Single Sign-On (SSO) in collaboration with Google Workspace
With Pluvo, you can easily set up Single Sign-On (SSO) for your academy. In this article, we explain how to retrieve the required details from Google Workspace.
Once you have this information, you can easily implement Single Sign-On (SSO) in Pluvo. You can find more information this article
Note: You will need an admin account in Google Workspace and a Company subscription in Pluvo to complete the following steps.
Let’s start by creating an OAuth client ID:
Go to https://console.cloud.google.com/apis/credentials and choose ‘Create credentials’, then select OAuth client ID.
Next, choose Web application:
In the next step, you need to name the client ID. Choose a clear name, for example: 'Web client Pluvo academy' so you’ll remember what this client ID is used for.
Then copy the “filled in” parameters from Pluvo. You can find these parameters under Admin > Settings > 'SSO & LTI':
Example:
Authorised JavaScript origins: https:// your-subdomain. pluvo.com
Authorised redirect URIs: https:// _your-subdomain_.pluvo.com/oidc/callback/
Next, enter these parameters in Google Workspace:
Once saved, a pop-up will appear showing your client ID and client secret.
Note: Make sure to save a copy, as you'll need the client ID and secret later in the Pluvo SSO settings.
The next step is to create a consent screen in Google Workspace so users can approve the SSO login.
Go to https://console.cloud.google.com/apis/credentials/consent and fill in the following details:
Type: Internal
App name: [Enter a clear name]
App logo: [Choose an image]
Email: [Person responsible for user support]
Google API scopes: email, profile, openID, https://www.googleapis.com/auth/admin.directory.group.readonly
Only add the https://www.googleapis.com/auth/admin.directory.readonly scope if you want to include group information
Authorised domains: pluvo.com
Links: [You can leave these blank]
Once saved, you’re done with the changes in your Google Cloud Platform.
If you added the scope https://www.googleapis.com/auth/admin.directory.group.readonly in the previous step, we’ll also need to configure access in your Google Admin workspace
Go to https://admin.google.com/ac/owl/list?tab=apps and configure a new app. Provide the OAuth Client ID, and you’ll see your app appear. Select this app and choose ‘select’. Then, grant access to all services.
Done! Your users can now log in and will automatically be added to the group they belong to in Workspace. This way, you can immediately offer them the relevant learning journeys.
Note: Only proceed to step 3 after completing step 2. We retrieve all groups from your Workspace right after step 3, and correct permissions are required.
You now have all the required information to complete the setup in Pluvo. These fields can be found in your academy under Admin > Settings > 'SSO & LTI'.
OAuth Client ID = ..... [You obtained this above when creating the OAuth client ID]
OAuth Client secret = ....... [You obtained this above when creating the OAuth client ID]
The following fields are always the same for Google Workspace:
Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth
Token endpoint: https://oauth2.googleapis.com/token
User endpoint: https://openidconnect.googleapis.com/v1/userinfo
Scope = openid email
Oidc sign algo = RS256
Oidc op jwks endpoint: https://www.googleapis.com/oauth2/v3/certs
If you want group information to be included and users to be automatically added to the same groups in Pluvo as in Workspace, then add the following link to the scope, after "openid email" (this is the same scope as used in the OAuth consent screen): https://www.googleapis.com/auth/admin.directory.group.readonly
Simply fill in the required fields, click “Save”, set the slider to “active”. After that, your users will be able to log in via SSO without any problems!
Once you have this information, you can easily implement Single Sign-On (SSO) in Pluvo. You can find more information this article
Note: You will need an admin account in Google Workspace and a Company subscription in Pluvo to complete the following steps.
Step 1: Settings in Google Cloud Platform
Let’s start by creating an OAuth client ID:
OAuth 2.0 client
Go to https://console.cloud.google.com/apis/credentials and choose ‘Create credentials’, then select OAuth client ID.
Next, choose Web application:
In the next step, you need to name the client ID. Choose a clear name, for example: 'Web client Pluvo academy' so you’ll remember what this client ID is used for.
Then copy the “filled in” parameters from Pluvo. You can find these parameters under Admin > Settings > 'SSO & LTI':
Example:
Authorised JavaScript origins: https:// your-subdomain. pluvo.com
Authorised redirect URIs: https:// _your-subdomain_.pluvo.com/oidc/callback/
Next, enter these parameters in Google Workspace:
Once saved, a pop-up will appear showing your client ID and client secret.
Note: Make sure to save a copy, as you'll need the client ID and secret later in the Pluvo SSO settings.
OAuth consent screen
The next step is to create a consent screen in Google Workspace so users can approve the SSO login.
Go to https://console.cloud.google.com/apis/credentials/consent and fill in the following details:
Type: Internal
App name: [Enter a clear name]
App logo: [Choose an image]
Email: [Person responsible for user support]
Google API scopes: email, profile, openID, https://www.googleapis.com/auth/admin.directory.group.readonly
Only add the https://www.googleapis.com/auth/admin.directory.readonly scope if you want to include group information
Authorised domains: pluvo.com
Links: [You can leave these blank]
Once saved, you’re done with the changes in your Google Cloud Platform.
Step 2: Google Workspace settings if you also want to pass on group information to Pluvo
If you added the scope https://www.googleapis.com/auth/admin.directory.group.readonly in the previous step, we’ll also need to configure access in your Google Admin workspace
Set up App access control
Go to https://admin.google.com/ac/owl/list?tab=apps and configure a new app. Provide the OAuth Client ID, and you’ll see your app appear. Select this app and choose ‘select’. Then, grant access to all services.
Done! Your users can now log in and will automatically be added to the group they belong to in Workspace. This way, you can immediately offer them the relevant learning journeys.
Note: Only proceed to step 3 after completing step 2. We retrieve all groups from your Workspace right after step 3, and correct permissions are required.
Step 3: Pluvo SSO settings
You now have all the required information to complete the setup in Pluvo. These fields can be found in your academy under Admin > Settings > 'SSO & LTI'.
OAuth Client ID = ..... [You obtained this above when creating the OAuth client ID]
OAuth Client secret = ....... [You obtained this above when creating the OAuth client ID]
The following fields are always the same for Google Workspace:
Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth
Token endpoint: https://oauth2.googleapis.com/token
User endpoint: https://openidconnect.googleapis.com/v1/userinfo
Scope = openid email
Oidc sign algo = RS256
Oidc op jwks endpoint: https://www.googleapis.com/oauth2/v3/certs
If you want group information to be included and users to be automatically added to the same groups in Pluvo as in Workspace, then add the following link to the scope, after "openid email" (this is the same scope as used in the OAuth consent screen): https://www.googleapis.com/auth/admin.directory.group.readonly
Simply fill in the required fields, click “Save”, set the slider to “active”. After that, your users will be able to log in via SSO without any problems!
Updated on: 09/05/2025
Thank you!