---
title: "Configuring Google Workspace for Verax"
slug: "google-workspace-idp"
updated: 2026-03-12T16:10:37Z
published: 2026-03-12T16:10:37Z
---

# Configuring Google Workspace for Verax

Follow the steps below to configure Google Workspace for integration with Verax.

This setup includes:

- An OIDC application for authentication
- A Service Account with Domain-Wide Delegation for directory access

### Before You Begin

Ensure you have:

- Google Workspace Admin access
- Access to Google Cloud Console
- Permission to enable APIs and manage OAuth credentials

---

## Part 1: Configure the OIDC Application

This allows Verax to authenticate users via Google Workspace.

### Step 1: Enable the Admin SDK API

Verax requires access to Google Directory data.

1. Open the Google Cloud Console.
2. Navigate to **APIs & Services > Library**.
3. Search for **Admin SDK API**.
4. Click **Enable**.

Important: If this API is not enabled, directory scopes will not appear later.

### Step 2: Configure the OAuth Consent Screen

This defines your application identity and limits access to internal users.

#### A. Branding

1. Go to **APIs & Services > OAuth consent screen**.
2. Click **Get Started** or **Edit App**.
3. Set:
   - App name: `Verax`
   - User support email: your admin email
   - Developer contact email: your email
4. (Optional) Upload a logo.
5. Click **Save and Continue**.

#### B. Audience

1. Select **Internal** as User Type. This ensures only users in your Workspace can authenticate.
2. Click **Save and Continue**.

#### C. Data Access (Scopes)

1. Click **Add or Remove Scopes**.
2. Add the following scopes:

   For OIDC Identity:

   - `openid`
   - `https://www.googleapis.com/auth/userinfo.email`
   - `https://www.googleapis.com/auth/userinfo.profile`

   For Groups:

   - `https://www.googleapis.com/auth/admin.directory.group.readonly`

3. Click **Update**.
4. Click **Save and Continue**.

If directory scopes are not visible, confirm that the Admin SDK API is enabled.

### Step 3: Create the OAuth Client

1. Navigate to **APIs & Services > Credentials**.
2. Click **Create Credentials > OAuth Client ID**.
3. Select **Web application**.
4. Name the client (e.g., `Verax`).
5. Under **Authorized Redirect URIs**, add:

   `https://internal.verax.ai/oidc/callback`

6. Click **Create**.
7. Save the generated:
   - Client ID
   - Client Secret

These values will be entered into Verax.

---

## Part 2: Configure the Service Account

This allows Verax to read user and group directory data.

### Step 1: Create the Service Account

1. In Google Cloud Console, go to **IAM & Admin > Service Accounts**.
2. Click **Create Service Account**.
3. Name it (e.g., `verax-service`).
4. Click **Create and Continue**.
5. Click **Done** (no IAM roles needed at this stage).

Copy the **Unique ID (OAuth 2 Client ID)** of the service account. You will need this later.

### Step 2: Generate the Private Key

1. Click the service account email.
2. Go to the **Keys** tab.
3. Click **Add Key > Create new key**.
4. Select **JSON**.
5. Click **Create**.

A `.json` file will download.

This file contains the private key required for service authentication. Store it securely.

### Step 3: Enable Domain-Wide Delegation

Permissions must be granted in the Google Workspace Admin Console.

1. Open the **Google Admin Console**.
2. Navigate to **Security > Access and data control > API controls**.
3. Click **Manage Domain Wide Delegation**.
4. Click **Add new**.
5. Enter:
   - Client ID: Paste the Service Account Unique ID from Step 1.
   - OAuth Scopes: Paste the following (as-is):

   ```plaintext
   https://www.googleapis.com/auth/admin.directory.user.readonly,
   https://www.googleapis.com/auth/admin.directory.group.readonly
   ```

6. Click **Authorize**.
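
The following pre-handoff check is an added example, not part of Verax's or Google's tooling. It audits the downloaded key file from Step 2 (file permissions, and the `client_id` field that holds the Unique ID entered above) and compares a Domain-Wide Delegation scope string against the two read-only scopes in this guide. The function names and the sample key are constructed for illustration, and the file-mode check assumes a POSIX system.

```python
import json
import os
import stat
import tempfile

# Scopes this guide authorizes under Domain-Wide Delegation (both read-only).
EXPECTED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
}

def audit_key_file(path):
    """Return (findings, client_id) for a downloaded service account key."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:o}: key is accessible beyond its owner")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        findings.append("type is not service_account")
    if not key.get("private_key"):
        findings.append("private_key is missing")
    if not str(key.get("client_id", "")).isdigit():
        findings.append("client_id is not a numeric Unique ID")
    return findings, key.get("client_id")

def audit_delegated_scopes(pasted):
    """Diff a comma-separated scope string against EXPECTED_SCOPES."""
    granted = {s.strip() for s in pasted.split(",") if s.strip()}
    return ([f"unexpected scope: {s}" for s in sorted(granted - EXPECTED_SCOPES)]
            + [f"missing scope: {s}" for s in sorted(EXPECTED_SCOPES - granted)])

def demo():
    # Constructed sample key: placeholder values only, not a real credential.
    sample = {"type": "service_account", "client_id": "100000000000000000001",
              "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY"}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, 0o644)  # simulate a download left world-readable
    before, client_id = audit_key_file(path)
    os.chmod(path, 0o600)  # restrict to the owner, then audit again
    after, _ = audit_key_file(path)
    os.remove(path)
    return before, after, client_id

if __name__ == "__main__":
    print(demo())
```
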

---

## Admin Impersonation Requirement

To perform directory lookups, Verax must impersonate a Google Workspace admin account with sufficient privileges to read users and groups.

### Recommended Approach

Create a dedicated service admin account (for example, `verax-svc-auth-manager@mydomain.com`) and assign it only the required read-only directory roles.

This ensures:

- Clear audit separation between automated system actions and human administrator activity
- Improved audit log clarity in Google Admin logs

### Alternative

You may provide an existing admin account with sufficient read privileges. However, this may reduce audit transparency.

---

## Completion

Once completed, provide Verax with:

- OAuth Client ID
- OAuth Client Secret
- Service Account JSON file
- Admin Email to Impersonate (a Google Workspace admin account with read-only directory privileges)

Verax will now be able to:

- Authenticate users via OIDC
- Retrieve user and group directory data
