Skip to main content
Connecting Google Workspace lets your people sign in to Iru - and reach the apps you have assigned them - using the Google accounts they already have. Iru provides a Google Workspace template that pre-fills the standard configuration, so this is one of the quickest providers to connect.
Most organizations that use Iru Identity as their identity provider have people sign in directly with a passkey or the Iru Access app. Connect Google Workspace when you use Iru Identity as an authentication layer into the Iru platform rather than your primary identity provider, or to ease a migration onto Iru Identity. See Federated Authentication.
You need administrator access to your Iru tenant, and access to your Google Workspace administrator console, to complete this connection.

Before you begin

1

Confirm your sign-in domains

Note the email domains your people sign in with (for example, yourcompany.com). You can restrict the connection to these domains so only people in them use it.
2

Decide how Iru matches people

When someone signs in through Google, Iru matches them to a user in your directory. Decide which value to match on - typically the user’s email or username. See user matching.
3

Make sure your people exist in Iru

Sign-in through a connection resolves to an existing Iru user. Add or import your people first - see Importing users or Directory Sync.

Connect Google Workspace

Add the connection

In Access → Authentication, add an authentication method and choose the Google Workspace template. Using the template fills in the standard settings for you.

Authorize Iru with Google

Follow the prompts to authorize Iru against your Google Workspace organization, signing in with a Google super administrator account when asked and consenting to the standard sign-in scopes (openid, email, and profile). If your organization provides its own OAuth client, create it in the Google Cloud Console, add the redirect URI Iru shows for this connection, and copy its client ID and secret into Iru. Google’s console screens can change - follow Google’s current documentation if the prompts differ.

Choose what the connection is used for

Select the connection’s use cases - end-user sign-in, device enrollment, or both. Most setups enable end-user sign-in.

Restrict to your domains

If you want only people in specific email domains to use this connection, enable domain restrictions and add those domains.

Set user matching

Choose how Iru matches a Google sign-in to an Iru user - by UPN, username, external ID, or a custom attribute. Pick a value that is unique and stable for every person.

Save the connection

Save, then sign in as a test user whose email is in an allowed domain to confirm the hand-off to Google works end to end.
Test with a single user before rolling the connection out broadly. If sign-in fails to land on the right person, revisit your user matching choice - the matched value must be present and unique for everyone who uses the connection.

How sign-in works once connected

When someone signs in, Iru hands the sign-in off to Google, Google confirms the person, and Iru continues the session - then evaluates the app’s authentication policy before granting access. For the full picture, see System architecture.

Federated Authentication

Use cases, domain restrictions, and user matching, explained in one place.

Microsoft Entra ID

Connect Microsoft Entra ID for sign-in with its own template.

Sign-in experience

Shape what people see when they sign in.

Custom SAML

Connect a provider that is not covered by a template.