TroutTrout
All docs

Configure Admin SSO

Let administrators sign in to Access Gate with Google Workspace single sign-on.

3 min read · Last updated 2026-06-10

Single sign-on lets your administrators log into Access Gate with their existing Google Workspace identity instead of a local password. You map each Access Gate user to their Google identity, register an OAuth client in Google Cloud, and point Access Gate at it. This guide covers the Google Workspace flow end to end.

Before You Start

  • Admin access to Access Gate.
  • WAN access to the Access Gate, you can use the overlay port here.
  • Admin access to Google Cloud Console for the Workspace domain you want to authenticate against.
  • The DNS name your operators use to reach the Access Gate admin interface — you'll need it for the OAuth client.

Step 1 — Set an External ID on the User

In Access Gate, the external ID is what links a local user to their Google identity. Set it for the user who will sign in with SSO.

  1. Head to Access Gate admin → Settings → Accounts.
  2. Enter an external ID for your first user and save. This is the identity Google will assert for them (their Workspace email).
Entering an external ID on an Access Gate user
Entering an external ID on an Access Gate user

Once an external ID is set, the option to set a local password disappears — that user now authenticates through SSO rather than with a password.

The local password option is removed once an external ID is set
The local password option is removed once an external ID is set

Step 2 — Create an OAuth Client in Google

Now register Access Gate as an OAuth application so Google will issue logins for it.

  1. Open Google Cloud Console (console.cloud.google.com) → APIs & Services → Credentials → Create Credentials → OAuth client ID.
  2. Fill in your application information.
  3. Set the Authorized JavaScript origin to the address operators use to reach the Access Gate — whatever you've configured in your host or local DNS.
Example Google OAuth client configuration for Access Gate
Example Google OAuth client configuration for Access Gate

Save the client. Google gives you a client ID and client secret ; keep them for the next step.

Step 3 — Enter the SSO Configuration in Access Gate

Head back to Access Gate and enter the details from the OAuth client you just created.

Entering the SSO configuration in Access Gate
Entering the SSO configuration in Access Gate

Save the configuration.

Step 4 — Verify

Go to your Access Gate URL. You should be redirected into the Google SSO flow and, after authenticating, land back in Access Gate logged in as the mapped user.

If you aren't redirected — or Google rejects the login — re-check the Authorized JavaScript origin and confirm the user's external ID exactly matches their Google Workspace email.

Previous
Upgrading Access Gates
Next
Cross-Site Entity Sharing