounts.google.com`
* **Why it matters:** Specifies where Collate should send auth requests.
* **Note:** Usually does not need to be changed.

### Public Key URLs

* **Definition:** URL(s) where Google publishes its JWT signing keys.
* **Example:** `["https://www.googleapis.com/oauth2/v3/certs"]`
* **Why it matters:** Required to verify JWT token signatures.
* **Note:** Typically auto-discovered via OIDC discovery endpoint.

### Token Validation Algorithm

* **Definition:** Algorithm used to validate JWT tokens.
* **Options:** `RS256` | `RS384` | `RS512`
* **Default & Example:** `RS256`
* **Why it matters:** Must match Google’s signing algorithm.
* **Note:** Google typically uses `RS256`.

### OIDC Client ID

* **Definition:** OAuth 2.0 Client ID from Google Cloud Console.
* **Example:**
  `123456789012-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com`
* **Why it matters:** Uniquely identifies the app in the OIDC flow.

### OIDC Client Secret

* **Definition:** Confidential key used to authenticate the app with Google.
* **Example:** `GOCSPX-abcdefghijklmnopqrstuvwxyz123456`
* **Why it matters:** Required for token exchange.
* **Note:**
  * Found in Google Cloud Console > Credentials.
  * Store securely and rotate periodically.

### OIDC Request Scopes

* **Definition:** Permissions to request from Google during login.
* **Default:** openid email profile
* **Example:**
  `openid email profile https://www.googleapis.com/auth/userinfo.email`
* **Why it matters:** Determines what user information is accessible.

### OIDC Discovery URI

* **Definition:** Google OIDC metadata URL.
* **Example:** `https://accounts.google.com/.well-known/openid-configuration`
* **Why it matters:** Enables Collate to auto-discover endpoints.

### OIDC Use Nonce

* **Definition:** Prevents replay attacks.
* **Default & Example:** `true`
* **Why it matters:** Enhances session-level security.

### OIDC Preferred JWS Algorithm

* **Default & Example:** `RS256`
* **Why it matters:** Must match Google's token signing algorithm.

### OIDC Response Type

* **Definition:** Type of OAuth response expected.

Options: id\_token | code

* **Default & Example:** `code`
* **Why it matters:** Defines OAuth flow; code is more secure.

### OIDC Disable PKCE

* **Definition:** Disables Proof Key for Code Exchange.
* **Default & Example:** `false`
* **Why it matters:** PKCE adds protection to authorization code flow.

### OIDC Max Clock Skew

* **Definition:** Allowed time difference between systems.
* **Example:** `0`
* **Why it matters:** Prevents token validation issues due to clock drift.

### OIDC Client Authentication Method

* **Options:** client\_secret\_basic, client\_secret\_post, client\_secret\_jwt, private\_key\_jwt
* **Default & Example:** `client_secret_basic`
* **Why it matters:** Defines how the client secret is passed to Google.

### OIDC Token Validity

* **Default:** 0 (use provider default)
* **Example:** `3600 (1 hour)`
* **Why it matters:** Sets how long a token is valid.

### OIDC Callback URL

* **Definition:** Redirect URL where Google sends authentication responses.
* **Example:** `https://yourapp.company.com/callback`
* **Why it matters:** Must match exactly with Google Cloud Console’s registered redirect URL.
* **Note:**
  * Must be registered under **OAuth 2.0 Client > Authorized Redirect URLs**.
  * Always use **HTTPS** in production.

### OIDC Max Age

* **Definition:** Maximum age of authentication before re-auth is required.
* **Example:** `3600`
* **Why it matters:** Controls session longevity.

### OIDC Prompt

* **Options:**  none, login, consent, select\_account
* **Example:** `select_account`
* **Why it matters:** Adjusts user experience during login.
* **Note:**
  * login: Always prompt credentials.
  * consent: Ask user for permission.
  * select\_account: Display account picker.
  * none: Attempt silent login (may fail if not authenticated).

### OIDC Session Expiry

* **Default:** 604800 (7 days)
* **Example:** `604800`
* **Why it matters:** Defines how long the user stays logged in.

### JWT Principal Claims Mapping

**Definition:** Maps JSON Web Token (JWT) claims to Collate user profile fields.

**Supported keys:** Only `email` and `username` are valid mapping targets in `jwtPrincipalClaimsMapping`.

**Example:**

```yaml theme={null}
["email:email", "username:preferred_username"]
```

**Why it matters:** Controls how SSO login data maps to user profiles in Collate.

**Format:** `collate_field:jwt_claim` (for example, `"email:email"`).

<Note>
  **Note:** The display name is derived automatically from standard OIDC/JWT claims — you don't need to configure it using `jwtPrincipalClaimsMapping`.
</Note>

If you need richer name handling, make sure Google Workspace is configured to include `given_name` and `family_name` as claims in the ID token — Collate will pick them up automatically.

<Warning>
  **Important:** Using any other key (for example, `name` or `firstName`) will cause the service to fail on startup with a validation error.
</Warning>

### Admin Principals

* **Definition:** List of email addresses with admin access.
* **Example:** `["admin@company.com", "superuser@company.com"]`
* **Why it matters:** Grants admin-level privileges in the system.
* **Note:** Email must match a JWT claim.

### Principal Domain

* **Definition:** Default domain for constructing user emails.
* **Example:** `company.com`
* **Why it matters:** Helps form complete user identifiers from partial input.
* **Note:** Matches your Google Workspace domain.

### Enforce Principal Domain

* **Definition:** Restrict login to users from a specific domain.
* **Default:** false
* **Example:** `true`
* **Why it matters:** Adds domain-level access control.
* **Note:** Use with hd parameter in custom OIDC config.

### Enable Secure Socket Connection

* **Definition:** Enables SSL/TLS for secure communications.
* **Default:** false
* **Example:** `true`
* **Why it matters:** Ensures secure token exchange and communication.
* **Note:** Must be true in production.

### Troubleshooting

If users are automatically logged out and unable to log in again due to a bad authentication configuration, you can reset the security setup using the following command:

```

./bootstrap/openmetadata-ops.sh remove-security-config --force

```

After executing the command, **restart the server**. The authentication values from your YAML or Helm chart will then be reapplied on startup. The following tiles detail how to apply this configuration:

<CardGroup cols={2}>
  <Card title="Docker Security" href="/deployment/docker/security">
    Configure Auth0 SSO to access the UI and APIs.
  </Card>

  <Card title="Bare Metal Security" href="/deployment/bare-metal/security">
    Configure Azure SSO to access the UI and APIs.
  </Card>

  <Card title="Kubernetes Security" href="/deployment/kubernetes/security">
    Configure a custom OIDC SSO to access the UI and APIs.
  </Card>

  <Card title="Google SSO" href="/how-to-guides/sso/google">
    Configure Google SSO to access the UI and APIs.
  </Card>

  <Card title="Okta SSO" href="/how-to-guides/sso/okta">
    Configure Okta SSO to access the UI and APIs.
  </Card>

  <Card title="Amazon Cognito SSO" href="/how-to-guides/sso/amazon-cognito">
    Configure Amazon Cognito SSO to access the UI and APIs.
  </Card>

  <Card title="SAML" href="/how-to-guides/sso/saml">
    Configure SAML SSO to access the UI and APIs.
  </Card>

  <Card title="LDAP" href="/how-to-guides/sso/ldap">
    Configure LDAP SSO to access the UI and APIs.
  </Card>
</CardGroup>
