Configure Google as a Federated Authenticator

This page guides you through configuring Google as a federated authenticator in WSO2 Identity Server. Note that you can also configure One Tap authentication for sign-in with Google.

Set up a Google app

First, configure a Google app that you can use to integrate with WSO2 IS.

  1. Go to the Google Developer console and create a new project or select an existing project.

  2. If the APIs & services page isn't already open, do the following:

    1. Open the navigation menu and click View all products.

    2. Under Management, click APIs & Services.

  3. Go to the Credentials page, click Create Credentials, and select OAuth client ID.

  4. Configure your consent screen by clicking Configure Consent Screen and return to the Create OAuth client ID screen once you are done.


    For more information, see User Consent

  5. Select Web application as the application type.

  6. Provide a name for your app and the following URL as the Authorized Redirect URI of the application:

  7. Take note of the client ID and client secret generated for the application.

Register an identity provider

  1. Log in to the Management Console (https://<IS_HOST>:<PORT>/carbon) using admin/admin credentials.

  2. Navigate to Main > Identity > Identity Providers > Add.

  3. Enter an Identity Provider Name, Display Name, and Description.

  4. Go to Google Configuration under Federated Authenticators.


  5. Select the Enable checkbox.

  6. Enter the Client ID and Client Secret that were received when creating the Google application.
  7. Specify the following Callback URL:

  8. To be able to use Google One Tap, select the Enable One Tap checkbox.

    Using the Console app of WSO2 IS

    By default, Google One Tap is enabled for all tenants. If you want to restrict this option to selected tenants, add the following configuration to the deployment.toml:

    google_one_tap_enabled_tenants = ["carbon.super",""]

  9. Click Register to add the Google IdP.

Register a service provider

You need to register your application as a service provider in WSO2 Identity Server.

  1. Log in to the WSO2 Identity Server Management Console (https://<IS_HOST>:<PORT>/carbon) using administrator credentials (admin:admin).

  2. Navigate to Main > Identity > Service Providers > Add.

  3. Enter a Service Provider Name. Optionally, enter a Description.

  4. Click Register.

  5. In the Inbound Authentication Configuration section, click Configure under the OAuth/OpenIDConnect Configuration section and set the configurations as required.

  6. Configure the Callback URL of the sample application (


  7. Keep the other configurations as default and click Add.

  8. Click Register. Now you will be sent back to the Service Providers page.

  9. Take a copy of the OAuth Client Key and the OAuth Client Secret for later use.


  10. Go to the Local and Outbound Authentication Configuration section.

  11. For Authentication Type, select the Federated Authentication radio button and select the Identity Provider you created from the dropdown list under Federated Authentication.

  12. Click Update to save the changes.

Try it out

You have successfully configured Google as your federated authenticator. Now, when you try to log in to your application, it should redirect to the Google login page. On successful authentication with your Google credentials, you will be able to access your application.

Set up the sample app

  • Download Apache Tomcat 9.x from here and install it. The Tomcat server installation location is referred to as <TOMCAT_HOME> later in this guide.

  • It is recommended that you use a hostname that is not localhost to avoid browser errors. Modify the /etc/hosts entry in your machine to reflect this. Note that wso2is.local is used in this documentation as an example, but you must modify this when configuring the authenticators or connectors with this sample application.

  • Download the sample from GitHub.

    1. Navigate to WSO2 Identity Server Samples.
    2. Download the pickup-dispatch.war file from the latest release assets.

Deploy the sample app

Deploy this sample web app on a web container.

  1. Copy the pickup-dispatch.war file into the webapps folder. For example, <TOMCAT_HOME>/apache-tomcat-<version>/webapps

  2. Open a terminal window and add the following entry to the /etc/hosts file of your machine to configure the hostname.   wso2is.local

    Why is this step needed?

    Some browsers do not allow you to create cookies for a naked hostname, such as localhost. Cookies are required when working with SSO. Therefore, to ensure that the SSO capabilities work as expected in this tutorial, you need to configure the /etc/hosts file as explained in this step.

    The /etc/hosts file is a read-only file. Therefore, you won't be able to edit it by opening the file via a text editor. Instead, edit the file using terminal commands.
    For example, use the following command if you are working in a Mac/Linux environment.

    sudo nano /etc/hosts
  3. Open the file found in the <TOMCAT_HOME>/webapps/pickup-dispatch/WEB-INF/classes directory and edit the consumerKey and consumerSecret with the values obtained from the OAuth configuration.

  4. Restart the Tomcat server.
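
The deploy steps above, scripted as idempotent shell helpers (an added example, not part of the WSO2 documentation or the sample's own code). The hosts file path, IP address, properties file path and credential values are arguments the caller supplies; `has_host_entry`, `add_host_entry`, `set_prop` and `props_ready` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: idempotent helpers for the deploy steps above.
# Paths, the IP address and credential values are supplied by the caller.

# has_host_entry FILE NAME: succeeds if a non-comment line maps NAME.
has_host_entry() {
    awk -v h="$2" '
        { sub(/#.*/, "") }   # drop comments so disabled entries do not count
        { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$1"
}

# add_host_entry FILE IP NAME: appends the mapping only when it is missing.
add_host_entry() {
    has_host_entry "$1" "$3" || printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# set_prop FILE KEY VALUE: rewrites KEY=... in place, or appends it.
# Values travel through the environment so awk does not expand backslashes;
# writing back with cat keeps the file's existing owner and mode.
set_prop() {
    tmp=$(mktemp) || return 1
    K="$2" V="$3" awk '
        index($0, ENVIRON["K"] "=") == 1 {
            print ENVIRON["K"] "=" ENVIRON["V"]; done = 1; next
        }
        { print }
        END { if (!done) print ENVIRON["K"] "=" ENVIRON["V"] }' "$1" > "$tmp" &&
        cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# props_ready FILE: consumerKey and consumerSecret are both non-empty
# and the file holding the secret is not world-readable.
props_ready() {
    grep -Eq '^consumerKey=.+' "$1" || return 1
    grep -Eq '^consumerSecret=.+' "$1" || return 1
    [ -z "$(find "$1" -perm -004)" ]
}
```

Writing to the real /etc/hosts requires root. When `props_ready` fails on a world-readable file, the client secret is readable by every local account on the host.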

Sign in with Google

To test the sample:

  1. Go to the following URL on your browser: http://<TOMCAT_HOST>:<TOMCAT_PORT>/pickup-dispatch.

    For example,


  2. Click Login.

    You are redirected to the Google login page.

  3. If you don't have Google One Tap enabled, click Sign in with Google.


  4. Select your preferred Google account and sign in using your Google credentials.

You are redirected to the sample application's home page.

Sign in with Google One Tap

Google One Tap is a personalized authentication feature provided by Google. When a browser already has an authenticated Google session, a personalized sign-in/sign-up button appears instead of the conventional Google sign-in button. Note that this feature applies to One Tap-supported web applications.

Supported Browsers

Google One Tap supports the following browsers only.

  • Chrome
  • Firefox
  • Opera

Google One Tap login

When Google One Tap is enabled, the conventional Google sign-in button will not be available on the login page. However, the application user can close the One Tap personalized button and re-enable the conventional Google Sign-in button. As defined by Google, when the user closes the Google One Tap option, it will take two hours to enable it again unless cookies are cleared.