Google Workspace SSO lets every employee in your Google domain sign in to Empuls with a single click — no separate Empuls password, no per-user invite step. It uses Google’s OAuth 2.0 flow with domain restriction so only users in your verified Workspace domain can authenticate, and new users are provisioned just-in-time the first time they sign in.
Google Workspace SSO is different from the basic Google login toggle in User Authentication. The generic Google toggle accepts any Google account whose email matches an existing Empuls record. Workspace SSO is domain-bound, with automatic provisioning for users that don’t yet exist in Empuls.

Before you start

  • You must be a Super Admin in Empuls.
  • You must be a Google Workspace super administrator for the domain you want to bind.
  • All employees who should be able to sign in must have email addresses on the verified Google Workspace domain.
  • Decide whether you want users created automatically on first sign-in (JIT provisioning) or only existing Empuls users to be able to authenticate.

| Option | When to use | Behavior |
| --- | --- | --- |
| Google (basic) | You just want users to skip entering a password and you’ve already added them to Empuls manually. | OAuth login matched against existing email records. New users see “Account not found.” |
| Google Workspace SSO (this page) | You want the whole domain to sign in seamlessly, with new hires onboarded automatically. | Domain-restricted OAuth, JIT user creation, optional directory sync via the Google Workspace integration. |
| SAML 2.0 (custom) | You need SAML, conditional access policies, or you want to centralize Empuls in your IdP catalog alongside other apps. | SAML federation; you upload IdP metadata. See Custom SAML 2.0. |

Set up Google Workspace SSO

  1. Open User Authentication
     Navigate to Admin Hub → User Access Settings → User Authentication.
  2. Enable Google Workspace SSO
     Toggle on Google Workspace and click Configure.
  3. Authorize with Google
     A Google sign-in window opens. Sign in with a Google Workspace super-admin account. Approve the requested OAuth scopes (sign-in and email).
  4. Confirm the domain
     Empuls shows the verified domain returned by Google (for example, acme.com). Confirm this is the domain you want bound to your Empuls tenant.
  5. Choose provisioning behavior
       • Just-in-time provisioning — Any user in the domain who signs in for the first time is created as a new Empuls user with the default access role. Pick the default role here.
       • Existing users only — Only employees who already exist in Empuls can sign in. New domain users see “Account not found.”
  6. Save
     Save your settings. Google Workspace now appears as a sign-in option on your Empuls login page.

What employees see

After setup, the Empuls login page shows a Sign in with Google button. When an employee clicks it:
  1. Empuls redirects to Google’s OAuth consent screen.
  2. Google authenticates the user against your Workspace domain.
  3. Empuls receives the user’s email, verifies the domain matches, and signs them in.
  4. If the user is new and JIT provisioning is enabled, Empuls creates the account using the default role you set.
The whole flow takes seconds and avoids a separate password reset for every new hire.

Domain restriction

Empuls validates the domain on every sign-in. If a user signs in with a Google account that is not in your bound Workspace domain (for example, a personal @gmail.com account), authentication is rejected with “Account not authorized for this organization.” This blocks an entire class of mistaken sign-ups from individual Google users.

Just-in-time provisioning

When JIT is enabled and a new user signs in for the first time:
  • Empuls creates an employee record with the email from Google.
  • Name, profile picture, and basic profile fields are populated from the Google account.
  • The user is assigned the default access role you picked during setup.
  • Department, manager, and other HR fields are not populated automatically — connect Google Workspace directory sync or HRMS sync to fill those.
Pair Google Workspace SSO with the directory-sync side of the Google Workspace integration so JIT users land with manager, department, and org-unit info already set, not just an email.
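
The domain restriction and just-in-time provisioning behavior described above can be sketched as a single sign-in decision. This is an added example, not Empuls code: it assumes the Google ID token's signature, issuer and audience were already verified, and the bound domain, default role, user store and sample claims are constructed for illustration.

```python
BOUND_DOMAIN = "acme.com"   # placeholder, the page's example domain
DEFAULT_ROLE = "employee"   # hypothetical default access role

# Constructed sample claims, shaped like a Google ID token payload.
SAMPLES = {
    "workspace":  {"email": "Ana@acme.com", "email_verified": True,
                   "hd": "acme.com", "name": "Ana"},
    "personal":   {"email": "ana@gmail.com", "email_verified": True},
    "lookalike":  {"email": "ana@acme.com.evil.example", "email_verified": True,
                   "hd": "acme.com"},
    "unverified": {"email": "bob@acme.com", "email_verified": False,
                   "hd": "acme.com"},
}


def domain_allowed(claims, bound_domain=BOUND_DOMAIN):
    """True only if the account belongs to the bound Workspace domain."""
    bound = bound_domain.lower()
    # 'hd' (hosted domain) is present only for Workspace accounts;
    # personal Google accounts carry no 'hd' claim at all.
    if str(claims.get("hd", "")).lower() != bound:
        return False
    if claims.get("email_verified") is not True:
        return False
    # Exact match on the part after the single '@'. A substring or
    # endswith test would accept acme.com.evil.example or evilacme.com.
    local, _, domain = str(claims.get("email", "")).rpartition("@")
    return bool(local) and "@" not in local and domain.lower() == bound


def sign_in(claims, users, jit_enabled):
    """Return (signed_in, message); creates the user when JIT is enabled."""
    if not domain_allowed(claims):
        return False, "Account not authorized for this organization."
    email = claims["email"].lower()
    if email not in users:
        if not jit_enabled:
            return False, "Account not found."
        # JIT: only email, name and the default role come from sign-in.
        users[email] = {"name": claims.get("name", ""), "role": DEFAULT_ROLE}
    return True, "signed in as " + users[email]["role"]


if __name__ == "__main__":
    store = {}
    for label, claims in SAMPLES.items():
        print(label, sign_in(claims, store, jit_enabled=True))
```

The domain check runs before any user lookup or creation, so a rejected account never reaches the provisioning branch.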

Disable or rotate the SSO connection

  1. Open User Authentication
     Navigate to Admin Hub → User Access Settings → User Authentication.
  2. Toggle off Google Workspace
     Disable the toggle. Active sessions are unaffected; sign-ins after that point must use another enabled method.
  3. Re-authorize (rotate)
     To refresh OAuth credentials without disabling, click Configure and re-run the authorization flow with a current Google Workspace super-admin account.

Limits and gotchas

  • Empuls supports one Google Workspace domain per tenant. Multi-domain organizations must consolidate or use a different SSO method.
  • Disabling Google Workspace SSO does not delete the JIT-provisioned users — they remain in Empuls and may need to be cleaned up via employee exit policy or HRMS sync.
  • If multiple SSO methods are enabled, the login page shows all of them. To force Workspace as the only option, disable the other methods (Microsoft, Slack, basic Google, SAML).
  • Two-factor authentication is enforced by Google, not by Empuls. Configure 2FA at the Google Workspace level.