Google Workspace Configuration

How to integrate Oten auto provisioning with Google Workspace.

The Google account used for this setup must have the following permission and role:

  • Permission resourcemanager.projects.create

  • Role roles/resourcemanager.organizationAdmin

STEP 1: Create a Google Cloud Project

Log in to Google Cloud and create a new project, or choose an existing one. The project name can be "IdP Auto Provisioning" or anything you prefer.

STEP 2: Enable the Admin SDK API

  • In APIs & Services, click + ENABLE APIS AND SERVICES

  • In the search box, enter Admin SDK API and open the result

  • Click ENABLE

STEP 3: Create a Service Account

The service account created here is the identity Oten uses to read user and group information from the Google Workspace directory.

  • In the IAM & Admin menu, select Service accounts

  • Click + CREATE SERVICE ACCOUNT; the suggested name is auto-provisioning

  • For the newly created service account, open the Actions (⋮) menu and select Manage keys

  • Click ADD KEY -> Create new key, choose the JSON key type and click CREATE

  • A JSON file containing the service account's private key is downloaded to your computer. Google keeps no copy of this private key, and it does not expire, so treat the file like a password: store it securely, restrict who can read it, and delete any stray copies once it has been uploaded.

STEP 4: Copy the Client ID

Open the service account, select the DETAILS tab and expand Advanced settings.

In the Domain-wide delegation section, copy the Client ID (a long numeric value; it is the same value as the client_id field in the downloaded JSON file). You will grant this Client ID access to the Google Workspace directory in the next step.

STEP 5: Authorize Service Account on Google Workspace

In the Google Admin console (https://admin.google.com):

  • Navigate to Security -> Access and data control -> API controls

  • Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION

  • Under API clients, click Add new

  • Paste the Client ID copied in the previous step

Paste the following text into OAuth scopes (comma-delimited), exactly as shown and without spaces:

https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member

  • Click AUTHORIZE. These scopes grant the service account access to Google Workspace directory users, user aliases, groups and group membership. Note that they are the read/write Directory API scopes, not the .readonly variants, so anyone holding the JSON key can create, modify and delete users and groups in your domain on behalf of the admin it impersonates. This is one more reason to protect the key file.

STEP 6: Retrieve the Primary Admin Email

  • In the Google Admin console (https://admin.google.com), navigate to Account -> Account settings

  • Copy the Primary admin email (shown in the upper right area) for use in the next step. With domain-wide delegation the service account acts on behalf of a Workspace user, and this is the admin it acts as.

STEP 7: Add the Service Account Key and Primary Admin to Oten Admin

  • Go to https://admin.oten.com -> Settings -> Auto provisioning and click Add provider

  • In Add provider, select Google Workspace, enter the primary admin email, upload the service account key (JSON file) and click Add provider

  • Once the Google Workspace provider has been added successfully, click Enable Google Workspace
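Before uploading the key to Oten Admin it is worth confirming, offline, that the file from Step 3 really is a service account key, that the Client ID it carries is the one you authorized in Step 5, and that the scope string matches the one above exactly (a single stray space makes the authorization silently not match). The script below is an added example, not part of the Oten or Google documentation: the key file path, admin address and the sample key dictionary are constructed placeholders. It also shows the JWT claim set that a delegated token request sends, which makes clear what the primary admin email from Step 6 is used for (the sub claim). The optional live check at the end needs the google-auth and google-api-python-client packages and network access; everything else runs stand-alone.

```python
"""Preflight check for a Google Workspace domain-wide delegation setup.

Added example (not Oten or Google code). Validates the downloaded
service-account key, extracts the Client ID that must be authorized in
admin.google.com, checks the scope string, and builds the JWT claim set
that a delegated token request sends on behalf of the primary admin.
"""
import json
import re
import sys
import time

# Exactly the scope string pasted under "Manage Domain Wide Delegation".
DWD_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.alias",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
]
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email",
                       "client_id", "token_uri")


def validate_key(key: dict) -> list:
    """Return a list of problems with a service-account key (empty means OK)."""
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if f not in key]
    if key.get("type") != "service_account":
        problems.append("not a service-account key (OAuth client secrets look similar)")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    if not re.fullmatch(r"\d{10,}", str(key.get("client_id", ""))):
        problems.append("client_id should be a long numeric string")
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


def delegation_client_id(key: dict) -> str:
    """The Client ID to paste into the admin console; it is the same value as
    the one shown under the service account's Domain-wide delegation section."""
    return key["client_id"]


def check_scope_string(s: str, expected=DWD_SCOPES) -> dict:
    """Parse the comma-delimited scope string and diff it against expected.
    Whitespace is reported because the console stores the field literally."""
    parts = s.split(",")
    stripped = {p.strip() for p in parts}
    return {
        "has_whitespace": any(p != p.strip() for p in parts),
        "missing": sorted(set(expected) - stripped),
        "extra": sorted(stripped - set(expected)),
        "read_only": sorted(p for p in stripped if p.endswith(".readonly")),
    }


def build_jwt_claims(key: dict, admin_email: str, scopes=DWD_SCOPES, now=None) -> dict:
    """Claim set of the assertion that google-auth signs with the key's RSA
    private key. 'sub' is what turns a plain service-account token into a
    delegated one: the API then acts as admin_email with the listed scopes."""
    now = int(time.time()) if now is None else now
    return {"iss": key["client_email"], "sub": admin_email,
            "scope": " ".join(scopes), "aud": key["token_uri"],
            "iat": now, "exp": now + 3600}


def live_check(key_path: str, admin_email: str, n: int = 5) -> list:
    """Optional online check: list a few users via the Directory API while
    acting as admin_email. Needs google-auth and google-api-python-client."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=DWD_SCOPES, subject=admin_email)
    directory = build("admin", "directory_v1", credentials=creds)
    resp = directory.users().list(customer="my_customer", maxResults=n,
                                  orderBy="email").execute()
    return [u["primaryEmail"] for u in resp.get("users", [])]


# Constructed sample key with placeholder values; not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "idp-auto-provisioning",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "auto-provisioning@idp-auto-provisioning.iam.gserviceaccount.com",
    "client_id": "103456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}

if __name__ == "__main__":
    # Usage (assumed file name and address): python dwd_preflight.py key.json admin@example.com
    key_path, admin = sys.argv[1], sys.argv[2]
    with open(key_path) as f:
        key = json.load(f)
    for problem in validate_key(key):
        print("PROBLEM:", problem)
    print("Client ID for domain-wide delegation:", delegation_client_id(key))
    print("Scope string to paste:", ",".join(DWD_SCOPES))
    print(json.dumps(build_jwt_claims(key, admin), indent=2))
    try:
        print("Users visible as", admin, "->", live_check(key_path, admin))
    except ImportError:
        print("google-auth / google-api-python-client not installed; live check skipped")
```

If validate_key reports that the file is not a service-account key, the download was most likely an OAuth client secret rather than the key from Step 3. If the live check returns an HTTP 401 or "unauthorized_client" error although the key validates, the Client ID or the scope string in Step 5 does not match what was authorized; changes to domain-wide delegation can also take a few minutes to propagate.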
