Introduction

This guide explains how to configure an OpenID Connect (OIDC) federation between Google Workspace / Cloud Identity (Identity Provider) and Wikit IAM (OIDC Broker). Once the configuration is complete, users in your organization will be able to log in to Wikit using their usual Google Workspace username and password.

Prerequisites

  • Be a Google Workspace Administrator (or be assisted by the admin).
  • Have access to the organization's Google Cloud Console.
  • Know:
    • Your Google Workspace domain (e.g., client.com)
    • The organization slug provided by Wikit (e.g., client)
    • The Wikit IAM authentication URL: https://auth.wikit.ai

Google Workspace Side Configuration

Step 1: Create (or select) a Google Cloud Project

  1. Log in to the Google Cloud Console with an administrator account.
  2. Select an existing project, or click on New Project.
  3. Recommended name: Wikit-SSO-<your_organization> (e.g., Wikit-SSO-client1).

Step 2: Configure the OAuth Consent Screen

  1. In the menu, go to: APIs & Services → OAuth consent screen.
  2. User Type:
    • Choose Internal (recommended) to limit access to users within your Google Workspace domain.
  3. Fill in the required fields:
    • App Name: Wikit
    • User Support Email
    • Developer Contact Information
  4. Leave the scopes as default (Wikit only uses openid, email, profile).
  5. Click Save and Continue.

Step 3: Create an OAuth App (OIDC) and Retrieve Credentials

  1. Go to: APIs & Services → Credentials.
  2. Click on Create Credentials → OAuth client ID.
  3. Select:
    • Application type: Web application
  4. Fill in:
    • Name: Wikit SSO
    • Authorized redirect URIs: Add exactly the URL provided by Wikit:

      https://auth.wikit.ai/realms/wikit-prod/broker/{organization-slug}/endpoint

      Example for client1:

      https://auth.wikit.ai/realms/wikit-prod/broker/client1/endpoint

      Important: The URI must match character for character. Otherwise, Google will return a redirect_uri_mismatch error.
  5. Click Create.
  6. Copy the displayed values:
    • Client ID
    • Client Secret

Step 4: Restrict Access to Your Domain

To ensure that only accounts from your domain (e.g., @client1.com) can log in:

  1. Open the Google Admin Console.
  2. Go to: Security → Access and data control → API controls → Manage Third-Party App Access
  3. Find the Wikit SSO app you just created.
  4. Set the access to Trusted for the relevant Organizational Units or groups.
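As an added example (not part of this guide, nor Wikit's or Google's code), here are the two checks behind the redirect URI rule in Step 3 and the domain restriction just above, in Python: the exact-match comparison Google applies to the registered redirect URI, and the claim checks a broker should apply to Google's ID token so that only accounts from the configured Workspace domain (the `hd` claim) are accepted. The client ID, claims and domain below are constructed values, and signature verification of the token against Google's JWKS is assumed to happen before these checks.

```python
import time
from typing import Optional

# Constructed values for this example (not real Wikit or Google identifiers).
WIKIT_BROKER_BASE = "https://auth.wikit.ai/realms/wikit-prod/broker"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
SAMPLE_CLIENT_ID = "123456789-example.apps.googleusercontent.com"  # constructed
SAMPLE_CLAIMS = {  # constructed ID token payload for a Workspace user
    "iss": "https://accounts.google.com",
    "aud": SAMPLE_CLIENT_ID,
    "exp": 1_900_000_000,
    "email": "firstname.lastname@client1.com",
    "email_verified": True,
    "hd": "client1.com",
}


def expected_redirect_uri(organization_slug: str) -> str:
    """Redirect URI Wikit expects for an organization slug (Step 3)."""
    return f"{WIKIT_BROKER_BASE}/{organization_slug}/endpoint"


def redirect_uri_matches(configured: str, organization_slug: str) -> bool:
    """Google compares the registered redirect URI byte for byte: a trailing
    slash, http instead of https or a different case all produce
    redirect_uri_mismatch, so this check is a plain string equality."""
    return configured == expected_redirect_uri(organization_slug)


def check_google_id_token_claims(claims: dict, client_id: str,
                                 workspace_domain: str,
                                 now: Optional[int] = None) -> tuple:
    """Claim checks to apply to a Google ID token after its signature has
    been verified against Google's JWKS (assumed done by the broker).
    Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != client_id:
        return False, "audience is not this client ID"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("email_verified") is not True:
        return False, "email not verified by Google"
    # 'hd' is only set for Workspace accounts; a missing or different value
    # is a consumer Gmail account or another organization's user.
    if claims.get("hd") != workspace_domain:
        return False, "account is outside the Workspace domain"
    return True, "ok"
```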

Information to Send to Wikit

Please send the following items to your Wikit contact:

  • Client ID: ...
  • Client Secret: ...
  • Google Workspace Domain (e.g., client.com)
  • (Optional) 1–2 test accounts (e.g., firstname.lastname@client.com)

Wikit will finalize the configuration (OIDC Identity Provider alias {organization-slug}) and enable the login button.

Connection Test

Once the configuration is complete on the Wikit side:

  1. Go to the usual Wikit URL.
  2. Click on Log in with Google Workspace.
  3. Authenticate with your Workspace account (firstname.lastname@client1.com).
  4. You are redirected to Wikit and logged in.

Troubleshooting

  • Error redirect_uri_mismatch → Check that the redirect URI declared in Google is exactly: