Sign in to ComplianceScout with Google Workspace.
Google's OIDC tokens cannot carry group membership. If you need to map Google groups to ComplianceScout roles, use the custom SAML app procedure at the bottom of this page instead.
Copy these from ComplianceScout → Settings → SSO when you create the connection. The exact, per-connection values are shown there.
https://<your-app-host>/sso/oidc/callback/<connectionId>
Copy the exact value shown in ComplianceScout → Settings → SSO when you create the connection. Do not hand-type it; most IdPs require an exact match (case and trailing slash included).
Steps verified against the vendor documentation linked at the bottom of this page. Labels can change — that link is the source of truth.
Sign in to the Google Cloud Console (console.cloud.google.com) with a project-admin account, and select or create the Google Cloud project that will own the credential.
Configure the consent screen first: APIs & Services → OAuth consent screen (now branded Google Auth Platform → Branding). Set User type = Internal to restrict sign-in to your Workspace org, fill in the app name and support email, and save. You cannot create a client until this is done.
Go to Google Auth Platform → Clients (equivalently APIs & Services → Credentials) and click Create client (older UI: Create credentials → OAuth client ID).
Set Application type = Web application and give it a name.
Under Authorized redirect URIs, click + Add URI and paste the Redirect URI exactly as shown in ComplianceScout → Settings → SSO. It must be https and match exactly. Click Create.
Copy the Client ID and Client secret from the dialog.
Back in Settings → SSO, paste these into the connection and save.
https://accounts.google.com
Google's fixed OIDC issuer.
<client-id>
<client-secret>
Enforce 2-Step Verification in the Google Admin console. Google does not emit a standard amr=mfa claim for all flows, so verify MFA pass-through against a real sign-in before relying on "Trust IdP for MFA".
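One way to run the MFA pass-through check described above is to decode the ID token captured from a test sign-in and look at what it actually asserts. This is an added example, not ComplianceScout's or Google's code; the function names, the `groups` claim name and the sample token are assumptions constructed for illustration.

```python
import base64
import json

GOOGLE_ISSUER = "https://accounts.google.com"  # issuer value given on this page


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_id_token(id_token: str, client_id: str) -> dict:
    """Report issuer, audience, MFA and group findings for a captured ID token.

    Inspection only: the signature is NOT verified here, so use this to review
    a token from your own test sign-in, never to make an access decision.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = _b64url_json(parts[1])
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    amr = claims.get("amr") or []
    if isinstance(amr, str):
        amr = [amr]
    return {
        "issuer_ok": claims.get("iss") == GOOGLE_ISSUER,
        "audience_ok": client_id in audiences,
        "amr": amr,
        "mfa_asserted": "mfa" in amr,       # absent amr means MFA is not asserted
        "has_groups": "groups" in claims,   # assumed claim name; expected False
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Google token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.sig'


if __name__ == "__main__":
    sample = make_sample_token({"iss": GOOGLE_ISSUER, "aud": "example-client-id",
                                "sub": "1234567890", "email": "user@example.com"})
    print(inspect_id_token(sample, "example-client-id"))
```

If `mfa_asserted` is false for a sign-in that did pass 2-Step Verification, the token gives ComplianceScout nothing to trust for MFA on that flow.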
Because Google's OIDC tokens cannot carry group membership, the common enterprise pattern when you want Google groups → ComplianceScout roles is a custom SAML app in the Google Admin console. Configure ComplianceScout's connection as SAML for this path.
Sign in to the Google Admin console (admin.google.com) as a super admin.
Go to Menu → Apps → Web and mobile apps, and click Add app → Add custom SAML app.
Enter an App name (for example, ComplianceScout) and click Continue.
On the Google Identity Provider details page, click Download metadata (or copy the SSO URL and Entity ID and download the Certificate). Provide these to ComplianceScout's SAML connection. Click Continue.
On Service provider details, enter the ACS URL and Entity ID that ComplianceScout shows for its SAML connection, and leave Name ID = Basic Information > Primary email (Name ID format = EMAIL). Click Continue.
On Attribute mapping, use Group membership to send the user's groups as the attribute name ComplianceScout reads, then click Finish.
Select the app → User access → On for everyone (or scope to an OU/group) → Save. Changes can take up to ~24 hours to propagate.
Configure the connection in Settings → SSO, then test sign-in before rolling it out to your team.