It seems to be easy to add single sign-on for SAML applications, so that users can authenticate with our third-party corporate applications. I am not, however, seeing a way to add single sign-on for our custom OIDC applications. Over the years we've built up a significant number of internal applications that use OIDC for their authentication. How can we add these third-party applications into Google Workspace so that our users can authenticate using Google Workspace as their OIDC identity provider? We want to be able to do things like control access to the apps using Workspace Groups, and apply conditional-access policies to these custom OIDC applications.
Right now we're achieving all of this with our third-party IdP. But we're trying to migrate away from this IdP and do everything in Google Workspace.