SSO: Google Workspace

Written By Lauri Eurén

Last updated 3 days ago

Google SSO Setup in Operating

Operating supports Google-based authentication in two ways:

  1. Google Workspace SSO (Enterprise SSO via OAuth 2.0) – recommended for companies using Google Workspace

  2. Google Social Login – a simpler alternative managed fully inside Operating

This article explains both options and how SSO behaves in Operating.

How Google SSO Works in Operating (Important Concepts)

Before setting up Google SSO, it’s important to understand how authentication and user management work.

Access control is handled by Google

Once Google SSO is enabled:

  • Operating does not decide who can log in

  • Access is controlled by Google (Workspace configuration or Google account availability)

  • If a user is removed, disabled, or restricted in Google, they will no longer be able to log in to Operating

Google acts as the source of truth for authentication eligibility.

Users are provisioned just-in-time (JIT)

Operating uses just-in-time user provisioning for Google SSO:

  • User accounts are created automatically on first successful login

  • No manual user creation or syncing is required

  • This applies to both Google Workspace SSO and Google Social Login

Default permissions apply to new SSO users

When a new user logs in via Google SSO for the first time:

We recommend reviewing default permissions before rolling out SSO broadly. The best practice is to give users limited permissions to begin with.

Existing People are matched by email

If a Person already exists in Operating with the same email address as the Google account:

  • The newly created user account will automatically be linked to that Person

  • This preserves historical data such as allocations, time entries, and project history

To avoid duplicates, ensure email addresses in Google match those used in Operating.

Removing access in Google removes access to Operating

A user loses access to Operating automatically when:

  • Their Google account is disabled or deleted

  • They are no longer allowed to authenticate via your Google Workspace configuration

No additional action is required inside Operating.

Identity lifecycle is managed in Google

Google manages:

  • Passwords

  • MFA policies

  • Account suspension

  • Identity verification

Operating manages:

  • Application permissions

  • Resource, staffing, and operational data

Option 1: Google Workspace SSO (Enterprise SSO)

This option integrates your Google Workspace as an enterprise identity provider using OAuth 2.0.

Prerequisites

  • A Google Workspace domain

  • Admin access to Google Cloud Console

  • Admin access to Operating

Step 1: Review Auth0 Setup Instructions

Operating uses Auth0 for authentication.

Review the “Set up your app in Google” section in Auth0’s documentation:
https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/google-apps

Note: The OAuth 2.0 link in Auth0’s article points to an outdated Google document. Use the updated Google documentation below.

Step 2: Create an OAuth 2.0 Client in Google Cloud

Follow Google’s up-to-date instructions here:
https://support.google.com/cloud/answer/15549257

Create an OAuth 2.0 Client ID with the following settings.

Application type

  • Web application

Authorized JavaScript origins

https://auth.operating.app 
https://use.operating.app

Authorized redirect URIs

https://auth.operating.app/login/callback

Once created, Google will provide:

  • Client ID

  • Client Secret

Step 3: Send Configuration Details to support@operating.app

Send the following details to the Operating team:

  • Client ID

  • Client Secret

  • Your Google Workspace domain (e.g. company.com)

We will complete the configuration on our side.

Step 4: Admin login to finalize setup

After the SSO connection is configured:

  • A Google Workspace admin must log in to Operating once

  • This completes consent and finalizes the connection

After this, users can log in normally.

Option 2: Google Social Login

Google Social Login is a simpler alternative that does not require Google Workspace or domain-level configuration.

How it works

  • Operating enables Google Social Login

  • Username/password login is disabled

  • Users authenticate using their Google account

  • Users can be invited and managed directly in Operating

When to use this option

  • You want the fastest possible setup

  • You don’t need Google Workspace domain enforcement

  • You prefer to manage user access fully inside Operating

If you want to use Google Social Login, contact us and we’ll enable it for you.

Which option should I choose?

Use case

Recommended option

Corporate Google Workspace with domain control

Google Workspace SSO

Small teams or quick rollout

Google Social Login

IT-managed authentication

Google Workspace SSO

Operating-managed user access

Google Social Login

Need help?

If you’re unsure which option fits your setup or want help validating your configuration, contact us at support@operating.app and we’ll help you get set up.