Skip to content

Single Sign-On (SSO) Setup with Google Workspace

This guide provides step-by-step instructions to configure Single Sign-On (SSO) with Google Workspace in Keystash. You will create a project and enable the respective APIs in the Google Cloud Console to obtain the Client ID and Client Secret required for SSO configuration.

Note

Single Sign-On is only available on the Business plan. Please upgrade your account if you wish to use this feature.

Configure Google Cloud Console

Go to the Google Cloud Console.

  1. Click on the Menu
  2. Then click on Cloud Overview and then click Dashboard

  3. Click on Create Project

    Screenshot

  4. Enter a project name, we suggest Keystash

  5. Click Create

    Screenshot

  6. Select the Project if it is not already selected.

  7. Click on Go to APIs overview or click on APIs & Services on the main menu and then click on OAuth consent screen

    Screenshot

  8. On the OAuth consent screen, select Internal

  9. Click Create

    Screenshot

  10. Enter Keystash into the App name field

  11. Select the User support email from the dropdown

  12. Upload the Keystash logo file from the Identity Provider Resources section below

    Screenshot

  13. Enter the Application home page URL from the Identity Provider Resources section below

  14. Enter the Privacy policy URL from the Identity Provider Resources section below
  15. Enter the Terms of service URL from the Identity Provider Resources section below
  16. Enter keystash.io into the Authorized domain 1 field
  17. Enter your email address into the Developer contact information field

  18. Click Save and Continue

    Screenshot

  19. On the next screen click Add or Remove Scopes

    Screenshot

  20. In the Add or Remove Scopes screen, tick the email and profile and openid scopes as shown in the picture below

  21. Click Update

    Screenshot

  22. Click Save and Continue

    Screenshot

  23. Click Credentials on the left menu

    Screenshot

  24. Click Create Credentials and then click OAuth client ID

    Screenshot

  25. Select Web application as the Application type

  26. Enter Keystash into the Name field
  27. Enter https://app.keystash.io/sso/callback into the Authorized redirect URIs field

  28. Click Create

    Screenshot

  29. Copy the Client ID and save it in a secure location. You will paste this into the Keystash SSO settings later

  30. Copy the Client secret and save it in a secure location. You will paste this into the Keystash SSO settings later

    Screenshot

Configure Keystash Single Sign-on Settings

  1. Navigate to Settings on the Keystash menu
  2. Click on Single Sign On (SSO) on the sub menu
  3. Toggle the Enable Single Sign On switch to activate SSO settings
  4. Select Google from the dropdown menu
  5. Enter in the Client ID you obtained from the Google Cloud Console above
  6. Enter in the Client Secret you obtained from the Google Cloud Console above
  7. The discovery URL will automatically be set for Google Workspace to: https://accounts.google.com/.well-known/openid-configuration
  8. Enter an Organisation ID for your organisation. This can be any string your decide, for example demo-example. Your users can use this ID to login to Keystash on the main Keystash login page. However, it is easier for your users to use the Login URL below. See Logging In for more information
  9. The Login URL field will be automatically created based on your Organisation ID. NB: You need to provide this URL to your users to login to Keystash with Google single sign-on

  10. If you would like Keystash to automatically create a user account for a new user who is attempting to login via Single Sign-on then toggle the Enable Auto User Provisioning switch to on

    • You will need to select a default Role that will be assigned to the new user account

    Screenshot

Identity Provider Resources

These are the required resources for configuring and verifying the SSO setup in Google Workspace. Copy and paste the following information into the respective fields in the Google Cloud Console.

  • Redirect URL: https://app.keystash.io/sso/callback

  • Keystash Application Homepage: https://www.keystash.io

  • Keystash Privacy Policy Link: https://www.keystash.io/privacy-policy.html

  • Keystash Terms of Service Link: https://www.keystash.io/terms-of-service.html

  • Keystash Logo Image: Click the Download button to download the Keystash logo image, which can be used in your Google Workspace configuration.

    Screenshot

Logging In

Keystash with Google Workspace allows three main ways to login:

  1. Using the Login URL. This is the URL that you can provide to your users to login to Keystash with Google single sign-on. This URL is automatically generated based on your Organisation ID. For example, https://demo-example.sso.keystash.io

  2. Using the Organisation ID. This allows your users to login to Keystash on the main Keystash login page. Users will click on the Single Sign-On button and enter the Organisation ID in the field provided. For example: demo-example

    Screenshot

    Screenshot

  3. Simply clicking on the Sign In With Google button on the Keystash login page. Google will detect that you are attempting to login with your Google Workspace account and provide Keystash with the correct authentication details

Additional Resources