Docs/Single sign-on

Google Workspace

~10 minutes

Sign in with Google accounts from your Workspace domain. Configure an OAuth 2.0 client in Google Cloud Console and Wando handles the rest via standard OIDC discovery.

Before you start

A Google Cloud project (one per Workspace domain is fine).
Owner or Editor on the project, plus access to the Workspace admin console for domain verification.
Your Wando contact on standby to receive the credentials at the end.

Steps

1
Open Google Cloud Console → APIs & Services
Go to console.cloud.google.com, pick (or create) the project that represents your Workspace, then open "APIs & Services" → "Credentials" from the left menu.
2
Configure the OAuth consent screen
If you have not done this yet, the Credentials page will prompt you to. Choose "Internal" as the user type (so only people in your Workspace see the consent screen). Fill in the app name "Wando", a support email, your homepage, and add your domain to "Authorized domains". Add the scopes "openid", "email" and "profile". Save and continue.
"Internal" hides the app from outside accounts and skips Google's app verification process. If you need to sign in users outside your Workspace, pick "External" — verification may be required.
3
Create an OAuth 2.0 client ID
Back on the Credentials page, click "Create Credentials" → "OAuth client ID". Choose application type "Web application" and give it a name like "Wando".
4
Add the Wando redirect URI
Under "Authorized redirect URIs", click "+ Add URI" and paste the URL below. The value must match Wando's callback URL exactly (scheme, host, no trailing slash). Click "Create".
```
https://www.wando.tromb.com/api/auth/callback/<your-provider-id>
```
Replace `<your-provider-id>` with the slug you will use in Wando (e.g. "google-acme").
5
Copy the Client ID and Client secret
The dialog after creation shows both — copy them somewhere safe. You can return to the same client later via "Credentials" → your client name.
6
Note the Google OIDC issuer URL
Google's OIDC discovery endpoint is the same for every Workspace; Wando uses it to find the rest of the configuration:
```
https://accounts.google.com
```
Wando appends `/.well-known/openid-configuration` automatically when discovering endpoints.

Hand off to Wando

Send your values to your Wando contact

hej@wando.app

Send the values below to your Wando contact. They will wire them into your organisation's SSO config and confirm when Google sign-in is live for your team.

Suggested provider ID: google-<short-org-name>
Issuer URL: https://accounts.google.com
Email domain: acme.com (your Workspace primary domain)
Client ID: OAuth client ID from step 5
Client secret: OAuth client secret from step 5

Steps

Open Google Cloud Console → APIs & Services

Go to console.cloud.google.com, pick (or create) the project that represents your Workspace, then open "APIs & Services" → "Credentials" from the left menu.

Configure the OAuth consent screen

If you have not done this yet, the Credentials page will prompt you to. Choose "Internal" as the user type (so only people in your Workspace see the consent screen). Fill in the app name "Wando", a support email, your homepage, and add your domain to "Authorized domains". Add the scopes "openid", "email" and "profile". Save and continue.

"Internal" hides the app from outside accounts and skips Google's app verification process. If you need to sign in users outside your Workspace, pick "External" — verification may be required.

Create an OAuth 2.0 client ID

Back on the Credentials page, click "Create Credentials" → "OAuth client ID". Choose application type "Web application" and give it a name like "Wando".

Add the Wando redirect URI

Under "Authorized redirect URIs", click "+ Add URI" and paste the URL below. The value must match Wando's callback URL exactly (scheme, host, no trailing slash). Click "Create".

https://www.wando.tromb.com/api/auth/callback/<your-provider-id>

Replace `<your-provider-id>` with the slug you will use in Wando (e.g. "google-acme").

Copy the Client ID and Client secret

The dialog after creation shows both — copy them somewhere safe. You can return to the same client later via "Credentials" → your client name.

Note the Google OIDC issuer URL

Google's OIDC discovery endpoint is the same for every Workspace; Wando uses it to find the rest of the configuration:

https://accounts.google.com

Wando appends `/.well-known/openid-configuration` automatically when discovering endpoints.