Google Workspace SSO

This guide covers how to configure Single Sign-On (SSO) using Google Workspace for your Mainbranch workspace.

Google Workspace SSO enables your users to sign in to Mainbranch using their Google Workspace accounts. This provides:

  • Seamless sign-in experience
  • Centralized authentication
  • Automatic access management
  • Support for Google’s MFA policies

Before configuring SSO, make sure you have:

  • Admin access to Mainbranch
  • Google Workspace admin access
  • Access to Google Cloud Console

To set up SSO:

  1. Create OAuth Client in Google Cloud

    Access the Google Cloud Console and create an OAuth 2.0 client for Mainbranch.

  2. Configure Redirect URI

    Add the Mainbranch redirect URI to your OAuth client configuration. The URI is provided in your Mainbranch admin console.

  3. Obtain Credentials

    Copy the Client ID and Client Secret from Google Cloud.

  4. Enter Credentials in Mainbranch

    Go to Workspace settings > Setup > Authentication and enter:

    • Client ID
    • Client Secret

  5. Configure Domain

    Specify your organization’s Google Workspace domain.

  6. Test the Connection

    Test SSO by signing out and signing back in with Google.

To create the OAuth client in Google Cloud:

  1. Go to Google Cloud Console
  2. Select your project (or create a new one)
  3. Navigate to APIs & Services > Credentials
  4. Click Create Credentials > OAuth client ID
  5. Select Web application
  6. Add the Mainbranch redirect URI
  7. Save and copy the credentials

Mainbranch requires these OAuth scopes:

  • openid — Basic authentication
  • email — User email address
  • profile — User profile information

For organizations with one Google Workspace domain:

  1. Enter your domain (e.g., yourcompany.com)
  2. Only users from this domain can sign in
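
How a relying party can enforce the single-domain rule on the ID token Google returns for the openid, email and profile scopes, as an added example (not Mainbranch's own code). It assumes the token's signature has already been verified against Google's keys; the function name, client ID and sample claims are constructed for illustration.

```python
# Added example: claim checks for a single-domain Google Workspace sign-in.
# Assumption: the ID token signature was verified before these checks run.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def check_id_token_claims(claims, client_id, allowed_domain, now):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    domain = allowed_domain.lower()
    if claims.get("iss") not in GOOGLE_ISSUERS:
        reasons.append("issuer is not Google")
    if claims.get("aud") != client_id:
        reasons.append("token was issued to a different OAuth client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        reasons.append("token is expired")
    # hd (hosted domain) is present only for Google Workspace accounts.
    # Compare it exactly instead of inferring the domain from the email alone.
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() != domain:
        reasons.append("hd claim does not match the configured domain")
    if claims.get("email_verified") is not True:
        reasons.append("email is not verified")
    # Extra check for the single-domain case described on this page.
    email = claims.get("email")
    if not isinstance(email, str) or not email.lower().endswith("@" + domain):
        reasons.append("email is outside the configured domain")
    return reasons


# Constructed sample claims (not real tokens).
CLIENT_ID = "1234-example.apps.googleusercontent.com"
NOW = 1_700_000_000
BASE = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
        "exp": NOW + 3600, "hd": "yourcompany.com",
        "email": "alex@yourcompany.com", "email_verified": True}
PERSONAL = {k: v for k, v in BASE.items() if k != "hd"}
PERSONAL["email"] = "alex@gmail.com"
SAMPLES = {
    "workspace_user": BASE,
    "personal_account": PERSONAL,
    "other_workspace": {**BASE, "hd": "othercompany.example",
                        "email": "sam@othercompany.example"},
    "other_client": {**BASE, "aud": "9999-other.apps.googleusercontent.com"},
    "expired": {**BASE, "exp": NOW - 1},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, check_id_token_claims(claims, CLIENT_ID, "yourcompany.com", NOW))
```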

If your organization uses multiple domains:

  • Contact support for multi-domain configuration
  • Each domain may require separate setup

When SSO is configured:

  • Users signing in for the first time are automatically added
  • No manual invitation is required
  • Users inherit the default member role

To limit who can access Mainbranch:

  • Use Google Workspace group restrictions
  • Configure Mainbranch to require invitations
  • Remove users who should not have access

If you need to update OAuth credentials:

  1. Generate new credentials in Google Cloud
  2. Update them in the Mainbranch admin console
  3. Old credentials are invalidated immediately

To disable SSO:

  1. Go to authentication settings
  2. Disable Google SSO
  3. Users will need an alternative sign-in method

Security recommendations:

  • Restrict the OAuth client to your domain
  • Enable Google’s advanced security features
  • Monitor authentication logs
  • Rotate credentials periodically

Google Workspace MFA is supported:

  • Users with MFA enabled will complete MFA during sign-in
  • Mainbranch respects Google’s MFA policies
  • No additional Mainbranch MFA configuration required

If sign-in fails, check the following.

OAuth client:

  • Verify Client ID is correct
  • Check that the OAuth client exists
  • Ensure credentials are not expired

Redirect URI:

  • Verify redirect URI matches exactly
  • Check for trailing slashes
  • Ensure HTTPS is used

Domain:

  • Verify domain configuration
  • Check user’s email domain
  • Ensure domain is verified in Google Workspace

User account:

  • Verify SSO is properly configured
  • Check user’s Google account status
  • Review authentication logs

General recommendations:

  • Test with a non-admin account first
  • Document your configuration
  • Have a backup authentication method
  • Review OAuth client settings periodically
  • Monitor for authentication issues
  • Keep Google Cloud project organized
  • Use dedicated OAuth client for Mainbranch
  • Don’t share credentials
  • Enable Google’s security alerts