Google Workspace Configuration
1 - Auto provisioning from Oten to Google Workspace
STEP 1: Create a Google Cloud Project
Login to Google Cloud and create a project or chose an existing project. The project name can be "IdP Auto Provisioning" or whatever you prefer.
Create new project

Or Choose a current project

STEP 2: Enable the Admin SDK API
In the
APIs & Servicesclick+ENABLE APIS AND SERVICES

In the
Search for APIs & ServicesenterAdmin SDK API

Click
ENABLE

STEP 3: Create a Service Account
The service account created here will be used to access the Google Workspace user and group information.
In the
IAM and Adminmenu selectService accounts

Click
+CREATE SERVICE ACCOUNTwith suggested service account name:auto-provisioning

For newly created service account click
Actions/dots and selectManage Keys

Click
ADD KEYS->Create New Key.Choose JSON key type thenCREATE


A JSON file with service account credentials will be downloaded to your computer

STEP 4: Copy the Client ID
Navigate to your Service Account and select DETAILS tab > Advanced Settings
In the Domain-wide delegation section copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory in the next step.

STEP 5: Authorize Service Account on Google Workspace
In the Google Workspace Panel (https://admin.google.com):
Navigate to
Security→Access and data control->API controls

Under the
Domain wide delegationclickMANAGE DOMAIN WIDE DELEGATIONClick
Add newinAPI ClientsPaste the
Client ID(copied from previous step)
Paste the following text into OAuth scopes (comma-delimited)
https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member

Click
AUTHORIZE- These scopes grant Service Account read-only access to Google Workspace Directory Users, Groups and Membership.
STEP 6: Retrieve the Primary Email
In Google Workspace (https://admin.google.com), navigate to
Account->Account settingsCopy the
Primary adminemail into the clipboard (upper right area) for use in the next step.

How to set up in IDP
Go to
https://admin.oten.com→ Settings → Auto provisioning → click Add provider
.webp?alt=media&token=8f66487c-9ed4-4d09-bff9-a7692b90a0d3)
In Add provider → select Google Workspace, input primary admin email and upload service account keys (JSON file) → click Add provider

After add Google Workspace provider success → Click Enable Google Workspace
.webp?alt=media&token=f4edfa59-2893-4ffd-8ac2-7d1fc39925ae)
.webp?alt=media&token=849d2917-cc7c-41d4-9aec-59d23f0d33e8)
2 - Auto provisioning from Google Workspace to Oten
Add credential (account service key) and primary admin to Oten Admin
Go to https://admin.oten.com → Settings → Auto provisioning → click Add provider

In Add provider → select Google Workspace, input primary admin email, choose direction and upload service account keys (JSON file) → click Add provider

After add Google Workspace provider success → Click Enable Google Workspace


Google Workspace - the provisioning configuration
During synchronization, the value from the trusted source will overwrite the counterpart in the event of a conflict.

Mapping user Google workspace with Oten
Google user
Oten account
Description
id
(string)
account.external_id
Unique identity of Google
primaryEmail
(string)
account.primary_email(emailName + domain)
user_profile.email
The Oten account primary_email = email_name (the text before @ of Google primary email) + organization.domain.
The Oten user profile email.
isAdmin
(boolean)
user_org_role.role_id
Google is Admin (true)
Oten is
role:org:org-admin:admin
archived
(boolean)
account.status
Google archived = true →
Oten Soft Deleted
suspended
(boolean)
account.status
Google archived = true →
Oten Deleted
suspensionReason
(string)
Output only. Has the reason a user account is suspended either by the administrator or by Google at the time of suspension. The property is returned only if the suspended property is true.
gender
(string)
user_profile.gender
The user profile gender
Google male|female|other|unknow
Oten male|female|other
phones[].primary
(boolean)
If true, this is the user's primary phone number. A user may only have one primary phone number.
phones[].value
(string)
user_profile.phone_number
A human-readable phone number. It may be in any telephone number format.
name.displayName
(string)
user_profile.display_name
The user's display name. Limit: 256 characters.
name.givenName (string)
user_profile.first_name
The user's first name. Required when creating a user account.
name.familyName
(string)
user_profile.last_name
The user's last name. Required when creating a user account.
thumbnailPhotoEtag
(string)
user_profile.picture_url
The user's photo (avatar).
With account status will be mapping to matrix after
Last updated