Setting up Single Sign-On (SSO) with Google (OIDC)

This guide walks you through configuring Google as your OpenID Connect (OIDC) identity provider so your team can log into Clockk using their Google Workspace accounts.

1. Log in to Google Cloud Console

Go to https://console.cloud.google.com and sign in with an administrator account that can configure OAuth and credentials for your organization.

2. Create or select a Google Cloud project

  • Create a new project dedicated to SSO/integrations. In our own testing, we created a new Clockk OIDC SSO project.
  • Switch to the new project.
  • Click “Get started”

Alternatively, you can use an existing Google Cloud project. This documentation describes how to set up SSO using a new project rather than an existing one. If you prefer to use an existing project, we will assume you are already familiar with the Google Cloud interface and can infer the specific steps you need to take.

3. Configure the Project (OAuth Consent Screen)

  1. Under App Information:
    • App name: Clockk
    • Support email: (someone at your company who will support this integration)
  2. Under Audience:
    • Choose Internal
  3. Contact information:
    • Your email address
  4. Finish:
    • Agree to the terms

4. Configure project branding

At this point you’ve created the basic project, but you should do more to make Clockk recognizable and usable for your users.

  1. Under Branding:
    • App information is already set.
    • App logo: Upload the Clockk logo; you can download our logo at https://clockk.com/brand.
    • App domain: Application homepage is https://clockk.com. Privacy policy link is https://clockk.com/privacy-policy. Terms of service link is https://clockk.com/license-agreement.
    • Authorized domains: clockk.com

5. Create OAuth 2.0 client credentials

  1. Under Clients:
    • Click + Create client
    • Application type: Web application.
    • Name: Clockk
    • Authorized JavaScript origins: Enter https://app.clockk.com and https://clockk.com. Optionally add https://«yourbrand».clockk.com for our no-password-easy login feature (see below).
    • Authorized redirect URIs: Enter https://ca-central.api.clockk.com/integration/google/install
    • Click Create to obtain your Client ID and Client Secret.

⚠️ Copy the Client ID and Client Secret and store them securely. Google will only show the client secret this one time.

6. Send your credentials to Clockk

Provide the following to your Clockk contact (securely):

  • Client ID
  • Client Secret
  • (optional) The domain you used above in https://«yourbrand».clockk.com

Clockk uses these values to complete the OIDC Authorization Code Flow and link your organization’s Google SSO to Clockk.

7. (Optional) Restrict access to your domain

In Google Cloud, use App access control / IAM to limit which users/groups can use the OAuth client.

Moving on to testing

After Clockk confirms your Google OIDC profile is configured on our side:

  1. Go to the Clockk SSO login page (https://https://app.clockk.com/account/login/sso or by going to https://app.clockk.com/login and clicking the “Enterprise SSO” button), enter your email address, and click “Submit”.
  2. Authenticate with a company Google account.
  3. Verify Clockk creates/links the user correctly.

If you provided a «yourdomain».clockk.com URL and Clockk has confirmed it, you can try visiting https://«yourdomain.clockk.com to see if you were automatically logged on without needing an email address.

Troubleshooting tips

  • Redirect URI mismatch: Ensure the URI in Google exactly matches the one provided by Clockk (scheme, host, path).
  • Forbidden user: Confirm domain restrictions (in Clockk and/or Google) include the tester’s account.

What Clockk needs from you (recap)

  • Client ID
  • Client Secret (value)
  • (Optional) Domain(s) you want to allow: yourcompany.clockk.com

Questions or need a hand? Contact Clockk and we’ll walk you through verification, redirect URIs, and domain restrictions.