Google as an Identity Provider

Single Sign On | SSO | IDP | Google | IAM | Identity & Access Management

Powered by its Identity & Access Management platform, Carerix offers multiple ways to set up Single Sign-On. It allows customers to configure various identity providers for user authentication. This article provides a step-by-step overview of configuring Google as an identity provider for Carerix.

Setup of an OpenID Connect Application in OKTA and an Identity Provider in Carerix

Carerix and Google need to be configured in parallel, so make sure you have administrator rights in both applications or have the people with these permissions at the table when you start.

➕ 1. Create a new identity provider in Carerix

  1. Log in to Carerix and, in the maintenance menu section, open the Identity Access menu.

  2. Open the Identity Provider Tab.

  3. Click on the 'Add Provider...' button on top of the overview. Select 'Google'.

  4. Fill out the 'Alias' field with a value of your choice. After saving the Identity Provider setup it is not possible to change this value.

  5. Note that the 'Redirect' URL is created on the fly. Copy this URL to your clipboard. We need it on the Google side later on.

  6. Set 'Active' to YES.

  7. Set 'Automatically Redirect' to NO.

  8. Choose a Display Name. Recommendation: 'Google'.

  9. Gsuite Domain: enter your Gsuite domain here.

  10. Now, do not close the Identity Provider configuration window. Leave the browser tab open and open a new one to start creating your Google Application.

➕ 2. Create a new Google Application

Log in to your Google development console. This is where we are going to configure the Google APIs for Carerix.

Click on the dropdown near the Google APIs or Google Cloud logo and select 'New Project':

Select project from Google Apis dashboard

Now click on 'New Project':

Create new project on Google Apis

In the new project screen choose a project name, select the applicable organization and click on 'Create':

Choose name and organization

You will be redirected to a page similar to the one in the following screenshot. Scroll down to the 'Getting Started' section and click on 'Explore and Enable APIs':

Project dashboard Google Api

On the following page click on 'Credentials' in the left side menu:

Click on Credentials

The Google Developers Console reminds you that the consent screen needs to be configured. This is mandatory for our integration; it configures what your users get to see when we redirect them to Google for signing in. Click on this button:

Configure consent screen

As identity providers only work with pre-configured users in Carerix (and you probably do not want external people to be able to use your SSO), select 'Internal'. If, for any reason, you want to allow any Google account to sign in to your application, select 'External'.

OAuth consent screen

On the next page there are a lot of settings to be defined. Do so as follows:

  • App name: any name you would like to give to this Google Application. As you are using it as an Identity Provider for Carerix, we recommend calling it Carerix.

  • User support email: pick the appropriate address from the list

  • App logo: optional. Upload your organisation's logo to be displayed in the Google consent screen.

  • Application homepage: https://customer.carerix.net

  • Application Homepage link: this is the URL of your Carerix application (customer.carerix.net).

  • Application Privacy Policy link: https://carerix.com/carerix-5-privacy-statement/

  • Authorized domains: click on 'Add Domain' and add both carerix.net and carerix.com

  • Developer contact information: your email address (or that of the person who will be maintaining this Google application).

When done you can click on save. You have successfully created a Google Application which can be used as an Identity Provider.

🔐 3. Create credentials for your Google Application

Now we have to generate the credentials that are needed in Carerix to authenticate with your Google Application. To do so click again on the 'Credentials' menu on the left:

Click on Credentials

Click on 'Create Credentials':

Create credentials

Then on 'OAuth client ID':

Create OAuth client ID

Now select 'Web Application' as the type of your application, add a name for your application (optional), and in the Authorized redirect URIs field add the 'Redirect' URL you copied from Carerix in step 1. Then click on 'Create':

You have now successfully created a Client ID and Client secret. Both should be copied and brought to the Carerix IDP.

🏁 4. Finalize Identity Provider configuration in Carerix.

Now we return to the Carerix application, more specifically to the configuration of the Identity Provider we started in step 1. You now have the Client Secret and Client ID from your Google application. Copy/Paste them into the respective fields in Carerix.

Fill in the Client ID and Client Secret

Explanation of the Identity Provider fields for Google in Carerix:

  • Alias - a mandatory field which cannot be altered after it has been saved for the first time. It is used in the redirect URL, so changing the alias later on would mean a new redirect URL and hence a change to the Google configuration too. You are free to choose any alias. We would suggest something like 'googlesso'.

  • Active - defines whether this Identity Provider will be available for users to login to Carerix.

  • Automatically redirect - indicates whether visitors of customer.carerix.net are redirected to the Google login page immediately and automatically (YES) or not (NO). Note: leave this option off until you have tested that your configuration works properly. The value of this setting can be changed at any time.

  • Display Name - defines the button label used on the login screen of Carerix for this Identity Provider. It can be changed afterwards anytime.

  • GSuite domain - your Gsuite domain name

  • Client id - use the client ID as generated in your Google application.

  • Client secret - use the client secret as generated in your Google application. Note: if you use copy/paste, check that you do not accidentally copy an extra space. This would make the client secret invalid and result in a non-functioning identity provider.

  • Redirect URL - Will be generated after filling out the alias field and is needed in the setup of your Google Application.


📛 5. Adjust user names in Carerix

To be able to successfully use Microsoft Azure Active Directory as an identity provider in Carerix it is necessary to make sure that all usernames in Carerix are equal to the email addresses of those users registered in your Google domain.
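
The copy/paste and username requirements from steps 3 to 5 can be checked before the provider is activated. The script below is an added example, not part of Carerix or Google tooling: the function names, the sample values and the case-insensitive username comparison are assumptions, and it expects that you have the Carerix usernames and the Google account addresses available as lists.

```python
from urllib.parse import urlsplit

def check_idp_settings(client_id, client_secret, carerix_redirect, google_redirects):
    """List problems in the values copied between Google and Carerix."""
    problems = []
    # The article warns that a stray space makes the client secret invalid.
    for name, value in (("client id", client_id), ("client secret", client_secret)):
        if not value or value != value.strip():
            problems.append(f"{name}: empty or has leading/trailing whitespace")
    # Google-issued OAuth client IDs end in this suffix.
    if not client_id.strip().endswith(".apps.googleusercontent.com"):
        problems.append("client id: does not look like a Google OAuth client ID")
    # Google matches redirect URIs as exact strings, so do not normalise here.
    if carerix_redirect not in google_redirects:
        problems.append("redirect URL: not among the Authorized redirect URIs")
    if urlsplit(carerix_redirect).scheme != "https":
        problems.append("redirect URL: not https")
    return problems

def audit_usernames(carerix_usernames, google_emails, gsuite_domain):
    """Map each Carerix username that will not match a Google account to a reason."""
    directory = {email.lower() for email in google_emails}
    findings = {}
    for user in carerix_usernames:
        if user != user.strip():
            findings[user] = "whitespace around username"
        elif "@" not in user:
            findings[user] = "not an email address"
        elif user.rsplit("@", 1)[1].lower() != gsuite_domain.lower():
            findings[user] = "outside the Gsuite domain"
        elif user.lower() not in directory:  # assumption: case-insensitive match
            findings[user] = "no such address in Google"
    return findings

# Constructed sample values; none of them come from Carerix or Google.
REDIRECT = "https://idp.example.invalid/broker/googlesso/endpoint"
CLIENT_ID = "000000000000-constructed.apps.googleusercontent.com"

if __name__ == "__main__":
    # Trailing space in the secret and a trailing slash on the Google side.
    for p in check_idp_settings(CLIENT_ID, "constructed-secret ", REDIRECT, [REDIRECT + "/"]):
        print("config:", p)
    users = ["anna@example.com", "bob", "carol@other.example", "frank@example.com"]
    for user, why in audit_usernames(users, ["anna@example.com"], "example.com").items():
        print("user:", repr(user), why)
```

An empty result from both functions means the copied values and usernames pass these checks; it does not replace a test login with 'Automatically redirect' still set to NO.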