SSO Google Workspace
Overview
This guide walks you through setting up Single Sign-On (SSO) for Buckaroo Plaza using Google Workspace. The process has three parts:
- Part 1 — Google: Create an OAuth client in Google Cloud Console to get the credentials Plaza needs.
- Part 2 — Google: Control which users can access Plaza through the Google Workspace Admin Console.
- Part 3 — Plaza: Register your domain, configure OIDC, test, enable SSO, and map users.
ℹ️ Prerequisites: You need (1) Super Admin privileges in your Google Workspace Admin Console, and (2) admin access to your Buckaroo Plaza merchant account.
Part 1: Create an OAuth Client in Google Cloud
The OAuth client provides the OIDC credentials that Plaza uses to authenticate your users against Google.
Step 1 — Open the Google Cloud Console
- Sign in to the Google Cloud Console with your Workspace admin account.
- Select an existing project or create a new one (e.g. Buckaroo Plaza SSO). The project is only used to hold the OAuth credentials.
Step 2 — Configure the OAuth Consent Screen
Google requires you to set up the consent screen before creating credentials. This is what users see when they sign in for the first time.
- In the left navigation, go to APIs & Services → OAuth consent screen.
- Select Internal as the user type. This restricts sign-in to users within your Google Workspace domain. Click Create.
- Fill in the required fields:
  - App name: Buckaroo Plaza
  - User support email: your admin or helpdesk email
  - Developer contact email: your admin email
- Under Scopes, click Add or Remove Scopes and add:
  - openid
  - email
  - profile
- Click Update, then Save and Continue.
Step 3 — Create OAuth Client Credentials
- Go to APIs & Services → Credentials.
- Click Create Credentials → OAuth client ID.
- Set Application type to Web application.
- Enter a name, e.g. Buckaroo Plaza.
- Under Authorised redirect URIs, click Add URI and enter: https://plaza.buckaroo.nl/signin-oidc
- Click Create.
A dialog appears showing your Client ID and Client Secret. Copy both values — you will enter them in Plaza.
ℹ️ Note: You can retrieve the Client ID later from the Credentials page, but the Client Secret is only shown at creation time. If you lose it, create a new one under the same OAuth client.
Step 4 — Authority URL
For Google Workspace, the authority URL is always the same: https://accounts.google.com
You will enter this in Plaza during the OIDC configuration step.
Part 2: Control User Access in Google Workspace
By default, an Internal OAuth app is accessible to all users in your Google Workspace domain. To restrict access to specific users, you configure this in the Google Workspace Admin Console.
Option A: Using Organisational Units (Recommended)
Organisational Units (OUs) let you manage access for groups of users at once.
- Sign in to the Google Workspace Admin Console.
- Navigate to Security → Access and data control → API controls.
- Click Manage third-party app access.
- Click Add app → OAuth App Name Or Client ID. Search for the Client ID you created in Part 1 and select it.
- Set the access to Trusted.
- Under Organisational unit access, select which OUs should have access. To grant access to your entire organisation, select the top-level OU.
- Click Save.
Option B: Using Groups
If your user access does not align with organisational units, you can use Google Groups instead.
- In the Admin Console, go to Directory → Groups.
- Create a group (e.g. [email protected]) or use an existing one.
- Add the users who should have access to Plaza as members.
- Go to Security → API controls → Manage third-party app access. Under your app’s settings, scope access to the group.
Removing Access
- If using OUs: Move the user to a different OU that does not have access.
- If using Groups: Remove the user from the group.
The user will be unable to sign in via SSO at their next session.
ℹ️ Simpler alternative: If all users in your Workspace domain should have access to Plaza, you can skip this part entirely. The Internal consent screen setting already limits access to your domain.
Part 3: Configure SSO in Plaza
With the Google side ready, you can now set up SSO entirely from the Plaza interface.
Step 1 — Open the SSO Setup
- In Plaza, go to the Merchant menu.
- Click Single Sign-On.
- Click Setup.
Step 2 — Register and Verify Your Domain
Plaza needs to verify that you own the domain your users will sign in with. You can add one or multiple domains.
- Enter your domain (e.g. yourcompany.com) and click Add. Repeat for additional domains if needed.
- For each domain, Plaza shows a DNS TXT record you need to create:
| Record type | TXT |
| Host / Name | _buckaroo-verify |
| Value | The UUID shown in Plaza (unique per domain) |
- Once the DNS record has propagated, click Verify in Plaza.
ℹ️ DNS propagation: It can take a few minutes for the TXT record to become visible. If verification fails, wait a moment and try again.
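To confirm the record is visible before clicking Verify, you can check it yourself. The following is an added example, not part of Plaza or Buckaroo tooling. It assumes the record is created as `_buckaroo-verify` under the registered domain and that `dig` is installed; the function names and the sample UUID are constructed for illustration.

```python
import shlex
import subprocess
import uuid

RECORD_LABEL = "_buckaroo-verify"  # Host / Name from the table above

# Constructed sample: what `dig +short TXT` prints when the value was
# split into two quoted character-strings by the DNS provider.
SAMPLE_TOKEN = "123e4567-e89b-12d3-a456-426614174000"
SAMPLE_OUTPUT = '"123e4567-e89b-12d3" "-a456-426614174000"\n'


def record_name(domain):
    """FQDN of the verification record (assumes it lives under the domain)."""
    return f"{RECORD_LABEL}.{domain.strip().rstrip('.').lower()}"


def parse_txt_answers(dig_short_output):
    """Turn `dig +short TXT` output into one string per TXT record.

    Each non-empty line is one record; a record may consist of several
    quoted character-strings, which are concatenated without a separator.
    """
    records = []
    for line in dig_short_output.splitlines():
        if line.strip():
            records.append("".join(shlex.split(line)))
    return records


def token_published(dig_short_output, expected):
    """True if one TXT record equals the value shown in Plaza."""
    expected = expected.strip()
    uuid.UUID(expected)  # raises ValueError if the pasted value is not a UUID
    return expected in parse_txt_answers(dig_short_output)


def lookup(domain, resolver=None):
    """Query live DNS with dig; pass a resolver IP to bypass local caches."""
    cmd = ["dig", "+short", "TXT", record_name(domain)]
    if resolver:
        cmd.insert(1, f"@{resolver}")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

Call `token_published(lookup("yourcompany.com"), "<UUID from Plaza>")` and repeat against a public resolver if the local one still returns nothing.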
Step 3 — Configure OIDC
- Click Setup OIDC.
- Select Google Workspace as your provider. This pre-fills the standard claim configuration for Google.
- Authority URL: Enter https://accounts.google.com
  Plaza will use this to automatically resolve the authorization and token endpoints.
- Client ID: Enter the Client ID from Part 1.
- Client Secret: Enter the Client Secret from Part 1.
- Click Save.
Step 4 — Test the SSO Flow
Click Test SSO. This initiates a sign-in flow against Google to validate the configuration. You will be redirected to Google’s sign-in page and back to Plaza.
If the test succeeds, you will see a success confirmation. If it fails, review the error message — common causes are an incorrect Client ID, wrong Client Secret, or a missing redirect URI in the Google Cloud Console.
Step 5 — Enable SSO
Once the test passes, click Enable SSO to activate Single Sign-On for your merchant account.
Optionally, enable Force SSO. When forced, normal username/password sign-in is disabled for all mapped users. They can only sign in through SSO.
Step 6 — Map Users
Go to the User Mapping page. This is where you link the identities from your Google Workspace to existing Plaza user accounts.
ℹ️ How user mapping works: In Plaza, the unique login identifier is the username, not the email address. Email addresses can be duplicated across accounts, so Plaza matches on email only when it is unique within your merchant account for a verified domain.
Auto-Map
Click Auto-Map to let Plaza automatically match users. Plaza will map every user whose email address is unique within your merchant account and belongs to one of your verified domains. After auto-mapping, Plaza shows a report of:
- Successfully mapped users — these are ready to sign in via SSO.
- Users that could not be mapped — either the email matched multiple Plaza accounts, or no Plaza account was found for that email. These need to be mapped manually.
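To see in advance which users will need manual mapping, you can apply the rule described above to a list of your accounts. This is an added example, not Plaza's own code. It assumes email comparison is case-insensitive (the page does not document this), and all names and sample data are constructed.

```python
from collections import defaultdict


def normalise(email):
    """Lower-case and trim an address (assumed comparison rule, see lead-in)."""
    return email.strip().lower()


def predict_auto_map(idp_emails, plaza_accounts, verified_domains):
    """Return (mapped, manual): email -> username, and email -> reason."""
    domains = {d.strip().lower() for d in verified_domains}
    by_email = defaultdict(list)
    for username, email in plaza_accounts:
        by_email[normalise(email)].append(username)

    mapped, manual = {}, {}
    for raw in idp_emails:
        email = normalise(raw)
        domain = email.rpartition("@")[2]
        candidates = by_email.get(email, [])
        if domain not in domains:
            manual[email] = "domain not verified"
        elif not candidates:
            manual[email] = "no Plaza account with this email"
        elif len(candidates) > 1:
            manual[email] = "email shared by: " + ", ".join(sorted(candidates))
        else:
            mapped[email] = candidates[0]
    return mapped, manual


# Constructed sample data (not real accounts): (username, email) pairs.
PLAZA_ACCOUNTS = [
    ("anna", "anna@yourcompany.com"),
    ("finance-1", "finance@yourcompany.com"),
    ("finance-2", "Finance@yourcompany.com"),
    ("carl", "carl@partner.example"),
]
IDP_EMAILS = ["anna@yourcompany.com", "finance@yourcompany.com",
              "dana@yourcompany.com", "carl@partner.example"]
VERIFIED = ["yourcompany.com"]

if __name__ == "__main__":
    mapped, manual = predict_auto_map(IDP_EMAILS, PLAZA_ACCOUNTS, VERIFIED)
    for email, user in mapped.items():
        print(f"auto-map  {email} -> {user}")
    for email, reason in manual.items():
        print(f"manual    {email}: {reason}")
```

Shared mailbox addresses such as the `finance@` entry are the typical case that falls through to manual mapping, so decide beforehand which Plaza username each person should receive.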
Manual Mapping
For users that could not be auto-mapped, or if you prefer full control, you can manually assign each Google Workspace user to a specific Plaza account under your merchant.
Need Help?
If you run into issues during setup, contact Buckaroo support. Include your merchant name and the domain(s) you are trying to configure. Our support team can verify the integration status from our side.