Google Workspace SSO setup #
Connect Google Workspace to eCardWidget over OpenID Connect.
Prerequisites: Enterprise plan; you'll verify your email domain via DNS during setup.
1. Create OAuth 2.0 credentials in Google Cloud #
- Google Cloud Console → APIs & Services → Credentials → Create Credentials → OAuth client ID.
- Application type: Web application.
- Name:
eCardWidget. - Authorized JavaScript origins:
https://app.ecardwidget.com. - Authorized redirect URIs:
https://app.ecardwidget.com/v2/api/sso/callback - Create, then copy the Client ID and Client Secret.
2. Configure the consent screen #
- APIs & Services → OAuth consent screen.
- User type: Internal (restricts to your Workspace domain).
- Authorized domains: add
ecardwidget.com. - Scopes:
openid,email,profile. - Save.
3. Connect Google Workspace in ECW #
- Sign in as the account owner → Settings → SSO & Directory Sync → Set up SSO.
- Provider: choose Google Workspace → Continue.
- Fill in:
- Provider name:
Google Workspace - Email domain:
yourcompany.com - OIDC discovery URL:
https://accounts.google.com/.well-known/openid-configuration - OIDC client ID / client secret: from step 1
- Provider name:
- Click Save & Create SSO.
4. Verify your email domain #
Click Verify Domain, then publish the DNS record:
| Record name | Type | Value |
|---|---|---|
_ecw-domain-verify.yourcompany.com |
TXT |
ecw-domain-verify=<token> |
Wait 5–15 min → Check Now. SSO login is inactive until it shows Verified.
5. Test and sign in #
- Test Connection — confirm the checks pass.
- In a fresh incognito window:
https://app.ecardwidget.com/main/login→ enter a test user's email → Continue with SSO → authenticate with Google → land in the ECW dashboard.
6. (Optional) SCIM provisioning from Google #
If you provision via a SCIM 2.0 connector, use ECW's SCIM Users Endpoint URL (the full
endpoint, with /Users):
https://app.ecardwidget.com/v2/api/scim/v2/Users
See SCIM provisioning & attribute mapping for tokens, mappings, and the lifecycle.
Troubleshooting (Google) #
| Symptom | Fix |
|---|---|
redirect_uri_mismatch |
The redirect URI in Google Cloud ≠ what ECW sent. Match both ends exactly. |
403 access_denied on consent |
User isn't in your Workspace domain (consent screen is Internal). Ensure they have a @yourcompany.com Google account. |
sso_error=domain_mismatch |
Token email isn't on your registered domain. Confirm the user's primary Workspace email. |
More: Troubleshooting.