# Google SSO Setup

This guide explains how to configure Google Workspace as the identity provider for Nected.\
The setup requires creating an OAuth 2.0 Client inside Google Cloud Console, configuring the consent screen, adding redirect URIs, and supplying the credentials to **Konark** and **Nalanda** through `nected-values.yaml`.

This document is designed for administrators who manage authentication for Nected environments.

### **Prerequisites**

Before starting:

* You must have admin access to Google Cloud Console.
* Your organization must use Google Workspace or have Google Identity enabled.
* You must know your Nected UI domain, for example:\
  `https://nected-ui.example.com`
* You must have access to edit and deploy your Helm chart configuration.

### **1. Open Google Cloud Console**

Go to: <https://console.cloud.google.com/>

Choose the correct Google Cloud project where you want to configure OAuth authentication.

If your organization uses multiple projects, confirm you’re configuring the correct one for Nected.

### **2. Enable OAuth Consent Screen**

Google requires a consent screen before OAuth credentials can be created.

Go to:

**APIs & Services → OAuth Consent Screen**

Choose one of the following:

* **Internal** → Only users in your Google Workspace can authenticate
* **External** → Any Google user can authenticate (only use if required)

Fill in the required fields:

* App name
* User support email
* Developer contact email

You do **not** need to add scopes or test users at this stage unless your organization enforces security constraints.\
Save the configuration to continue.

### **3. Create OAuth 2.0 Client Credentials**

Now create the credentials that Nected will use.

Navigate to:

**APIs & Services → Credentials → Create Credentials → OAuth client ID**

Choose:

* **Application type:** *Web application*

Enter a name, for example:

```
nected-sso-google
```

### **4. Add Authorized Redirect URIs**

Google requires redirect URIs to be explicitly listed for your app to accept OAuth callbacks.

Add this URI exactly as it appears in your Nected UI:

```
https://<your-nected-ui-domain>/oauth/redirect
```

Example:

```
https://nected-ui.example.com/oauth/redirect
```

You may add multiple URIs later if using different staging/production deployments.

Click **Create**.

Google will generate:

* **Client ID**
* **Client Secret**

Download these values or copy them—they will be needed in your Helm config.

### **5. Configure Nected (Konark + Nalanda)**

Open your `nected-values.yaml` file.\
Google SSO requires configuration in both services.

#### **5.1 Update Konark Environment Variables**

Konark handles the browser login flow.

Locate:

```
Konark:
  envVars:
```

Add:

```yaml
# Authentication Configuration
VITE_ENABLE_GOOGLE_LOGIN: true
VITE_GOOGLE_CLIENT_ID: "<Google Client ID>"
```

These values enable Google login on the UI.

#### **5.2 Update Nalanda Environment Variables**

Nalanda validates Google-issued ID tokens and establishes server-side authentication.

Locate:

```
Nalanda:
  envVars:
```

Add:

```yaml
# google-login
GOOGLE_AUTH_ENABLED: "true"
GOOGLE_CLIENT_ID: "<Google Client ID>"
```

Nalanda requires the secret to verify OAuth flows securely.

### **6. Apply the Configuration**

Deploy the updated configuration using your Helm chart:

```bash
helm upgrade -i nected nected/nected -f nected-values.yaml
```

Restart all authentication-related services:

```bash
kubectl rollout restart deploy nected-konark nected-nalanda
```

Both services will start using the new Google OAuth configuration.

### **7. Validate the Integration**

Open your Nected UI.

You should now see a **“Continue with Google”** option on the login screen.

Test login using a Google account allowed by your consent screen settings.

If authentication succeeds, Google SSO is operating correctly.

{% hint style="warning" %}
In case you need any kind of assistance while setting up the SSO, please contact us at [**support@nected.ai**](mailto:support@nected.ai)
{% endhint %}

### **8. Troubleshooting**

#### Consent screen errors

Internal apps only allow users within your organization.\
Switch to **External** if your users are outside your domain.

#### Redirect URI mismatch

Ensure the URI in Google Console matches exactly with the one provided to Konark.

#### Invalid client or secret

Verify the following values in `Nalanda → envVars`:

* `GOOGLE_CLIENT_ID`
* `GOOGLE_CLIENT_SECRET`

#### Login button not appearing

Konark must include:

```
VITE_ENABLE_GOOGLE_LOGIN: true
```

#### Token validation failures

Google tokens expire quickly—ensure your cluster’s time synchronization is accurate using NTP.

Your Nected deployment now supports authentication through Google Workspace.\
This configuration improves login security, simplifies onboarding, and aligns access control with your organization’s identity strategy.

You can now combine Google SSO with other providers like Microsoft Entra for multi-IdP environments.