Configuring provisioning for Google Workspace

Provision users from Verify to a Google Workspace application.

Before you begin

To configure the Google Workspace application for provisioning, you must meet the following prerequisites.
  • A Google Workspace account with administrator access.
  • The Google Workspace Admin SDK API must be enabled.
  • The following parameters, which are required to configure user provisioning in Verify:
    • Domain
    • Customer ID
    • Service account email
    • Account email
    • Private key

About this task

Provisioning provides the following features.
Create new users
New users that are created through Verify are also created in the Google Workspace application.
Delete users
Deactivating the user or disabling the user's access to the application through Verify deletes the user in the Google Workspace application.
Modify user profile
Updates made to the user's profile through Verify are pushed to the third-party application.
User suspend and restore
Suspending a user through Verify deactivates the user, and restoring the user through Verify activates the user in the Google Workspace application.
User synchronization and remediation
The Google Workspace application supports user synchronization, remediation, and group synchronization features.

User synchronization fetches all users of the target application into Verify and matches the fetched users with existing Verify users. The adoption policy that is defined on the application specifies the attributes on which the reconciled users are matched for adoption.

Remediation policy can be configured to remediate user accounts with attribute values that differ between Verify and the target application. Verify supports the following three remediation policies.
  • NONE - Do not remediate non-compliant accounts automatically.
  • ON_SV - Update Verify account attribute values with the target application values.
  • ON_TARGET - Update target application account attribute values with Verify values.

Group synchronization fetches all the target application groups in Verify.
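The synchronization and remediation behaviour described above, written out as an added example; this is not code from the page or from Verify itself. It models the adoption policy with a single matching attribute (the e-mail address, compared case-insensitively), reports the attribute drift between each matched pair, and shows what the three remediation policies do with that drift: NONE reports only, ON_SV rewrites the Verify side, ON_TARGET rewrites the target side. The Verify and Google Workspace user records and the attribute names are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// RemediationPolicy takes the three values named on the page.
type RemediationPolicy string

const (
	PolicyNone     RemediationPolicy = "NONE"
	PolicyOnSV     RemediationPolicy = "ON_SV"
	PolicyOnTarget RemediationPolicy = "ON_TARGET"
)

// Account is a flattened user record as either side holds it (attribute -> value).
type Account map[string]string

// Change is one attribute update that remediation would push to one side.
type Change struct {
	Side string // "verify" or "target": the account that gets rewritten
	User string // value of the adoption-matching attribute
	Attr string
	From string
	To   string
}

// Adopt applies the adoption policy: a fetched target user is paired with the Verify
// user whose matchAttr value is equal (case-insensitive, as e-mail addresses are).
// Target users with no counterpart are returned separately.
func Adopt(matchAttr string, verify, target []Account) (matched [][2]Account, unmatched []Account) {
	index := make(map[string]Account, len(verify))
	for _, v := range verify {
		if key := strings.ToLower(v[matchAttr]); key != "" {
			index[key] = v
		}
	}
	for _, t := range target {
		if v, ok := index[strings.ToLower(t[matchAttr])]; ok {
			matched = append(matched, [2]Account{v, t})
		} else {
			unmatched = append(unmatched, t)
		}
	}
	return matched, unmatched
}

// Drift lists the compared attributes whose values differ between a matched pair.
func Drift(compare []string, verify, target Account) []string {
	var diff []string
	for _, attr := range compare {
		if verify[attr] != target[attr] {
			diff = append(diff, attr)
		}
	}
	return diff
}

// Remediate turns the drift of every matched pair into the updates the chosen policy
// applies. It also returns how many drifted attributes were seen, so that NONE can
// still report non-compliant accounts while changing nothing.
func Remediate(policy RemediationPolicy, matchAttr string, compare []string, pairs [][2]Account) ([]Change, int) {
	var changes []Change
	drifted := 0
	for _, p := range pairs {
		v, t := p[0], p[1]
		for _, attr := range Drift(compare, v, t) {
			drifted++
			switch policy {
			case PolicyOnSV: // Verify takes the target application's value
				changes = append(changes, Change{Side: "verify", User: v[matchAttr], Attr: attr, From: v[attr], To: t[attr]})
			case PolicyOnTarget: // the target application takes Verify's value
				changes = append(changes, Change{Side: "target", User: v[matchAttr], Attr: attr, From: t[attr], To: v[attr]})
			}
		}
	}
	return changes, drifted
}

// SampleData is constructed input: two users present on both sides with drifted
// attributes, plus one target user that no Verify user matches.
func SampleData() (verify, target []Account) {
	verify = []Account{
		{"email": "alice@example.com", "givenName": "Alice", "familyName": "Smith", "department": "Finance"},
		{"email": "bob@example.com", "givenName": "Bob", "familyName": "Lee", "department": "IT"},
	}
	target = []Account{
		{"email": "Alice@example.com", "givenName": "Alice", "familyName": "Smith-Jones", "department": "Finance"},
		{"email": "bob@example.com", "givenName": "Robert", "familyName": "Lee", "department": "IT"},
		{"email": "carol@example.com", "givenName": "Carol", "familyName": "Diaz", "department": "Sales"},
	}
	return verify, target
}

func main() {
	verify, target := SampleData()
	compare := []string{"givenName", "familyName", "department"}
	matched, unmatched := Adopt("email", verify, target)
	fmt.Printf("adopted %d users, %d target users unmatched\n", len(matched), len(unmatched))
	for _, policy := range []RemediationPolicy{PolicyNone, PolicyOnSV, PolicyOnTarget} {
		changes, drifted := Remediate(policy, "email", compare, matched)
		fmt.Printf("%-9s drifted attributes: %d, updates applied: %d\n", policy, drifted, len(changes))
		for _, c := range changes {
			fmt.Printf("  %s %s: %s %q -> %q\n", c.Side, c.User, c.Attr, c.From, c.To)
		}
	}
}
```

The direction of each Change is the whole difference between ON_SV and ON_TARGET: with ON_TARGET, an attribute edited directly in the Google Workspace Admin console is overwritten at the next synchronization, so Verify has to be the place where that attribute is maintained.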

Fine grained entitlement
Fine grained entitlement is supported for the Google Workspace application. Synchronization fetches all Google Workspace groups and admin roles. Users can be added to or removed from groups and admin roles.

Procedure

  1. For existing Google Workspace applications on Verify, do the following steps.
    1. Go to your Google Workspace Admin console by using the following URL:
    2. Click the navigation menu.
    3. Navigate to Security > Access and data control > API Controls.
    4. Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
    5. Edit your Service account and add the following details under OAuth Scopes.
    6. Click Authorize.
    7. Navigate to Accounts and copy the Customer ID.
      The Customer ID is required to configure account sync in Verify.
    8. On the Verify application, enter the Customer ID, and click Test Connection.
    9. Save your changes.
  2. Configure Google Workspace for user provisioning.
    1. Log in as an admin user to Google Cloud Platform (GCP) Console by using the following URL:
    2. Do one of the following steps.
      • If you have not used the GCP Console before, agree to the terms of service and click Create Project.
      • If you have used GCP Console before, at the top of the screen next to your most recent project name, click the down arrow to open your projects list. Then, click New Project.
    3. In Project Name, enter a meaningful name and click CREATE.
    4. Select your new project and click the navigation menu.
    5. Navigate to API and Services > Library.
    6. Search for Admin SDK and select the Admin SDK option from the search results.
    7. Click ENABLE.
    8. Navigate to IAM and admin > service accounts.
    9. Click CREATE SERVICE ACCOUNT and specify the following settings.
      • Service account name
      • Service account ID
    10. Click CREATE to create your service account.
    11. Click CONTINUE and then click DONE.
    12. Click the navigation menu.
    13. Navigate to API and Services > Credentials.
    14. Click Service account and select your service account.
    15. Under Keys, from the Add Key menu select Create New Key.
    16. Select the JSON radio button and click Create.
    17. Note the following parameters that are required to configure provisioning in Verify.
      Service Account Email
      Use the client_email value from your service account private key file.
      Account Email
      The username of the Google Workspace account that has, at a minimum, the 'User Management Admin' and 'Groups Admin' roles. Make sure that the scope of each role is All organization unit.

      In Google Workspace, when you assign any system or custom role to a user, that user becomes a 'Delegated admin user'. To manage delegated admin users, specify the username of an account that has the super admin role.

      Private Key
      Use the private_key value from your service account private key file.
    18. Go to your Google Workspace Admin console by using the following URL:
    19. Click the navigation menu.
    20. Navigate to Security > Access and data control > API Controls.
    21. Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
    22. Click Add New and add the following details.
      Client ID
      Provide the service account's client ID. Use the client_id value from the service account private key file.
      User OAuth Scope
      https://www.googleapis.com/auth/admin.directory.user
      Group OAuth Scope
      https://www.googleapis.com/auth/admin.directory.group
      Role OAuth Scope
      https://www.googleapis.com/auth/admin.directory.rolemanagement
      Org Unit OAuth Scope
      https://www.googleapis.com/auth/admin.directory.orgunit
    23. Click Authorize.
    24. Copy the Customer ID.
      The Customer ID is required to configure account sync in Verify. It is the Customer ID of the Google Workspace account.
    25. On the Verify application, enter the Customer ID, and click Test Connection.
    26. Save your changes.
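As an added example (not IBM's or Google's code), the following Go program shows what the parameters gathered in steps 17 and 22 are used for once they are in Verify. It reads a service account key file, extracts client_email, client_id and private_key, and signs the domain-wide delegation JWT in which iss is the service account, sub is the Account Email being acted for, and scope is the list of authorized scopes; a scope that the Admin console did not authorize for that client ID is refused before anything is signed. The key file is generated in-program with placeholder identifiers, the delegated admin address and the local authorized-scope list are assumptions, and the example stops at building the assertion rather than calling the token endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

// DelegatedScopes are the four scopes the procedure authorizes for the client ID.
var DelegatedScopes = []string{
	"https://www.googleapis.com/auth/admin.directory.user",
	"https://www.googleapis.com/auth/admin.directory.group",
	"https://www.googleapis.com/auth/admin.directory.rolemanagement",
	"https://www.googleapis.com/auth/admin.directory.orgunit",
}

// KeyFile holds the key file fields this flow uses; the three values below are what the procedure copies into Verify.
type KeyFile struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	ClientID    string `json:"client_id"`
	PrivateKey  string `json:"private_key"`
}

// ParseKeyFile checks that the file is a service account key and decodes its RSA key.
func ParseKeyFile(data []byte) (KeyFile, *rsa.PrivateKey, error) {
	var kf KeyFile
	if err := json.Unmarshal(data, &kf); err != nil {
		return kf, nil, err
	}
	if kf.Type != "service_account" || kf.ClientEmail == "" || kf.ClientID == "" {
		return kf, nil, fmt.Errorf("not a complete service account key file")
	}
	block, _ := pem.Decode([]byte(kf.PrivateKey))
	if block == nil || block.Type != "PRIVATE KEY" {
		return kf, nil, fmt.Errorf("private_key is not a PKCS#8 PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return kf, nil, fmt.Errorf("private_key is not an RSA PKCS#8 key: %v", err)
	}
	return kf, key, nil
}

// DelegatedAssertion builds the RS256-signed JWT a client presents to the token endpoint to act
// as accountEmail (the delegated admin) with the given scopes; unauthorized scopes are refused.
func DelegatedAssertion(kf KeyFile, key *rsa.PrivateKey, accountEmail string, scopes, authorized []string, now time.Time) (string, error) {
	allowed := map[string]bool{}
	for _, s := range authorized {
		allowed[s] = true
	}
	for _, s := range scopes {
		if !allowed[s] {
			return "", fmt.Errorf("scope %s is not authorized for client ID %s", s, kf.ClientID)
		}
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": kf.ClientEmail, "sub": accountEmail, "aud": "https://oauth2.googleapis.com/token",
		"scope": strings.Join(scopes, " "),
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(),
	})
	enc := base64.RawURLEncoding
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// SampleKeyFile is constructed input: a fresh RSA key in the JSON layout of a downloaded
// service account key. The e-mail and client ID values are placeholders.
func SampleKeyFile() []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	data, _ := json.Marshal(KeyFile{Type: "service_account", ClientID: "000000000000000000000",
		ClientEmail: "verify-provisioning@example-project.iam.gserviceaccount.com", PrivateKey: string(pemKey)})
	return data
}

func main() {
	kf, key, err := ParseKeyFile(SampleKeyFile())
	if err != nil {
		panic(err)
	}
	jwt, err := DelegatedAssertion(kf, key, "provisioning-admin@example.com", DelegatedScopes, DelegatedScopes, time.Now())
	fmt.Println(kf.ClientEmail, kf.ClientID, jwt, err)
}
```

The sub claim is why the Account Email's roles matter: every call Verify makes runs as that user, so the User Management Admin and Groups Admin roles in step 17 bound what the integration can change, and the four scopes in step 22 bound which APIs the private key can reach. Treat the private_key value like any other administrative credential and rotate it by creating a new key and deleting the old one under the service account's Keys tab.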