Sign up free
Workspace Super Admin guide

Setting up Google Workspace SSO with TeachGen AI

For most schools, no setup is required — this page covers the few cases where it is

5 min setup For: Workspace Super Admin Updated 4 May 2026

For most Google Workspace schools, signing in to TeachGen AI requires no setup from your IT team — we configure everything on our side once your school is onboarded. Staff visit app.teachgen.ai, press Sign in with Google, choose their school account, and they're signed in. That's the whole flow.

A small number of schools restrict third-party app access in Google Admin Console. If your sign-in fails with an Access blocked error, the rest of this page is for the IT admin who needs to allowlist TeachGen in your tenant. It's a five-minute job for a Workspace Super Admin.

When

When this page applies

There are two scenarios for Google Workspace schools:

Sign-in works

Staff press Sign in with Google, pick their school account, and they're in. You can stop reading — nothing else is required from your IT team.

Sign-in is blocked

Staff see an Access blocked message from Google. Your Workspace admin has set App access control to Restricted, and TeachGen has not been trusted yet. Follow Steps 1–4 below.

Setup

Before you start

What you'll need

  • Super Admin role in Google Admin Console.
  • About five minutes — this is one allowlist entry, not a full SSO configuration.
  • The TeachGen OAuth Client ID (shown in Step 2 below).
  • Unlike the Microsoft Entra ID setup, there is no per-school secret to generate, share, or rotate — Google's federation flow handles that for us centrally.

Open App access control

1 minute
  1. Sign in to the Google Admin Console as a Super Admin.
  2. From the left menu, choose Security, then Access and data control, then API controls.
  3. In the App access control section, click Manage third-party app access.
Success looks like: you land on the Configured apps list, showing every third-party OAuth and SAML app currently configured for your domain.

Add TeachGen as a configured app

2 minutes
  1. Click Add app, then choose OAuth App Name Or Client ID.
  2. In the search field, paste TeachGen's OAuth Client ID:

Email [email protected] for the current Client ID — we reply within one working day.

  1. Press Search. The matching app appears in the results below.
  2. Tick the box next to TeachGen, then click Select.
Success looks like: a confirmation panel appears showing TeachGen and asking you to choose an access level — you handle that in Step 3.

Set the access level

1 minute

Google offers three access levels. TeachGen requests identity-only scopes (openid, profile, email) — no Drive, Gmail, or Classroom data. Trusted is the right default for most schools.

  1. Choose Trusted: Can access all Google services.
  2. Decide which organisational units the trust applies to. Most schools apply at the top-level OU; large MATs may scope per-school.
  3. Click Continue, review the summary, then click Confirm.
Success looks like: TeachGen now shows in your Configured apps list with an access level of Trusted for the OUs you chose.

Confirm and test

up to 20 minutes
  1. Allow up to 20 minutes for the change to propagate across Google's systems.
  2. Ask one member of teaching or admin staff to visit app.teachgen.ai and press Sign in with Google.
  3. They should choose their school account and be signed in directly — no Access blocked message.
Success looks like: a teacher or admin signs in to TeachGen with their school Google account on the first attempt. No further action is required from your IT team.

Next

What happens next

  1. Anyone in the OUs you trusted in Step 3 can sign in to TeachGen with their Google school account.
  2. Suspending a user in Google Workspace immediately blocks their next TeachGen sign-in — leaver workflows extend to TeachGen automatically.
  3. Your existing Google Workspace security posture (2-Step Verification, context-aware access, session length) applies to TeachGen sign-ins without further configuration.

Maintenance

Is there a renewal step?

No. Unlike Microsoft Entra ID, the Google Workspace path has no per-school secret to generate or rotate. Once TeachGen is trusted in your Configured apps list, it stays trusted until your admin removes it. There's no calendar reminder to set.

Troubleshooting

Staff still see Access blocked after Step 4

Allow up to 20 minutes for the trust to propagate. If it still fails after that, check the Configured apps list shows TeachGen as Trusted at an OU that includes the affected user. App access control is set per OU, so a user in a child OU may need the trust applied at that level explicitly.

Wrong Google account is being used

If staff are signed in to a personal Google account in their browser, the consent screen may use that account by default. Sign out of all Google accounts, or open app.teachgen.ai in an incognito window, then press Sign in with Google and pick the school account.

Sign-in works for some staff but not others

Most often this is an OU-scoping issue. Verify that the trusted access level in Step 3 was applied to all OUs that contain TeachGen users - or apply it at the top-level OU and let it inherit. If the affected users are in a child OU with overrides, set the trust there explicitly.

We changed our minds and want to remove the trust

Open App access control in Google Admin Console, find TeachGen in the Configured apps list, and remove it or change its access level. Sign-ins via Google stop immediately; existing TeachGen sessions persist until they expire on our side. Email [email protected] if you'd like us to invalidate active sessions sooner.

Was this helpful?

Still stuck?

Email support Read the FAQs