Setting Up Google Workspace as a WordPress Login Provider (OIDC SSO for Nonprofits)

Why we needed SSO

UniApplyForMe uses Google Workspace for internal team communication, document management, and email. The WordPress backend is where content lives. Having two separate login systems — one for Google, one for WordPress — meant password sprawl, access control headaches, and the inevitable support request from someone who’d forgotten which password was which.

The fix: connect Google Workspace to WordPress via OpenID Connect so team members log in to WordPress using their Google account. One credential, one place to revoke access when someone leaves.

What you need

Three things: a Google Cloud project with OAuth 2.0 credentials configured, a WordPress OIDC plugin (I used the miniOrange OIDC plugin — there are several options), and a Google Workspace account with the users you want to grant access. You don’t need a paid Google Cloud tier for this — the OAuth 2.0 functionality is available on the free tier.

Setting up the Google Cloud side

In Google Cloud Console, create a new project (or use an existing one). Navigate to APIs & Services > Credentials > Create Credentials > OAuth 2.0 Client ID. Set the application type to “Web application”. Add your WordPress site’s callback URL as an authorised redirect URI — this will be something like https://yoursite.com/wp-login.php?action=openid-connect-authorize depending on your plugin. Note the Client ID and Client Secret — you’ll need these in WordPress.

Also configure the OAuth consent screen. For internal Workspace use, set it to “Internal” — this restricts login to users within your Workspace organisation, which is exactly what you want.

Configuring WordPress

Install and activate your chosen OIDC plugin. In the plugin settings, enter the Client ID and Client Secret from Google Cloud. The discovery URL for Google’s OIDC endpoint is https://accounts.google.com/.well-known/openid-configuration — most plugins will auto-populate the endpoints from this. Set the login button label to something clear like “Sign in with Google Workspace”.

Decide on your user matching strategy: match by email address is the safest option. If a WordPress user with the same email as the Google account exists, they’ll be linked automatically. If not, you can configure whether new users are created on first login or blocked.

The access control benefit

The biggest operational win: when someone leaves the organisation, you suspend or delete their Google Workspace account and their WordPress access is revoked automatically. No separate deprovisioning step. For a nonprofit with volunteers and interns rotating through, this matters.

What to watch out for

Make sure your WordPress admin account has a non-Google fallback login method before you enable SSO. If something goes wrong with the Google OAuth configuration, you need a way back in. Keep the default WordPress login form accessible at /wp-login.php — don’t hide it entirely until you’re confident everything works.