
Google Workspace SSO Configuration for MCP

Set up Google Workspace (formerly G Suite) as your Single Sign-On (SSO) provider for Model Context Protocol (MCP) servers with secure OAuth 2.0 authentication. This guide walks you through creating and configuring a Google Cloud project and OAuth 2.0 credentials for seamless integration with Cequence AI Gateway.

Prerequisites

Before you begin, ensure you have:

  • Google Cloud Console access with project creation permissions
  • Google Workspace admin access (for organization-wide settings)
  • Your application's redirect URI: https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
  • Basic understanding of OAuth 2.0 and OpenID Connect

Step 1: Access Google Cloud Console

  1. Navigate to the Google Cloud Console
  2. Sign in with your Google Workspace administrator account
  3. Select your organization from the dropdown (if applicable)

Step 2: Create or Select Project

Create New Project

  1. Click the project dropdown at the top of the page
  2. Click New Project in the dialog
  3. Configure project settings:
    • Project name: Cequence AI Gateway or your preferred name
    • Organization: Select your Google Workspace organization
    • Location: Choose your organization or folder
  4. Click Create and wait for project creation

Select Existing Project

  1. Click the project dropdown at the top
  2. Search for and select your existing project
  3. Ensure you have the necessary permissions

Step 3: Enable Required APIs

  1. In the Google Cloud Console, go to APIs & Services > Library
  2. Search for and enable the following APIs:
    • Google Identity Toolkit API
    • Google+ API (if using legacy scopes)
    • Cloud Identity API (for advanced user management)

Enable APIs

For each API:

  1. Click on the API name
  2. Click Enable
  3. Wait for the API to be activated

Step 4: Configure OAuth Consent Screen

  1. Go to APIs & Services > OAuth consent screen
  2. Select user type:
    • Internal - Only for users within your Google Workspace (recommended for organizations)
    • External - For any Google account (requires app verification for production)
  3. Click Create

Configure App Information

Fill in the required application information:

Field | Description | Value
App name | Display name shown to users | Cequence AI Gateway
User support email | Contact for user questions | Your support email
App logo | Logo shown on consent screen (optional) | PNG file, 120x120px recommended
Application home page | Your application's homepage | Your company URL
Application privacy policy | Link to privacy policy | Your privacy policy URL
Application terms of service | Link to terms of service | Your terms URL
Authorized domains | Verified domains for your app | aigateway.cequence.ai
Developer contact information | Email addresses for Google to contact | Your admin emails

Click Save and Continue.

Configure Scopes

  1. Click Add or Remove Scopes
  2. Add the following OAuth scopes:
    • openid - Authentication
    • email - View email address
    • profile - View basic profile info
    • Optional additional scopes:
      • https://www.googleapis.com/auth/userinfo.email
      • https://www.googleapis.com/auth/userinfo.profile
  3. Click Update
  4. Click Save and Continue

Add Test Users (External Apps Only)

If you selected "External" user type and haven't published your app:

  1. Click Add Users
  2. Enter email addresses of test users
  3. Click Add
  4. Click Save and Continue

Step 5: Create OAuth 2.0 Credentials

  1. Go to APIs & Services > Credentials
  2. Click + Create Credentials
  3. Select OAuth client ID

Configure OAuth Client

Configure the OAuth 2.0 client:

Field | Description | Value
Application type | Type of application | Web application
Name | Identifier for this client | MCP Server Client

Configure Authorized URIs

Add the following URIs:

Authorized JavaScript origins (optional):

https://auth.aigateway.cequence.ai

Authorized redirect URIs (required):

https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback

Important:
  • URIs must match exactly (protocol, domain, port, and path)
  • No trailing slashes unless your application expects them
  • You can add multiple URIs for different environments

Click Create to generate credentials.

Save Client Credentials

After creation, a dialog will show your credentials:

Field | Description | Action
Client ID | Public identifier for your application | Copy and save
Client Secret | Confidential credential for your application | Copy and save securely

Security:

Never expose your Client Secret in client-side code or public repositories. Store it securely in your MCP server configuration.

Step 6: Configure Domain-Wide Settings (Optional)

For organization-wide SSO configuration:

Access Google Workspace Admin

  1. Go to Google Admin Console
  2. Sign in with your super administrator account

Configure SAML Apps (Alternative Method)

If using SAML instead of OAuth:

  1. Go to Apps > Web and mobile apps
  2. Click Add app > Add custom SAML app
  3. Follow the SAML configuration wizard

Set Organization Policies

  1. Go to Security > Access and data control > API controls
  2. Configure:
    • Trust internal apps - Enable for internal OAuth clients
    • Trust domain-owned apps - Enable for your domain's apps
    • App access control - Set policies for third-party apps

Step 7: Configure MCP Server

Configure your MCP server with the Google credentials:

OAuth 2.0 Configuration

Add the following configuration to your MCP server:

{
  "authentication": {
    "type": "oauth2",
    "provider": "google",
    "config": {
      "clientId": "YOUR_CLIENT_ID.apps.googleusercontent.com",
      "clientSecret": "YOUR_CLIENT_SECRET",
      "authorizationUrl": "https://accounts.google.com/o/oauth2/v2/auth",
      "tokenUrl": "https://oauth2.googleapis.com/token",
      "redirectUri": "https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback",
      "scopes": ["openid", "email", "profile"],
      "additionalParams": {
        "access_type": "offline",
        "prompt": "consent"
      }
    }
  }
}

Additional Parameters

Google OAuth supports additional parameters:

Parameter | Value | Description
access_type | offline | Request refresh token
prompt | consent | Force consent screen
login_hint | Email address | Pre-fill email field
hd | Domain | Restrict to specific Google Workspace domain

Domain Restriction

To restrict authentication to your Google Workspace domain:

{
  "additionalParams": {
    "hd": "yourdomain.com",
    "access_type": "offline"
  }
}
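As an added example (not code from the Cequence docs or product), the following Python shows how an MCP server would use the configuration above: it builds the authorization request carrying the hd, access_type and prompt parameters, then validates the ID token claims returned at the callback, because the hd request parameter only pre-selects the domain on Google's sign-in page while the hd claim in the ID token is what the server must check to enforce the restriction. The config values and claims are constructed placeholders, and verification of the token signature against Google's JWKS is assumed to have already happened before the claim checks.

```python
"""Added example for the OAuth config above; placeholder values only."""
import secrets
import time
from urllib.parse import urlencode

# Constructed sample config mirroring the page's JSON (placeholder values).
CONFIG = {
    "clientId": "YOUR_CLIENT_ID.apps.googleusercontent.com",
    "authorizationUrl": "https://accounts.google.com/o/oauth2/v2/auth",
    "redirectUri": "https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback",
    "scopes": ["openid", "email", "profile"],
    "additionalParams": {"hd": "yourdomain.com", "access_type": "offline", "prompt": "consent"},
}


def new_session_values():
    """Fresh per-login state (binds the callback to this browser session) and nonce
    (echoed back inside the ID token so a replayed token can be rejected)."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_auth_url(config, state, nonce):
    """Authorization Code flow request; additionalParams (hd, access_type, prompt)
    are appended exactly as configured."""
    params = {
        "client_id": config["clientId"],
        "redirect_uri": config["redirectUri"],
        "response_type": "code",
        "scope": " ".join(config["scopes"]),
        "state": state,
        "nonce": nonce,
        **config["additionalParams"],
    }
    return config["authorizationUrl"] + "?" + urlencode(params)


def validate_id_token_claims(claims, config, nonce, now=None):
    """Claim checks to run after the JWT signature was verified against Google's JWKS.
    Returns (ok, reason). The hd check is the real domain restriction."""
    now = now if now is not None else int(time.time())
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return False, "issuer mismatch"
    if claims.get("aud") != config["clientId"]:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    if not claims.get("email_verified"):
        return False, "email not verified"
    expected_hd = config["additionalParams"].get("hd")
    if expected_hd and claims.get("hd") != expected_hd:  # missing hd claim also fails
        return False, "hosted domain mismatch"
    return True, "ok"
```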

Step 8: Configure User Access

Organization Settings

In Google Workspace Admin Console:

  1. Go to Apps > Additional Google services
  2. Ensure required services are enabled for users
  3. Configure access levels as needed

Group-Based Access

  1. Create groups in Directory > Groups
  2. Add users to appropriate groups
  3. Configure app access based on group membership

Two-Step Verification

Enforce 2-factor authentication:

  1. Go to Security > Authentication > 2-step verification
  2. Click Enforcement
  3. Select Turn on enforcement
  4. Set enrollment period and configure settings

Testing Your Configuration

Verify OAuth Flow

  1. Initiate an authentication request from your MCP client
  2. You should be redirected to Google's sign-in page
  3. Sign in with your Google Workspace account
  4. Review and accept the consent screen (first time only)
  5. You'll be redirected back to the callback URL
  6. The MCP server should receive tokens successfully

Test Different Scenarios

Test with:

  • Regular Google Workspace users
  • Users with 2FA enabled
  • Users from different organizational units
  • External users (if configured)

Troubleshooting Common Issues

Issue | Solution
Error 400: redirect_uri_mismatch | Ensure the URI matches exactly in Google Console and MCP config
Error 400: invalid_client | Verify Client ID and Secret are correct
Error 403: access_denied | Check user has access to the application
Error 403: org_internal | App is restricted to organization users only
No refresh token received | Add access_type: offline and prompt: consent
Domain restriction not working | Add hd parameter with your domain

Security Best Practices

1. Access Control

  • Use Internal app type for organization-only access
  • Restrict by domain using the hd parameter
  • Limit OAuth scopes to minimum required
  • Review app permissions regularly

2. Secret Management

  • Rotate client secrets periodically
  • Use secret management tools (e.g., Google Secret Manager)
  • Never commit secrets to version control
  • Monitor secret usage in Cloud Console

3. Authentication Policies

Configure in Google Workspace Admin:

  • Enforce 2-step verification for all users
  • Use security keys for high-privilege accounts
  • Configure session length appropriately
  • Enable suspicious activity alerts

4. Monitoring and Auditing

  • Enable audit logs in Google Workspace
  • Monitor OAuth consent activities
  • Track API usage in Cloud Console
  • Set up alerts for unusual activities

Advanced Configuration

Service Account Authentication

For server-to-server authentication:

  1. Create a service account in Cloud Console
  2. Download the JSON key file
  3. Enable domain-wide delegation if needed
  4. Configure MCP server with service account credentials

Custom Scopes

Request additional Google API scopes:

{
  "scopes": [
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/drive.readonly"
  ]
}

Programmatic User Management

Use Google Workspace APIs for automation:

  • Directory API for user management
  • Admin SDK for policy configuration
  • Cloud Identity API for group management

Identity Federation

For hybrid environments:

  1. Configure Google as identity provider
  2. Set up SAML federation with on-premises systems
  3. Implement single sign-on across platforms

Compliance and Governance

Data Protection

Google Workspace compliance features:

  • Data regions - Choose where data is stored
  • Data Loss Prevention - Prevent sensitive data exposure
  • Vault - Retain and search data for compliance
  • Access Transparency - Log access by Google support

Compliance Standards

Google Workspace certifications:

  • ISO/IEC 27001, 27017, 27018
  • SOC 1/2/3
  • GDPR compliant
  • HIPAA capable (with BAA)
  • FedRAMP authorized

Admin Controls

Essential admin configurations:

  1. Context-Aware Access - Control access based on context
  2. Advanced Protection Program - For high-risk users
  3. Alert Center - Monitor security events
  4. Security Dashboard - Overview of security status

Migration Considerations

From Other Providers

When migrating from other SSO providers:

  1. Plan parallel run period
  2. Migrate users in phases
  3. Update application configurations
  4. Communicate changes to users
  5. Maintain fallback authentication method

Legacy G Suite Settings

If migrating from legacy G Suite:

  1. Review deprecated APIs
  2. Update to current OAuth endpoints
  3. Migrate from Google+ scopes
  4. Update consent screen configuration

Next Steps

After successfully configuring Google Workspace SSO:

  1. Complete testing with pilot user group
  2. Configure additional security policies in Google Workspace
  3. Set up monitoring and alerting for authentication events
  4. Document configuration for your team
  5. Plan rollout to all users with communication plan
  6. Configure backup authentication methods
  7. Schedule regular reviews of access and permissions