Integrating with Google Workspace for SSO

Customers using Google Workspace or Cloud Identity can give their ChurchSuite users a Single Sign-On (SSO) user experience to access ChurchSuite using their existing Google credentials. Email support@churchsuite.com to request the Google integration be enabled on your ChurchSuite account, and then follow the instructions in this article to complete the integration process.

In this article

Introduction and intended functionality
Obtaining the Google identification credentials
Completing the Google integration
Enabling SSO for ChurchSuite users

Introduction and intended functionality

Organisations using Google Workspace or Cloud Identity can give their ChurchSuite Users a secure Single Sign-On (SSO) experience, enabling them to log into ChurchSuite using their existing Google credentials.

Changes to Account permissions in Google ID do not apply to ChurchSuite. Your ChurchSuite account has its own administrator-managed user permissions to the modules and sites, which can be set on a user-by-user basis. The distinction between Administrators and Users, as defined in ChurchSuite, is unrelated to the level of Account permissions set within Google. When an Account user's access is revoked in Google, an SSO-enabled user will no longer be able to access ChurchSuite. However, you should archive (or, with caution, delete) their ChurchSuite user profile as a separate task. See our related support article on Adding and managing users for further information.

Once SSO is enabled for a ChurchSuite user, any previously set ChurchSuite username and user password are disabled to prevent use. An 'SSO Enabled' notification is sent to the user, shown in the user's communication log, and a user change log is added. An SSO-enabled user is prevented from changing their user email address. Additionally, the ChurchSuite password change/reset actions and multi-factor authentication functionality are disabled and bypassed for that user.

SSO can only be disabled for a user by a ChurchSuite Administrator. Resetting the Google integration will disable SSO for all users. When SSO is disabled, a user's previous ChurchSuite username and user password are reactivated. A password reset request can be sent to encourage users to secure their user account with a new password, and they can enable multi-factor authentication (MFA can also be enforced for all users).

Obtaining the Google identification credentials

To complete the ChurchSuite integration with Google, you will first need two values from your Google Cloud account. They are:

  • Client ID
  • Client Secret

Let's see how to obtain these:

Log into your Google Cloud account dashboard and navigate to the APIs & Services section. From the sidebar, select Credentials and click Create Credentials to add a new OAuth client ID:

Click to see a larger version

Next, choose 'Web application' for the Application type and enter a Name for the OAuth client, e.g. 'ChurchSuite SSO'. Add the following login page URL as an Authorised redirect URL and click Save to add the client.

https://login.churchsuite.com/sso/google/callback
Click to see a larger version

The OAuth client is created, and the Client ID and Client secret are shown. Copy both values ready to paste them into the Google Integration in ChurchSuite, which you could have open in a separate tab in your browser:

Click to see a larger version

In ChurchSuite and from the Integrations section of your Account Settings, click Google:

Click to see a larger version

Click Edit.

Click to see a larger version

On the Edit pop-up, paste the two values explained in the previous section into the appropriate box - be careful to paste each value into the correct box! Click Save to complete the process.

Click to see a larger version

The newly added Connection Settings are shown. You can return to Edit these settings further in the future to update an expiring Client Secret. You are now ready to begin enabling SSO for your ChurchSuite users.

Click to see a larger version

Enabling SSO for ChurchSuite users

From a user profile:

Working within the Users section of your Account Settings, select Enable Google SSO from a user's profile.

Click to see a larger version

You must check that the user's email address matches an active Account user in Google Workspace or Cloud Identity; otherwise, they will be unable to log into ChurchSuite. Once you are happy, tick the confirmation checkbox and click Save.

Click to see a larger version

The user profile updates to show that Single sign-on is active. Note the option to Disable Google SSO.

Click to see a larger version
From the Users list:

Using the batch Actions, you can enable (and disable) Google SSO for multiple selected users within the Users section of your Account Settings.

Click to see a larger version

First, ensure that each selected user's email address matches an active Google Account user's email address; otherwise, users will be unable to access ChurchSuite. Once you are happy, tick the confirmation checkbox and click Save to apply the changes to the selected users.

Click to see a larger version

An icon in the Users section distinguishes SSO-enabled users:

Click to see a larger version

The Advanced Search can be used to filter and see just those users with SSO enabled or disabled:

Click to see a larger version

Once SSO is enabled for a ChurchSuite user, any previously set ChurchSuite username and user password are disabled to prevent use. An 'SSO Enabled' notification is sent to the user, shown in the user's communication log, and a user change log is added. An SSO-enabled user is prevented from changing their user email address. Additionally, the ChurchSuite password change/reset actions and multi-factor authentication functionality are disabled and bypassed for that user.

When an SSO-enabled user next logs in, they can access ChurchSuite by clicking Continue with Google:

Click to see a larger version
Disabling SSO

SSO can only be disabled for a user by a ChurchSuite Administrator. Resetting the Google integration will disable SSO for all users. When SSO is disabled, an "SSO Disabled" notification is sent to the user, shown in the user's communication log, and a user change log is added. The previous ChurchSuite username, user password, and password change/reset actions are reactivated for that user. When disabling SSO, a password reset request can be optionally sent to encourage users to secure their ChurchSuite login with a new password, and they can enable multi-factor authentication.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact ChurchSuite Contact ChurchSuite