Articles on: Schools & enterprise plans

Set up Google Workspace single sign-on (OIDC) for SimplyPrint

Set up Google Workspace single sign-on (OIDC) for SimplyPrint


This guide walks you through connecting Google Workspace to SimplyPrint with OpenID Connect (OIDC), so members can sign in with their existing Google account. You'll create an OAuth 2.0 client in the Google Cloud Console, register SimplyPrint's redirect URI, and paste the issuer and client credentials into your account settings.


OIDC single sign-on needs the SSO feature, which is included in the Enterprise plan and the School plan. Print Farm subscribers from before 2026-05-15 are grandfathered and keep it. See the pricing page for the full comparison.


Google Workspace is one of several identity providers SimplyPrint supports over OIDC. For the bigger picture and a list of all providers, see the OIDC overview.


Before you start

A few things to have ready:


  • You need to be an account admin with the user-registration settings permission. Only that role can configure SSO.
  • An account can run one SSO method at a time, SAML or OIDC, not both. Turning on OIDC deactivates SAML if you had it set up, but it keeps the saved SAML configuration for later.
  • You need admin access to your organization's Google Cloud Console (or someone who has it) to create the OAuth client.
  • Have your SimplyPrint settings open in one tab and the Google Cloud Console in another, since you'll copy a value between them.


Step 1: Open the OIDC settings in SimplyPrint

  1. Go to Settings -> Organization and open the User registration & SSO section.
  2. Tick OpenID Connect (OIDC) single sign-on.
  3. Click Configure OIDC single sign-on to open the setup modal.
  4. At the top of the modal, select the Google Workspace preset tab.


The Google Workspace preset prefills sensible defaults, including the standard claim mappings Google uses.


Step 2: Copy your redirect URI

In the modal, under What you need from us, you'll see a read-only Redirect URI field. This is the URL Google sends people back to after they sign in.


Copy the exact redirect URI shown in your modal. Use the Copy button rather than typing it, as a single character off will break the connection. You'll paste it into Google in the next step.


Keep this tab open. You'll come back to it to paste your client credentials.


Step 3: Create an OAuth client in Google Cloud Console

You create the OAuth 2.0 client in the Google Cloud Console, in the same Google Cloud project you want to use for sign-in.


  1. Go to the Google Cloud Console and select (or create) a project that belongs to your organization.
  2. Open APIs & Services -> Credentials.
  3. If you haven't configured it yet, set up the OAuth consent screen (also called the Branding / Audience page). Fill in your app name and support email.
  4. Click Create credentials -> OAuth client ID.
  5. For Application type, choose Web application.
  6. Give it a recognizable name, for example "SimplyPrint SSO".
  7. Under Authorized redirect URIs, click Add URI and paste the redirect URI you copied from SimplyPrint in step 2.
  8. Click Create.


Google then shows your Client ID and Client secret. You can always find them again later by opening the client on the Credentials page.


To limit sign-in to people in your own organization, set the OAuth consent screen Audience (user type) to Internal. That makes Google reject any account outside your Workspace. If you choose External, you can still restrict who gets in from the SimplyPrint side using allowed email domains, covered below.


Step 4: Paste the details back into SimplyPrint

Switch back to the SimplyPrint modal, under What we need from you, and fill in:



Leave Scopes at the default openid profile email.


Click Check to validate the connection. SimplyPrint reads Google's discovery document and shows the resolved endpoints (authorization, token, and so on). If the check succeeds, the rest of the setup is automatic, so you don't need to fill in any endpoints by hand.


The Client secret is write-only. Once you save, the field shows "Unchanged" and your secret stays hidden. Leave it blank when editing later to keep the existing secret, or type a new one to replace it.


Click Save when you're done.


Step 5: Test the connection

Before rolling this out to your members, use the built-in test.


  1. With your settings saved, click Test sign-in in the modal.
  2. A new tab opens and runs the real Google sign-in flow.
  3. SimplyPrint shows you the claims Google returned (email addresses are masked) without logging anyone in or creating an account.


This is the recommended way to confirm everything works. If a required claim is missing, the test calls it out so you can fix the mapping or your Google client before any member tries to sign in.


After this, members can sign in with Google from your organization's login page. For how that looks to them, see signing in with SSO. Existing members who already have an email and password account can link it to their SSO identity.


How new members get an account

When someone signs in for the first time and doesn't have a SimplyPrint account yet, SimplyPrint creates one automatically, but only when the email address is trustworthy. With Google Workspace, the email is trusted when any of these is true:


  • Google marked the email as verified (Google sends an email_verified claim, so this normally just works for Workspace accounts).
  • The email's domain is one your account has verified. See verified email domains.
  • An admin turned off Require verified email in the modal's Advanced section.


Because Google reliably reports verified emails for Workspace accounts, most accounts are created without any extra setup. Verifying your domains adds a second layer of trust and is worth doing anyway.


Google-specific things to know

A few Google quirks are worth calling out, so they don't surprise you later.


  • No groups by default. Google does not include a groups claim in the standard sign-in token, so mapping Google groups to SimplyPrint user groups generally won't work out of the box. The Google Workspace preset only maps email, first name (given_name), and last name (family_name); it does not set up a group mapping. If you need group-based assignment, SAML is the better fit, see SSO user groups and group mapping.
  • Logout is local to SimplyPrint. Google does not advertise a sign-out (logout) endpoint, so signing out of SimplyPrint ends only the SimplyPrint session. Members may still be signed in to Google. To fully sign out, they'll need to sign out of Google separately.
  • Restrict the app if you only want your organization. As noted above, setting the OAuth consent screen to Internal keeps sign-in limited to your Workspace. You can also restrict by email domain in SimplyPrint under Advanced -> Allowed email domains.


Troubleshooting

If sign-in fails, the modal's debug panels are your first stop. Last received claims (debug) shows the most recent claims from Google (email addresses masked), and Last sign-in error (debug) shows the most recent error. Together they pinpoint most problems.


A few common cases:


  • Redirect URI mismatch: the redirect URI in your Google client must match the one in SimplyPrint exactly. Re-copy it from the modal and update the Google client.
  • A new account couldn't be created: the email wasn't trusted. Verify your email domains, or turn off Require verified email, as described above.
  • Sign-in blocked for some users: if you set the consent screen to Internal, only your Workspace members can sign in. Outside accounts get a Google "org_internal" error.


For a deeper walkthrough of errors and fixes, see troubleshooting OIDC sign-in.



Updated on: 13/06/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!