This guide walks you through integrating Google Workspace Single Sign-On with Axya. Once configured, your users can log in to Axya using their existing Google Workspace credentials.
Send the following information to Axya's security team at security@axya.co:
| Information | Description |
|---|---|
| User domain name | The email domain used for SSO (e.g., user@yourcompany.com) |
| SSO URL | The Google IdP SSO URL from the SAML app configuration |
| Entity ID | The Google IdP Entity ID |
| X.509 Certificate | The signing certificate downloaded from Google |
| Test account | A test user with valid Google Workspace credentials for Axya to validate the SSO flow |
| Information | Description |
|---|---|
| User domain name | The email domain used for SSO (e.g., user@yourcompany.com) |
| Client ID | The OAuth 2.0 Client ID from Google Cloud Console |
| Client Secret | The OAuth 2.0 Client Secret from Google Cloud Console |
| Test account | A test user with valid Google Workspace credentials for Axya to validate the SSO flow |
| Google Directory attribute | App attribute |
|---|---|
| Primary email | email |
| First name | firstName |
| Last name | lastName |
email, profile, and openid.This step applies to the SAML configuration (Step 1A). OIDC configurations using an Internal OAuth consent screen are automatically available to your domain users.
Important: Changes may take up to 24 hours to propagate across your Google Workspace organization, though they typically apply within minutes.
Email the following to security@axya.co:
For SAML 2.0:
For OIDC:
The Axya security team will configure the SSO connection and provide the ACS URL, Entity ID, or Redirect URI if not already shared.
"This app is blocked" or "App not available" error
The Axya SAML app has not been enabled for the user's organizational unit. Complete Step 2 above to enable user access.
"Error 400: redirect_uri_mismatch" (OIDC)
The Redirect URI configured in Google Cloud Console does not match what Axya expects. Contact security@axya.co to confirm the correct Redirect URI.
"Access blocked: Authorization Error" (OIDC)
The OAuth consent screen may be set to External instead of Internal, or the required scopes are not configured. Verify the consent screen settings in Google Cloud Console.
Users from a specific organizational unit cannot log in
The Axya app may not be enabled for that organizational unit. In the Google Admin Console, check User access settings for the app and ensure the relevant unit is set to ON.
Note: This guide covers the general Google Workspace SSO setup. Configuration steps may vary depending on your Google Workspace edition and organizational policies. Refer to the official Google Workspace Admin documentation for the most current instructions.
For assistance, contact the Axya security team at security@axya.co.