Google Identity

How to configure SSO with Google Identity

Getting Started

There are a few things to be aware of before configuring SSO for your account:

Provisioning Users

When a user who does not already exist in your Crosschq account logs in for the first time via SSO, we will automatically create a Crosschq account for them, and we will give them Viewer permissions (this is the lowest level of account permissions in the application). A Crosschq administrator can change user permissions later within Crosschq if needed.

Users who already exist in your Crosschq account will keep the permissions that were already assigned to them.

Duplicate Users

Users who have existing Crosschq accounts need to log in via SSO using their existing Crosschq email address. If a user logs in with an email address that we do not recognize, we will create a new account for them, which could lead to users having multiple Crosschq accounts.

If your users’ SSO email addresses do not match their Crosschq email addresses, be sure to add and verify their SSO email addresses to Crosschq before they attempt to log in via SSO.

If any members of your team inadvertently create duplicate Crosschq user accounts, please reach out to for assistance resolving the issue. 

Password Deletion

Once SSO is fully enabled for your organization's Crosschq account we will completely remove any existing Crosschq passwords from our database. If you decide at a later date to remove the SSO integration, all users will need to reset their passwords.

Deactivating Users

Deactivating a user in Azure does not deactivate their user account in Crosschq. Crosschq user sessions are set to expire after 24 hours, so a user may still be able to access Crosschq during that time period.

To immediately prevent users from being able to log into Crosschq, we recommend deactivating the user account in Crosschq at the same time you deactivate a user in Google. 

How to configure SSO with Google Identity

Initially, your organization should soft-enable SSO. This will put your Crosschq account in a hybrid state in which users can log in either using SSO or through the regular Crosschq login page using an email address and password.

This allows your organization to test SSO without inadvertently locking out users if there’s a problem with the setup.

Once your organization has confirmed SSO is behaving as expected, you can flip the switch within Crosschq to fully enable SSO. At that point, SSO is your organization’s only way of logging into Crosschq.

Follow the steps below to set up Google Identity in your organization:

Log into your Crosschq administrator account and go to Organization Settings > Security > Authentication > locate the Single Sign-On section and click Begin Configuration.

Use the drop-down menu to select Google Identity and click Sign In with Google.

A green alert will appear confirming that you successfully activated Google Identity and the connection status will be updated to In Testing (soft-enabled).

We recommend keeping your account in a soft-enabled state only as long as is necessary to test SSO functionality. While you are in this soft-enabled state, you will see your Single Sign-On Status reflected as In testing

Note: In soft-enabled mode, users can authenticate either via SSO or with their username and password for Crosschq,  However, users cannot switch back and forth. Once a user has logged in via SSO they can only use SSO going forward.

Once the organization hard enables SSO, ALL users must use SSO to authenticate.

Finalize Configuration and Move to Fully Enabled State

You can fully enable SSO by checking the box and clicking Save Changes:

Then within the pop-up window, select the button to fully enable SSO. Your Single Sign-On Status will update to Configured.

Signing into Crosschq with Google Identity

In the Crosschq login page, click the login with single sign-on (SSO) link 

Enter your email and click Sign In with Google.