OIDC with Workspace

Introduction

OpenID Connect (OIDC) is an identity protocol built on top of OAuth 2.0 that enables secure authentication and authorization for web and mobile applications. It lets users log in securely to various services while giving service providers access to verified identity information.

This guide explains the step-by-step configuration of OIDC in Relution using Google Workspace as an example.


Project and Client Setup (Google Cloud Console)

First, an application must be registered in the Google Cloud Console to obtain the necessary credentials.

  1. Log in at console.cloud.google.com.

  2. Create a new project or select an existing one.

  3. In the navigation menu, go to APIs & Services > OAuth consent screen and configure it if necessary.

  4. Navigate to Credentials, click the Create Credentials button, and select OAuth client ID.

  5. For Application type, select Web application.

  6. Under Authorized JavaScript origins, enter your server URL (e.g., https://support.relution.io). Note: Leave the Authorized redirect URIs field empty for now; it will be updated later with specific data from Relution.

  7. Copy the Client ID displayed after saving.

  8. Edit your newly created client to view the details.

  9. Copy the Client Secret. Keep both the ID and Secret secure for later use in Relution.


SSO Setup (Google Admin Console)

In parallel, the Single Sign-On (SSO) profile must be created in the Google Admin Console.

  1. Navigate to admin.google.com.

  2. Create a new OIDC profile under Security > Authentication > SSO with third-party IdP.

  3. Enter the Client ID and Client Secret obtained in the previous steps.

    • For the Issuer URL and Change password URL, use your Relution server URL (e.g., https://support.relution.io).

OIDC Configuration in Relution

Now, the collected data is entered into Relution to establish the connection with Google.

  1. Open the OIDC settings in Relution under Settings → OpenID Connect.

  2. Re-enter the Client ID and Client Secret here.

  3. Under Server URIs > Discovery Endpoint, you must use https://accounts.google.com.

  4. Save the configuration and then open it again to see the generated fields.

  5. Copy the Redirect URL provided by Relution.

  6. Return to console.cloud.google.com.

  7. Update the Authorized redirect URIs with the Redirect URL you just copied from Relution.


Notes

Backchannel Logout

Relution supports Backchannel Logout starting with server version 5.32.0.

Example Scenario: A user is simultaneously logged into multiple applications via SSO. When logging out of the SSO service, Backchannel Logout ensures that sessions in all other applications are also terminated, even if they are running in the background.
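
The checks a receiving application applies to a logout token before it ends any sessions, as an added example that is not Relution's code: it follows the claim rules of the OpenID Connect Back-Channel Logout 1.0 specification and assumes the token's signature has already been verified against the issuer's keys. The issuer, client ID, and claim values are constructed placeholders.

```python
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def check_logout_claims(claims, issuer, client_id, seen_jti, now=None, skew=60):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match configured issuer")
    aud = claims.get("aud")  # may be a single string or a list of strings
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our client ID")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or iat > now + skew:
        problems.append("iat missing or in the future")
    if not isinstance(exp, (int, float)) or exp <= now - skew:
        problems.append("exp missing or expired")
    if not (claims.get("sub") or claims.get("sid")):
        problems.append("neither sub nor sid present")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        problems.append("events lacks the backchannel-logout member")
    if "nonce" in claims:  # keeps an ID token from being replayed as a logout token
        problems.append("nonce is prohibited in a logout token")
    jti = claims.get("jti")
    if not jti:
        problems.append("jti missing")
    elif jti in seen_jti:
        problems.append("jti already seen (replay)")
    if not problems:
        seen_jti.add(jti)  # remember accepted tokens only
    return problems

# Constructed sample values, not taken from a real deployment.
ISSUER = "https://idp.example.com"
CLIENT_ID = "example-client-id"
NOW = 1_700_000_000
GOOD = {"iss": ISSUER, "aud": CLIENT_ID, "iat": NOW - 5, "exp": NOW + 120,
        "jti": "a1b2c3", "sid": "session-42", "events": {LOGOUT_EVENT: {}}}

if __name__ == "__main__":
    seen = set()
    print(check_logout_claims(GOOD, ISSUER, CLIENT_ID, seen, now=NOW))
    print(check_logout_claims(GOOD, ISSUER, CLIENT_ID, seen, now=NOW))
```

Only when the returned list is empty should the sessions matching the token's sid or sub be terminated.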