This guide will walk through the steps to configure Google SSO for an LMS domain.

Step 1: Create a Google Cloud Project

  1. Go to console.cloud.google.com

  2. Click the project selector dropdown at the top, then New Project

  3. Name it (e.g. "VC LMS SSO"), click Create, and select it

Step 2: Set Up the Google Auth Platform

  1. Navigate to APIs & Services > Google Auth Platform (or go directly to the overview page)

  2. Click GET STARTED

  3. Fill in:

    • App name: Your application name

    • User support email: Your email

  4. Under Audience, choose:

    • External (any Google account can sign in) or Internal (Google Workspace org accounts only)

  5. Add Developer contact email(s)

  6. Click Create

Step 3: Configure Branding

  1. Go to the Branding page

  2. Fill in your app name, support email, and optionally upload a logo

  3. Under App Domain, add your homepage, privacy policy, and terms of service links

  4. Add your domain(s) to Authorized Domains

  5. Save

Note: Your app name/logo won't display to users on the consent screen until brand verification is complete. Only your domain will show until then.

Step 4: Configure Data Access (Scopes)

  1. Go to the Data Access page

  2. Click Add or Remove Scopes

  3. Add these two scopes (matching your appsettings config):

    • https://www.googleapis.com/auth/userinfo.email

    • https://www.googleapis.com/auth/userinfo.profile

  4. Save

Step 5: Create an OAuth Client

  1. Go to the Clients page

  2. Click CREATE CLIENT

  3. Select Web application

  4. Name it (e.g. "VC Bedrock Web Client")

  5. Under Authorized redirect URIs, add your OAuth callback URL(s) (check your app routing for the exact path)

  6. Click CREATE

  7. Immediately copy and securely store the Client ID and Client Secret — the secret is only shown once and cannot be retrieved later (it gets hashed). Google recommends storing it in a secret manager.

Step 6: Configure Your Application

The ClientId and ClientSecret are stored in the dbo.OAuthConfigurations database table:

Column          | Value
ClientId        | Client ID from Step 5
ClientSecret    | Client Secret from Step 5
OAuthProviderId | 2 (OAuthProviderEnum.Google)
TenantId        | Leave null (not used for Google)

The endpoint URLs are already set in your appsettings and don't need changes.

Step 7: Manage Audience / Go to Production

  1. Go to the Audience page

  2. While Publishing status is "Testing", only test users you explicitly add can authenticate (capped at 100 users)

  3. When ready for production, change the publishing status to In Production on this page

  4. If you're using sensitive/restricted scopes, you'll need to complete verification via the Verification Center — but userinfo.email and userinfo.profile are non-sensitive, so you should not need a full review

Once this is all configured, a user can go to the LMS domain, authenticate with Google, and should have access. If this is the first time someone has accessed the domain and they are the prospective admin, they should contact customer support to ensure they get elevated permissions for the domain.
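A pre-flight check for the values entered in Steps 3 to 5, as an added example that is not part of the original guide or the LMS code base: it flags redirect URIs that break Google's documented redirect URI rules (HTTPS except for localhost, no wildcard, fragment, userinfo, raw IP or path traversal) or that fall outside the Authorized Domains, and lists any requested scope beyond the two from Step 4. The function names and the sample hosts and paths in the comments are constructed placeholders, not the application's real callback path.

```python
import ipaddress
from urllib.parse import urlsplit

# The two non-sensitive scopes configured in Step 4.
EXPECTED_SCOPES = {
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def redirect_uri_problems(uri, authorized_domains):
    """Return reasons a redirect URI should not be registered (empty list = OK).

    Constructed sample input: "https://lms.example.com/callback-path-placeholder"
    """
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host"]
    loopback = host in LOOPBACK
    problems = []
    if parts.scheme != "https" and not (parts.scheme == "http" and loopback):
        problems.append("must be https (plain http only for localhost)")
    if "*" in uri:
        problems.append("wildcard")
    if "#" in uri:
        problems.append("fragment")
    if "@" in parts.netloc:
        problems.append("userinfo")
    if "/.." in parts.path:
        problems.append("path traversal")
    if is_raw_ip(host) and not loopback:
        problems.append("raw IP host")
    domains = [d.lower() for d in authorized_domains]
    if not loopback and not any(host == d or host.endswith("." + d) for d in domains):
        problems.append("host not under an Authorized Domain (Step 3)")
    return problems


def unexpected_scopes(requested):
    """Scopes the app asks for beyond the two configured in Step 4."""
    return sorted(set(requested) - EXPECTED_SCOPES)
```

Google matches the redirect URI exactly, so run the check on the same string the application sends, including scheme, host, port and path.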