Yesterday we set up a new Enterprise SSO connection for one of our customers that uses “Google Apps for Work” as their IdP. This was done by going to our dashboard and performing the following steps:
- Click Connections > Enterprise
- Click ‘+’ next to Google Apps to create a new connection
- Enter the customer’s domain for home-realm discovery.
- Give the resultant link to the IT administrator for our customer
- Wait until the administrator clicks the link and allows access for our app.
- Enable our client for that connection.
Unfortunately, what appeared when the IT administrator clicked the link in step (5) and entered his credentials was the following screen:
![App isn’t verified][1]
We were able to continue on because he trusts us, but that trust certainly took a hit as we attempted to get his users signed up to our web service, because we didn’t have a good answer for why this screen appeared. Now we want to get verified in order to prevent our next customer from having to go through this experience.
After a little bit of searching, we found this blog post that explained this is a heightened piece of security Google put in place as a result of a Google Apps phishing attack earlier this year. We have no qualms with Google’s desire to keep its users safe, so we filled in the requirements from this help page, and then filled in this form to begin the process.
We filled it in stating we needed the following scopes from “Google Sign-In” listed here:
- profile
- openid
Today, we got the following email back from Google stating we don’t need to be verified:
![Verification Not Needed][2]
So given the above, we’re confused. How are we supposed to verify a Google Apps for Work connection with Auth0 for our customers? Our current thought process is that we have the scopes wrong and we should repeat the verification process, but we don’t know which scopes to specify. The tutorial for Google Apps for Work doesn’t reference this workflow. Is it outdated? Incomplete? Something else? Bueller?
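For readers tracing the same flow, here is an added example (not part of the original post, and not Auth0's or Google's code) showing what a Google Sign-In authorization request with only the `openid` and `profile` scopes from the post looks like when it is pinned to one Google Apps domain with the `hd` parameter, plus the claim checks to run on the ID token that comes back. The client ID, redirect URI and customer domain are made up, and the function assumes your OIDC library has already verified the ID token signature against Google's JWKS; it only checks the claims that matter for a hosted-domain connection. The point worth knowing: `hd` in the request is just an account-chooser hint, so the `hd` claim in the token has to be checked too, or a user from any Google account could land on the customer's connection.

```python
"""Added example: Google Sign-In request for one hosted domain and the
claim checks for the returned ID token. All identifiers are made up."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

GOOGLE_AUTHZ_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Google has issued both forms of `iss` over time; accept either.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def build_signin_url(client_id, redirect_uri, hosted_domain, state, nonce):
    """Authorization request with the two scopes from the post, restricted
    to one Google Apps domain via `hd`. `hd` only pre-selects the account
    chooser; it is not enforced server-side, so the ID token's `hd` claim
    must be checked separately (see check_id_token_claims)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile",      # exactly the scopes listed in the post
        "hd": hosted_domain,            # home-realm hint for the customer's domain
        "state": state,                 # CSRF protection for the callback
        "nonce": nonce,                 # bound into the ID token, blocks replay
        "prompt": "select_account",
    }
    return f"{GOOGLE_AUTHZ_ENDPOINT}?{urlencode(params)}"


def signin_url_params(url):
    """Return the query parameters of an authorization URL (first value each)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_id_token_claims(claims, client_id, hosted_domain, nonce, now=None):
    """Validate the claims of an ID token whose signature has ALREADY been
    verified by your OIDC library. Returns a list of problems; an empty
    list means the token is acceptable for this hosted-domain connection."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("token not issued for this client")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch (possible replay)")
    # Google sets `hd` only for hosted (Google Apps) accounts; a consumer
    # @gmail.com account has no `hd` at all, so a missing claim must fail.
    if claims.get("hd") != hosted_domain:
        problems.append("account is not in the customer's hosted domain")
    if not claims.get("sub"):
        problems.append("missing subject")
    return problems


if __name__ == "__main__":
    # Constructed values for a local dry run.
    client_id = "123456-example.apps.googleusercontent.com"
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_signin_url(client_id, "https://example.invalid/callback",
                           "customer.example", state, nonce)
    print(url)
    # A claim set as Google would return it for a customer.example user.
    sample = {"iss": "https://accounts.google.com", "aud": client_id,
              "exp": int(time.time()) + 300, "nonce": nonce,
              "hd": "customer.example", "sub": "10769150350006150715113082367"}
    print(check_id_token_claims(sample, client_id, "customer.example", nonce))
```

In an Auth0-brokered setup the `client_id` here is the Google client Auth0 registered, not your application's Auth0 client ID; the `hd` check is the part that makes "enter the customer's domain for home-realm discovery" actually restrict who can sign in.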