Google Workspace connector

Integrations with the applications from which ConductorOne pulls identity data are called connectors.

Overview

Google Workspace is a popular cloud directory and SSO solution for enterprises. Google Workspace stores identity and group information for your organization. ConductorOne connects with your Google Workspace instance to sync identities and entitlements.

Availability

General availability. The Google Workspace integration is available to all ConductorOne users.

Capabilities

  • Sync identities from Google Workspace to ConductorOne
  • Entitlements Supported:
    • Google Workspace Groups
    • Google Workspace Roles

Requirements

To connect your Google Workspace environment, you will need:

  • Super Administrator role in ConductorOne
  • Super Admin role in Google Workspace

Integrate your Google Workspace instance

Step 1: Sign in to the Google Cloud Console and Create a New Project

  • As a Google Workspace Super Admin, sign in to https://console.cloud.google.com

  • In the toolbar, click the project select dropdown, and click NEW PROJECT

  • Create a new project for your organization

    • Project Name: Choose any name, e.g. “ConductorOne Integration”
    • Organization/Location: Choose any Organization/Location.
  • After the project is created, make sure the correct project is selected in the drop-down at the top.

Step 2: Enable the Google Admin API

  • In the navigation menu, navigate to APIs & Services » Library

  • Search for and select Admin SDK API

  • Click Enable

Step 3: Create a Service Account

  • In the navigation menu, navigate to APIs & Services » Credentials

  • Select CREATE CREDENTIALS » Service Account

  • Under Service account details, fill in the following:

    • Service account name: ConductorOne Integration
    • Service account description: (for example, “Service account for ConductorOne Google Workspace Integration”)
    • Click CREATE AND CONTINUE
  • Under Grant this service account access to a project » Grant the Editor role

  • Under Grant users access to this service account » leave blank

  • Click DONE

Step 4: Get Credentials

  • Navigate back to APIs & Services » Credentials » select the service account you just created

  • Click on the Service Account Email » locate the Unique ID » save this for Step 5

  • On the Service Account Details Page, click the KEYS tab

  • Then click ADD KEY » Create new key

  • Choose JSON » CREATE

  • Keep the downloaded file safe; you'll need its contents in Step 7

Step 5: Add Service Account to Google Workspace

  • Go to https://admin.google.com as a SUPER ADMIN

  • In the navigation menu, select Security » Access and data control » API Controls

  • Click MANAGE DOMAIN WIDE DELEGATION

  • Click Add new

    • Client ID: The saved ID from Step 4
    • OAuth Scopes: Copy and paste one of the following lists of required scopes for your use case:
      • If you are not using the Google Workspace integration for provisioning, use the following read-only scopes:

        https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly

      • If you are using the Google Workspace integration for provisioning Groups and Roles, use the following adjusted scopes instead:

        https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly

  • Click AUTHORIZE

  • In the navigation menu, select Account » Account Settings

  • Copy the Customer ID from this page; you'll need it in Step 7

Step 6: Locate your Primary Domain

  • Using the navigation menu on the left-hand side, click Account » Domains

  • Click Manage Domains » then under the Primary Domain column » Copy the Domain name for Step 7

Step 7: Integrate ConductorOne to your Google Workspace account

  • Return to ConductorOne » select Integrations » click Google Workspace

  • Fill out the form with the information we’ve collected so far:

    • Customer ID: From Step 5
    • Domain: Your Google Workspace domain from Step 6
    • Administrator Email: Your domain email address (or that of any other Super Admin)
    • Credentials: The contents of the JSON file downloaded in Step 4
  • Click Next to complete the process
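
A pre-flight check for the values gathered in Steps 4 and 5, added here as an example (it is not ConductorOne's code): it compares the scope string you are about to authorize with the two lists in Step 5, and confirms that the Client ID you entered matches the client_id field of the downloaded JSON key. The function names and all sample values are constructed for illustration.

```python
import json

PREFIX = "https://www.googleapis.com/auth/admin.directory."
# Scope suffixes taken from the two lists in Step 5 of this page.
READ_ONLY = {"user.alias.readonly", "rolemanagement.readonly", "group.member.readonly",
             "group.readonly", "user.readonly", "domain.readonly"}
PROVISIONING = {"user.alias.readonly", "rolemanagement", "group.member",
                "group", "user.readonly", "domain.readonly"}


def audit_scopes(pasted, provisioning):
    """Compare a comma-separated scope string with the list this page gives."""
    granted = {s.strip() for s in pasted.split(",") if s.strip()}
    wanted = {PREFIX + s for s in (PROVISIONING if provisioning else READ_ONLY)}
    return {
        "missing": sorted(wanted - granted),      # listed on the page, not pasted
        "unexpected": sorted(granted - wanted),   # pasted, not listed for this use case
        "writable": sorted(s for s in granted if not s.endswith(".readonly")),
    }


def check_key(key_json, client_id_entered):
    """Check the Step 4 JSON key against the Client ID entered in Step 5."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("not a service account key")
    if key.get("client_id") != client_id_entered.strip():
        problems.append("client ID mismatch")
    problems += [f"missing {f}" for f in ("client_email", "private_key") if not key.get(f)]
    return problems


# Constructed sample inputs (not real credentials).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "conductorone-integration@example-project.iam.gserviceaccount.com",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
})
SAMPLE_PASTE = ",".join(PREFIX + s for s in sorted(PROVISIONING))

if __name__ == "__main__":
    # Provisioning scopes audited against the read-only use case.
    print(audit_scopes(SAMPLE_PASTE, provisioning=False))
    print(check_key(SAMPLE_KEY, "100000000000000000001"))
```

For a read-only integration, empty "unexpected" and "writable" lists mean the delegation matches the page's read-only list and includes no write scopes.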