# Google

This page provides a walkthrough for configuring Google as an external identity provider for Akamas users.

{% hint style="info" %}
You will need a Google account with the privileges required to create *app registrations*.
{% endhint %}

## Configure the App registration

To integrate Akamas with your Google Workspace, you first need a *project* with a dedicated *OAuth client*. Log in to your Google Developer Console and navigate to the ["Credentials" page](https://console.cloud.google.com/apis/credentials) of "APIs & Services".

### Configure the Consent Screen

If the "Credentials" page displays a warning box reminding you to configure the consent screen, you first need to create an app. Click the enclosed button to start the wizard.

<figure><img src="https://4130935629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhQQ7Gjkum9VLR9lROXGD%2Fuploads%2Fgit-blob-7da8fd266a973e647452433c053a0338327c04b7%2Fgoogle_consent.png?alt=media" alt=""><figcaption></figcaption></figure>

Follow the wizard to configure the *consent screen* according to your company's policies. For more details, refer to [Configure the OAuth consent screen](https://developers.google.com/workspace/guides/configure-oauth-consent) in the official documentation.

Once the configuration is complete, return to the ["Credentials" page](https://console.cloud.google.com/apis/credentials).

### Create the OAuth client

Click the "Create Credentials" link at the top, and select "OAuth Client ID".

Configure the client as follows:

* "Application Type": select "Web application"
* "Name": populate with the name of the new client
* "Authorized redirect URIs": leave it blank, as you will fill it in a later step

<figure><img src="https://4130935629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhQQ7Gjkum9VLR9lROXGD%2Fuploads%2Fgit-blob-5fbbd24307cd7abfb9e65cc4afbb6b0a9788acad%2Fgoogle_auth_client.png?alt=media" alt=""><figcaption></figcaption></figure>

Once you click "Create", the console will show you a confirmation pop-up containing the client's configuration. Note the *Client ID* and the *Client Secret*.

## Create the Identity provider

Access the *Identity providers* section for the "akamas" realm in the Keycloak administration console, as described on the page [Configure an external identity provider](https://docs.akamas.io/akamas-docs/3.4.0/installing/configure-an-external-identity-provider), and select "Google" to start creating the new provider.

Configure the following fields using the values from the *OAuth client* you just created:

* "Client ID": fill in the id of the client
* "Client Secret": fill in the secret of the client

<figure><img src="https://4130935629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhQQ7Gjkum9VLR9lROXGD%2Fuploads%2Fgit-blob-6a41a12b619e576865fc8bd64acd2553279060cf%2Fkc_google_provider.png?alt=media" alt=""><figcaption></figcaption></figure>

To complete the configuration, note the "Redirect URI" value and click "Add".

## Complete the app registration

Back in the Google Developer Console, on the ["Credentials" page](https://console.cloud.google.com/apis/credentials), open the newly created client and add the URI from the previous step to the list of "Authorized redirect URIs".

{% hint style="warning" %}
If you change the hostname of the Akamas installation, you will need to update the registered *redirect URI*, or add the new one, for the integration to work correctly.
{% endhint %}
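
Google accepts a redirect only when it matches a registered URI exactly, so after a hostname change it helps to see which part of the URI no longer lines up. The check below is an added example, not part of Akamas or Keycloak; the hostnames and the broker path in the sample are constructed, and the real value is the "Redirect URI" shown by Keycloak.

```python
from urllib.parse import urlsplit

def check_redirect_uri(keycloak_uri, authorized_uris):
    """Check that the Keycloak redirect URI is registered exactly.

    Returns (True, []) on an exact match. Otherwise returns (False, report),
    where report lists each registered URI with the components that differ
    from the Keycloak value, closest candidates first.
    """
    if keycloak_uri in authorized_uris:
        return True, []
    want = urlsplit(keycloak_uri)
    report = []
    for uri in authorized_uris:
        have = urlsplit(uri)
        diffs = [
            part
            for part in ("scheme", "hostname", "port", "path")
            if getattr(want, part) != getattr(have, part)
        ]
        report.append((uri, diffs))
    report.sort(key=lambda item: len(item[1]))
    return False, report

# Constructed sample: value Keycloak shows after a hostname change ...
KEYCLOAK_URI = "https://akamas-new.example.com/auth/realms/akamas/broker/google/endpoint"
# ... and the "Authorized redirect URIs" still registered on the OAuth client.
REGISTERED = [
    "https://akamas.example.com/auth/realms/akamas/broker/google/endpoint",
    "https://akamas-new.example.com/auth/realms/akamas/broker/google/endpoint/",
]

if __name__ == "__main__":
    ok, report = check_redirect_uri(KEYCLOAK_URI, REGISTERED)
    print("registered exactly:", ok)
    for uri, diffs in report:
        print(f"  {uri} differs in: {', '.join(diffs)}")
```
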

## Configure the default Akamas roles

The final setup step is to instruct Akamas to associate the default roles with the users automatically. This way, users will be added to the default workspace with read and write permissions the first time they log in.

On the Keycloak console, on the provider's details page, navigate to "Mappers":

<figure><img src="https://4130935629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhQQ7Gjkum9VLR9lROXGD%2Fuploads%2Fgit-blob-c7b5ff9b978786f8e9091e63e2a95f69b6830a2b%2Fkeycloak-mappers.jpg?alt=media" alt=""><figcaption></figcaption></figure>

Now, add the following configurations.

**User role**

* Name: *User role*
* Mapper type: *Hardcoded role*
* Role: *USER*

<figure><img src="https://4130935629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhQQ7Gjkum9VLR9lROXGD%2Fuploads%2Fgit-blob-db1958213f2bd73602a2ce1718460227877f0806%2Fkc_user_mapper.png?alt=media" alt=""><figcaption><p>User Role map</p></figcaption></figure>

**Default Workspace Read**

* Name: *Default Workspace Read*
* Mapper type: *Hardcoded role*
* Role: *WS\_ac8481d3-d031-4b6a-8ae9-c7b366f027e8\_R*

**Default Workspace Write**

* Name: *Default Workspace Write*
* Mapper type: *Hardcoded role*
* Role: *WS\_ac8481d3-d031-4b6a-8ae9-c7b366f027e8\_W*
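
Because these mappers grant roles to every user who signs in through the provider, it is worth confirming that the realm holds exactly the three listed above. The following check is an added example, not Akamas or Keycloak code: it assumes the provider alias is `google` and that the mapper list is in Keycloak's JSON mapper representation, and the sample list (including the all-zero workspace id) is constructed.

```python
# Keycloak provider id behind the "Hardcoded role" mapper type.
HARDCODED_ROLE_MAPPER = "oidc-hardcoded-role-idp-mapper"
# Default workspace id as it appears in the role names on this page.
DEFAULT_WS = "ac8481d3-d031-4b6a-8ae9-c7b366f027e8"

def expected_mappers(idp_alias="google", workspace_id=DEFAULT_WS):
    """Mapper representations for the three roles this page configures."""
    roles = {
        "User role": "USER",
        "Default Workspace Read": f"WS_{workspace_id}_R",
        "Default Workspace Write": f"WS_{workspace_id}_W",
    }
    return [
        {
            "name": name,
            "identityProviderAlias": idp_alias,
            "identityProviderMapper": HARDCODED_ROLE_MAPPER,
            "config": {"role": role},
        }
        for name, role in roles.items()
    ]

def audit_mappers(actual, idp_alias="google", workspace_id=DEFAULT_WS):
    """Return (missing, unexpected) hardcoded roles for the provider.

    missing: documented roles with no mapper; unexpected: roles granted
    at first login that the documented set does not include.
    """
    wanted = {m["config"]["role"] for m in expected_mappers(idp_alias, workspace_id)}
    granted = {
        m.get("config", {}).get("role")
        for m in actual
        if m.get("identityProviderMapper") == HARDCODED_ROLE_MAPPER
    }
    granted.discard(None)
    return sorted(wanted - granted), sorted(granted - wanted)

# Constructed sample: the write mapper points at a different workspace.
SAMPLE = [
    {"name": "User role", "identityProviderAlias": "google",
     "identityProviderMapper": HARDCODED_ROLE_MAPPER, "config": {"role": "USER"}},
    {"name": "Default Workspace Read", "identityProviderAlias": "google",
     "identityProviderMapper": HARDCODED_ROLE_MAPPER,
     "config": {"role": f"WS_{DEFAULT_WS}_R"}},
    {"name": "Default Workspace Write", "identityProviderAlias": "google",
     "identityProviderMapper": HARDCODED_ROLE_MAPPER,
     "config": {"role": "WS_00000000-0000-0000-0000-000000000000_W"}},
]
```
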

## Test the integration

Visit the installation's login page to check that the new authentication method is displayed and works correctly.

<figure><img src="https://4130935629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhQQ7Gjkum9VLR9lROXGD%2Fuploads%2Fgit-blob-e9901b91a3039967eb0875de6b80ef06e1f506c7%2Fgoogle_auth_login.png?alt=media" alt=""><figcaption></figcaption></figure>
