Skip to main content

Google Workspace

This connectivity package provides support for governing and managing Google Workspace instances. It allows you to register and onboard any number of Google Workspace instances. You can load information about users, groups, group members, and relations between nested groups. The connector is based on the REST connector. See the REST section for the full description of tabs, fields, and configuration options.

Supported objects and operations

The Google Workspace collector enables the import of access rights data. Only full import is supported.

System objectsOmada Identity Data ModelOperations
Users-Read
Groups-Read
Group members-Read
Parent/child relations between nested groups-Read

Minimum required permissions

You should have access to Google Cloud Platform (GCP) and Google Workspace, including relevant permissions. You can create a new GCP account at https://console.cloud.google.com/freetrial.

Implementation notes

None.

Network requirements

None.

Prerequisites

Performing the initial configuration

Perform the following configuration steps to establish the correct connection with Omada Identity.

  1. Assign members. Once you log into GCP with your account, in the left-hand side menu, select the menu item IAM & Admin --> IAM. Use the ADD button on top to add additional members and assign appropriate roles.

  2. Set-up an Organization. From the IAM & Admin menu select the Identity & Organization menu item. Under Cloud Identity, select SIGN UP and follow the set-up guide:

    1. Create a Google Identity Account with your domain and click Done.
    2. Verify the domain ownership and click Done.
    3. Create Users and click Done.

  3. Verify that your Organization is visible in the console. In the example below, the Organization is set to Omada.net:

    Google

  4. Create a project. Create a project that belongs to an organization.

    Google2

  5. Enable required APIs:

    1. Go to the API Console: https://console.developers.google.com
    2. Select the project created earlier.
    3. Click ENABLE APIS AND SERVICES.
    4. Search for and enable as a minimum as the three APIs below:
      • Admin SDK
      • Identity and Access Management (IAM) API
      • Cloud Identity API

  6. Create an App and configure the OAuth consent screen before setting up any service accounts.

    1. Provide a name and set the user type as Internal.
    2. Add relevant scopes for the APIs previously enabled, if they are not already listed.

    Google3

    1. Specify which domains are allowed to authenticate via OAuth:

    Google4

  7. Verify that the domain you want to integrate with is on the list of allowed domains:

    Google5

Set-up Service Accounts

To connect to Google Workspace, at least one Service Account is required. Select a project for the organization, you want to connect to.

Google6

  1. Go to the admin console, make sure you are in the right project, select the Service
  2. Accounts menu.
  3. Click CREATE SERVICE ACCOUNT.
  4. Provide name, ID, and description. Click Create.
  5. Assign a correct role. Click Continue.
  6. The next step is optional and you can just skip it by clicking Done.

Assign Domain wide delegation to Service Account

To allow the service account to access Google Workspace (via the Admin API), you must enable Domain wide delegation to the service account you just created. For more details on how to set-up Domain wide delegation in the admin console, see the following article: https://support.google.com/a/answer/162106.

  1. Find your new Service Account and click Edit on the context menu.

  2. Check the Enable Google Workspace Domain-wide Delegation box.

  3. Create a key by clicking ADD KEY and select Create new key.

  4. Select JSON.

  5. Click Create.

  6. Click Close (you will need the file later for system onboarding in Omada Identity).

  7. Click SAVE.

  8. A new Client ID is generated for the Service Account.

  9. Click View Client ID.

  10. Copy the Client ID, as you will need this in later.

  11. Go to the Admin Console, click the context menu in the upper right-hand corner, and select Security --> API Controls:

    Google7

  12. Click on MANAGE DOMAIN WIDE DELEGATION,

  13. Select Add new to define the scopes for the previously created Client ID (Service Account),

  14. Fill in the Client ID and the OAuth scopes (comma separated),

  15. Click Authorize,

  16. The Client ID and OAuth scopes are now added to the list.

  17. The scopes which provides access to user, group, and role management are listed below. However, refer to the Google API reference for a complete list: https://developers.google.com/admin-sdk/directory

Creating a new Admin user

You need to create or assign a user as a Super Admin in Google Workspace, or you need to create a new Admin role and assign appropriate API privileges (corresponding to the scopes above). This user is used for impersonation as the service account, they cannot be an admin in Google Workspace. In consequence, even though you assign Domain Wide Delegation to the service account, and you define the client ID of the service account with appropriate scopes, you still need to specify an admin user in the call to the Admin SDK (subject = admin user).

  1. Go to the Admin Console and select Users.

  2. Click Add new user.

  3. Fill out the required fields:

    Google8

  4. Click ADD NEW USER.

  5. Click DONE.

  6. Continue with the next step – assign the Admin Role.

Assigning the Admin role

  1. Go to the Admin Console and select Admin roles.

  2. Click the Super Admin role to edit.

  3. Click Assign role.

  4. Find and select the new Admin user created earlier.

    Google9

  5. Click ASSIGN ROLE.

Now you are ready to perform System Onboarding in Omada Identity.