Google Workspace API key

Use this task to provision users from Verify to a Google Workspace application.

Before you begin

To configure the Google Workspace application for provisioning, you must meet the following prerequisites.
  • A Google Workspace account with administrator access.
  • The Google Workspace Admin SDK API must be enabled.
  • The following parameters to configure user provisioning in Verify.
    • Domain
    • Customer ID
    • Service account email
    • Account email
    • Private key

About this task

Provisioning provides the following features.
  • Create new users - New users that are created through Verify are also created in the Google Workspace application.
  • Delete users - Deactivating the user or disabling the user's access to the application through Verify deletes the user in the Google Workspace application.
  • Modify user profile - Updates made to the user's profile through Verify are pushed to the third-party application.
  • User suspend and restore - Suspending a user through Verify deactivates the user and restoring the user through Verify activates the user in the Google Workspace application.
  • User synchronization and remediation - The Google Workspace application supports user synchronization, remediation, and group synchronization features.

User synchronization fetches all the target application users into Verify and matches the fetched users with users in Verify. The adoption policy that is defined on the application specifies the matching attributes for adoption of the reconciled users.

Remediation policy can be configured to remediate user accounts with attribute values that differ between Verify and the target application. Verify supports the following three remediation policies.
  • NONE - Do not remediate non-compliant accounts automatically.
  • ON_SV - Update Verify account attribute values with the target application values.
  • ON_TARGET - Update target application account attribute values with Verify values.

Group synchronization fetches all the target application groups into Verify.

  • Fine grained entitlement - Fine grained entitlement is supported for the Google Workspace application. Synchronization fetches all Google Workspace application groups. Users can be added to or removed from groups.

Procedure

  1. For existing Google Workspace applications on Verify, do the following steps.
    1. Go to your Google Workspace Admin console by using the following URL:
      https://admin.google.com.
    2. Click the navigation menu.
    3. Navigate to Security > API Controls.
    4. Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
    5. Edit your Service account and add the following details under OAuth Scopes.
      • Group OAuth Scope - https://www.googleapis.com/auth/admin.directory.group
      • Role OAuth Scope - https://www.googleapis.com/auth/admin.directory.rolemanagement
      • Org Unit OAuth Scope - https://www.googleapis.com/auth/admin.directory.orgunit
    6. Click Authorize.
    7. Navigate to Accounts and copy the Customer ID.
      The Customer ID is required to configure account sync in Verify.
    8. On the Verify application, enter the Customer ID, and click Test Connection.
    9. Save your changes.
  2. Configure Google Workspace for user provisioning.
    1. Log in as an admin user to Google Cloud Platform (GCP) Console by using the following URL:
      https://console.cloud.google.com.
    2. Do one of the following steps.
      • If you have not used the GCP Console before, agree to the terms of service and click Create Project.
      • If you have used GCP Console before, at the top of the screen next to your most recent project name, click the down arrow to open your projects list. Then, click New Project.
    3. In Project Name, enter a meaningful name and click CREATE.
    4. Select your new project and click the navigation menu.
    5. Navigate to API and Services > Library.
    6. Search for Admin SDK and select the Admin SDK option from the search results.
    7. Click ENABLE.
    8. Navigate to IAM and admin > service accounts.
    9. Click CREATE SERVICE ACCOUNT and specify the following settings.
      • Service account name
      • Service account ID
    10. Click CREATE to create your service account.
    11. Click CONTINUE and then click DONE.
    12. Click the navigation menu.
    13. Navigate to API and Services > Credentials.
    14. Click Service account and select your service account.
    15. Under Keys, from the Add Key menu select Create New Key.
    16. Select the JSON radio button and click Create.
    17. Note the following parameters that are required to configure provisioning in Verify.
      • Service Account Email - Use the client_email value from your service account private key file.
      • Account Email - The username of the Google Workspace account that has, as a minimum, the 'User Management Admin' and 'Groups Admin' roles. Make sure that the scopes of the roles are All organization unit.

        In Google Workspace, when you assign any system or custom roles to a user, that user becomes a 'Delegated admin user'. To manage delegated admin users, the username of the account that has the super admin role must be specified.

      • Private Key - Use the private_key value from your service account private key file.
    18. Go to your Google Workspace Admin console by using the following URL:
      https://admin.google.com.
    19. Click the navigation menu.
    20. Navigate to Security > API Controls.
    21. Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
    22. Click Add New and add the following details.
      • Client ID - Provide a service account's client ID. Use the client_id value from the service account private key file.
      • User OAuth Scope - https://www.googleapis.com/auth/admin.directory.user
      • Group OAuth Scope - https://www.googleapis.com/auth/admin.directory.group
      • Role OAuth Scope - https://www.googleapis.com/auth/admin.directory.rolemanagement
      • Org Unit OAuth Scope - https://www.googleapis.com/auth/admin.directory.orgunit
    23. Click Authorize.
    24. Copy the Customer ID.
      The Customer ID is required to configure account sync in Verify. It is the Customer ID of the Google Workspace account.
    25. On the Verify application, enter the Customer ID, and click Test Connection.
    26. Save your changes.
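
The following is an added example, not part of the original procedure and not IBM or Google code. It reads a service account key file, maps its client_email, client_id, and private_key fields to the parameters named in the procedure, and compares a list of delegated scopes with the four scopes listed above so that missing or excess grants are visible. The sample key file, its placeholder values, and the function names verify_parameters and audit_scopes are constructed for illustration.

```python
import json

# Scopes the procedure authorizes under domain wide delegation (from this page).
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement",
    "https://www.googleapis.com/auth/admin.directory.orgunit",
}

# Constructed sample key file; every value is a placeholder, not a credential.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "verify-provisioning@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})


def verify_parameters(key_json):
    """Map key-file fields to the parameter names used in the procedure."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [f for f in ("client_email", "client_id", "private_key")
               if not key.get(f)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    if "BEGIN PRIVATE KEY" not in key["private_key"]:
        raise ValueError("private_key is not PEM encoded")
    return {
        "Service account email": key["client_email"],  # entered in Verify
        "Client ID": key["client_id"],                 # entered in the Admin console
        "Private key": key["private_key"],             # entered in Verify
    }


def audit_scopes(granted):
    """Compare delegated scopes with the four scopes the procedure lists."""
    granted = {s.strip() for s in granted if s.strip()}
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),  # provisioning calls would fail
        "extra": sorted(granted - REQUIRED_SCOPES),    # access beyond what the page requires
    }


if __name__ == "__main__":
    print(verify_parameters(SAMPLE_KEY_JSON)["Service account email"])
    print(audit_scopes(["https://www.googleapis.com/auth/admin.directory.group"]))
```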