---
title: Google SSO
slug: /deployment/security/google
---

# Google SSO

Follow the sections in this guide to set up Google SSO.

## Create Server Credentials

### Step 1: Create the Account

- Go to [Create Google Cloud Account](https://console.cloud.google.com/)
- Click on `Create Project`

### Step 2: Create a New Project

Enter the **Project name**. Enter the parent organization or folder in the **Location box**. That resource will be the hierarchical parent of the new project. Click **Create**.

### Step 3: How to Configure OAuth Consent

- Select the project you created above and click on **APIs & Services** on the left-side panel.
- Click on the **OAuth Consent Screen** available on the left-hand side panel.
- Choose User Type **Internal**.
- Once the user type is selected, provide the **App Information** and other details.
- Click **Save and Continue**.
- On the **Scopes Screen**, click on **ADD OR REMOVE SCOPES** and select the scopes.
- Once done, click on **Update**.
- Click **Save and Continue**.
- Click on **Back to Dashboard**.

### Step 4: Create Credentials for the Project

- Once the OAuth Consent is configured, click on **Credentials** available on the left-hand side panel.
- Click on **Create Credentials**
- Select **OAuth client ID** from the dropdown.
- Once selected, you will be asked to select the **Application type**. Select **Web application**.
- After selecting the **Application Type**, name your project and give the authorized URIs:
  - domain/callback
  - domain/silent-callback
- Click **Create**
- You will get the credentials

### Step 5: Where to Find the Credentials

- Go to **Credentials**
- Click on the **pencil icon (Edit OAuth Client)** on the right side of the screen
- You will find the **Client ID** and **Client Secret** in the top right corner

## Create Service Account

This section describes how to create the ingestion bot service account.

### Step 1: Create Service-Account

- Navigate to your project dashboard
- Click on **Credentials** on the left side panel
- Click on **Manage service accounts** available on the center-right side.
- Click on **CREATE SERVICE ACCOUNT**
- Provide the required service account details. Ensure that the Service Account ID is **ingestion-bot** and click on **CREATE AND CONTINUE**. If you choose a different Service Account ID, add it to the default bots list in [Configure OpenMetadata Server](https://github.com/StreamlineData/catalog/tree/3d53fa7c645ea55f846b06d0210ac63f8c38463f/docs/install/install/google-catalog-config.md)
- Click on **Select a role** and give the **Owner** role. Then click **Continue**.
- Click **DONE**
- Now you should see your service account listed.

### Step 2: Enable Domain-Wide Delegation

- Click on the service account in the list.
- On the details page, click on **SHOW DOMAIN-WIDE DELEGATION**
- Enable Google Workspace Domain-wide Delegation
- Click on **SAVE**

### How to Generate Private-Key/Service-Account JSON File

- Once done with the above steps, click on **KEYS** available next to the **DETAILS** tab.
- Click on **ADD KEY** and select **Create a new key**.
- Select the format. The **JSON format** is recommended.
- Next, click on **CREATE**
- The private-key/service-account JSON file will be downloaded.

After applying these steps, you can update the configuration of your deployment:

- Configure Auth0 SSO for your Docker Deployment.
- Configure Auth0 SSO for your Bare Metal Deployment.
- Configure Auth0 SSO for your Kubernetes Deployment.

## Configure Ingestion

After everything has been set up, you will need to configure your workflows if you are running them via the `metadata` CLI or with any custom scheduler.

When setting up the YAML config for the connector, update the `workflowConfig` as follows:

```yaml
workflowConfig:
  openMetadataServerConfig:
    hostPort: 'http://localhost:8585/api'
    authProvider: google
    securityConfig:
      secretKey: '{path-to-json-creds}'
```