This documentation will guide you through setting up Tresorit SSO with Google. You’ll have to create and configure a new OAuth Client on the Google Cloud Platform Admin UI under APIs and services. During this configuration, you will acquire an ID that you’ll have to set in Tresorit’s Admin Center. You also have to enable Google Drive API. Once you have the IDs, you can set up the policy groups and users and enable SSO policy for them, as a last step.

We implemented our support for Google SSO with the help of the Google Drive API. We used the built-in capability of the API to store application-specific data in a special folder. This folder is only accessible by the given application and its contents are hidden from the user and from other Drive apps.

For more info: https://developers.google.com/drive/api/v3/appdata

🎓 You might be interested:
Introduction to SSO
Managing SSO users

Please note that If you're using SSO, Internet Explorer 11 and all versions of Microsoft Edge until 44.19041 are not supported.

How to setup SSO for Tresorit

Create a New Google Cloud project

As a first step you need to create a Google Cloud project in Google Cloud Console. Here you can find the official 5-step tutorial for this: https://developers.google.com/workspace/guides/create-project

Enable Google Drive access to this client

The next step is to enable Google Drive API in your project. To perform that choose Library under the APIs and services and search for Google Drive and click on Google Drive. Alternatively follow this link: https://console.cloud.google.com/apis/library/drive.googleapis.com

Click Enable.

Configure OAuth consent screen

You need to set up the OAuth consent screen otherwise you won’t be allowed to create credentials in this project.

Choose OAuth consent screen under APIs and Services and select Internal as User Type then click CREATE.

As an App name we recommend to use Tresorit. As User support email you should add an address where your users can reach your IT Admin Team in case they have any questions or technical difficulties.

Add the following Authorised domains:

• tresorit.com
• tresor.it

As Developer contact information you should add an address where Google can notify you about any changes to your project.

After that you can click SAVE AND CONTINUE.

On the Scopes page you should click on ADD OR REMOVE SCOPES and add these URLs to the field under MANUALLY ADD SCOPES

• https://www.googleapis.com/auth/userinfo.email
• https://www.googleapis.com/auth/userinfo.profile
• https://www.googleapis.com/auth/drive.appdata
• openid

Click UPDATE

Now you can click SAVE AND CONTINUE to view the Summary.

After that you can click on BACK TO DASHBOARD.

Create credentials in Google Cloud Platform

As a next step you need to create a new credential in the previously created project.

Choose Credentials under the APIs and Services click on CREATE CREDENTIALS and choose OAuth client ID.

The Application type of this new credential should be Web application.

Enter a Name for your app (such as Tresorit).

Add the following as URI for Authorised Javascript origins:

• https://web.tresorit.com

Add the following Authorised redirect URIs:

• https://web.tresorit.com/sso-login
• https://web.tresorit.com/sso-logout
• https://tresor.it/sso

Save the settings.