
Google SSO integration with Identity Cloud for social authentication/registration

Last updated Nov 10, 2021

The purpose of this article is to provide information on configuring Identity Cloud to integrate with Google® as a social provider using OpenID Connect (OIDC) for Single Sign-On (SSO).



This article describes how to configure Identity Cloud to use Google as a social provider for authentication and/or registration. Identity Cloud provides a solution for Google social authentication and registration based on OIDC standards.

Steps involved:

  1. Configure Google 
  2. Configure the Social Identity Provider in Identity Cloud
  3. Create the end-user journey
  4. Test the end-user experience


Configuring Google


ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.

Create an OAuth 2.0 client

You'll need to create an OAuth 2.0 client for your Identity Cloud Platform project. Identity Cloud uses the OAuth 2.0 client ID when requesting an OAuth 2.0 access token.

Refer to the Google Cloud Platform documentation for guidance on setting up OAuth 2.0. When creating the OAuth 2.0 client, make sure you select your Identity Cloud project. If this is your first time creating a client ID, you will also need to configure your consent screen as shown in the User Consent section in the Google documentation.

Use the following configuration for Identity Cloud:

  • Application Type: Select Web application.
  • Name: Enter a suitable name to identify the OAuth 2.0 client.
  • Authorized JavaScript origins: Click Add URI and add your origin URI for your Identity Cloud instance, for example, https://<tenant-name>
  • Authorized redirect URIs: Add the Identity Cloud server URI. This is the page to go to once access has been granted, for example, https://<tenant-name>

Once you have created the OAuth 2.0 client, you'll see a unique Client ID and Client Secret. You'll need this information when you configure the Google social identity provider in Identity Cloud. You can retrieve these details at any time from the Credentials page.

Configuring the Social Identity Provider in Identity Cloud

  1. In the Identity Cloud Admin UI, navigate to Native Consoles > Access Management > Services > Social Identity Provider Service.
  2. Choose Secondary Configurations, click Add a Secondary Configuration, and select the Client configuration for Google option.
  3. Complete the following configuration:
    • Name: Enter a name for the social identity provider, for example, Google.
    • Client ID: Enter the client identifier for your Google Cloud Platform project.
    • Redirect URL: Enter your Identity Cloud tenant login URL. This must match the redirect URI you configured in your Google Cloud Platform project, for example, https://<tenant-name>
    • Scope Delimiter: Enter the scope delimiter, which is usually an empty space.
  4. Click Create.

The full configuration for the new Google social identity provider is displayed.

  5. Enter the client secret for your Google Cloud Platform project in the Client Secret field.
  6. Check that the rest of the default settings are correct. In particular, check the following fields:
    • Enabled: Ensure the configuration is enabled.
    • Issuer: Ensure that is entered.
    • Transform Script: Ensure that Google Profile Normalization is entered. This script transforms Google credential data into a normalized form.
  7. Click Save Changes.
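
The checks below are an added example, not ForgeRock's or Google's code: a pre-flight comparison of the values entered on the Google side and in the Social Identity Provider configuration, catching mismatches that otherwise surface only as a failed sign-in. The dictionary key names and all sample values (tenant host, path, client ID, secret) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def check_google_idp(google_client, idc_provider):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    redirect = idc_provider["redirect_url"]
    # Google compares redirect URIs as exact strings: scheme, host, path and
    # trailing slash must all match one of the authorized redirect URIs.
    if redirect not in google_client["authorized_redirect_uris"]:
        findings.append("redirect_url is not an exact match for any authorized redirect URI")
    r = urlsplit(redirect)
    if r.scheme != "https":
        findings.append("redirect_url is not https")
    if r.fragment:
        findings.append("redirect_url contains a fragment")
    # JavaScript origins are scheme://host[:port] only: no path, query or wildcard.
    origins = google_client["authorized_js_origins"]
    for origin in origins:
        o = urlsplit(origin)
        if o.scheme != "https" or o.path or o.query or o.fragment or "*" in origin:
            findings.append(f"origin {origin!r} is not a bare https origin")
    # Consistency with the steps above: both values point at the same tenant.
    if f"{r.scheme}://{r.netloc}" not in origins:
        findings.append("redirect_url host is not among the authorized JavaScript origins")
    if idc_provider["client_id"] != google_client["client_id"]:
        findings.append("client_id differs between Google and Identity Cloud")
    if not idc_provider.get("client_secret"):
        findings.append("client secret is empty")
    if not idc_provider.get("enabled"):
        findings.append("provider configuration is not enabled")
    if idc_provider.get("scope_delimiter") != " ":
        findings.append("scope delimiter is not a space (the usual value)")
    return findings

# Constructed sample values; the key names are hypothetical, not an export format.
GOOGLE = {
    "client_id": "1234567890-example.apps.googleusercontent.com",
    "authorized_js_origins": ["https://idc-tenant.example.com"],
    "authorized_redirect_uris": ["https://idc-tenant.example.com/redirect-path"],
}
GOOD = {"client_id": GOOGLE["client_id"], "client_secret": "placeholder-secret",
        "redirect_url": "https://idc-tenant.example.com/redirect-path",
        "scope_delimiter": " ", "enabled": True}
BAD = dict(GOOD, redirect_url="https://idc-tenant.example.com/redirect-path/", enabled=False)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_google_idp(GOOGLE, cfg) or "ok")
```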

Creating the end-user journey

You can create custom end-user journeys for social registration and sign in. These journeys will include all your enabled social identity providers, so you won't need to create different journeys for different providers.

See How do I create end user journeys for social registration and login in Identity Cloud? for information on how to create end-user journeys for SSO with social providers.

Testing the end-user experience

  1. In the Identity Cloud Admin UI, navigate to Journeys.
  2. Click the journey that you want to test.
  3. Copy the Preview URL.
  4. Paste the preview URL into a browser using Incognito or Private Browsing mode.
  5. Follow the sign in and/or registration steps to test your journey.

For example, if Google is configured as a social identity provider for social login, end users are asked if they want to authenticate with Google, similar to the screenshot below.

See Also

How do I create end user journeys for social registration and login in Identity Cloud?

Facebook SSO integration with Identity Cloud for social authentication/registration

Manage Journeys

Google Social Identity Provider

Social Authentication

Copyright © 2021 ForgeRock, all rights reserved.