# Google Workspace Configuration

{% hint style="info" %}
This page documents how to integrate auto provisioning with Google Workspace.

The Google Workspace account must have the following permission and role:

* Permission `resourcemanager.projects.create`
* Role `roles/resourcemanager.organizationAdmin`
  {% endhint %}

#### STEP 1: Create a Google Cloud Project

Log in to [Google Cloud](https://console.cloud.google.com/) and create a project or choose an existing project. The project name can be "IdP Auto Provisioning" or whatever you prefer.

*Create new project*

<figure><img src="/files/hzfqGvKUJEFVereKlPgI" alt=""><figcaption></figcaption></figure>

*Or choose an existing project*

<figure><img src="/files/P9svShgOGT7I0Nu2Dsgg" alt=""><figcaption></figcaption></figure>

#### STEP 2: Enable the Admin SDK API <a href="#step-2-enable-the-admin-sdk-api" id="step-2-enable-the-admin-sdk-api"></a>

* In `APIs & Services`, click `+ENABLE APIS AND SERVICES`

<figure><img src="/files/4dtf8fB8jrZXRUzAZvvW" alt=""><figcaption></figcaption></figure>

* In `Search for APIs & Services`, enter `Admin SDK API`

<figure><img src="/files/tRCW8eyeohQddJBXU6n2" alt=""><figcaption></figcaption></figure>

* Click `ENABLE`

<figure><img src="/files/1tqgy4MblXHyrEeMBwe5" alt=""><figcaption></figcaption></figure>

#### STEP 3: Create a Service Account <a href="#step-3-create-a-service-account" id="step-3-create-a-service-account"></a>

The service account created here will be used to access the Google Workspace user and group information.

* In the `IAM and Admin` menu select `Service accounts`

<figure><img src="/files/GN1rWrbsnJLMvg34FIvS" alt=""><figcaption></figcaption></figure>

* Click `+CREATE SERVICE ACCOUNT` and enter a service account name (suggested: `auto-provisioning`)

<figure><img src="/files/sYtT5ws6WfBDtJrw1RR3" alt=""><figcaption></figcaption></figure>

* For the newly created service account, click `Actions` (the dots menu) and select `Manage Keys`

<figure><img src="/files/xHCzYgENJCOGiqNMuQ7D" alt=""><figcaption></figcaption></figure>

* Click `ADD KEYS` -> `Create New Key`. Choose the JSON key type, then click `CREATE`

<figure><img src="/files/oEUs4gER0odsQjITEXHc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/T89qlB0rDHqUdwRgxYaN" alt=""><figcaption></figcaption></figure>

* A JSON file with service account credentials will be downloaded to your computer

<figure><img src="/files/ubTY0UdItDWNHNY8ZhXu" alt=""><figcaption></figcaption></figure>

#### STEP 4: Copy the Client ID <a href="#step-4-copy-the-client-id" id="step-4-copy-the-client-id"></a>

Navigate to your service account and select the `DETAILS` tab > `Advanced Settings`.

In the `Domain-wide delegation` section copy the `Client ID`. You will need to grant this Client ID access to the Google Workspace Directory in the next step.

<figure><img src="/files/9r4RDf8nzv3KZ52ltAaF" alt=""><figcaption></figcaption></figure>

#### STEP 5: Authorize Service Account on Google Workspace <a href="#step-5-authorize-service-account-on-google-workspace" id="step-5-authorize-service-account-on-google-workspace"></a>

In the Google Workspace Panel ([https://admin.google.com](https://admin.google.com/)):

* Navigate to `Security` → `Access and data control` → `API controls`

<figure><img src="/files/JVENgVmWnBdr6d9GeJQN" alt=""><figcaption></figcaption></figure>

* Under `Domain wide delegation`, click `MANAGE DOMAIN WIDE DELEGATION`
* Click `Add new` in `API Clients`
* Paste the `Client ID` (copied in the previous step)

Paste the following text into `OAuth scopes (comma-delimited)`:

`https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member`

<figure><img src="/files/rMd64hIY2DGyOPkq96GX" alt=""><figcaption></figcaption></figure>

* Click `AUTHORIZE`. These scopes grant the service account read-only access to Google Workspace Directory Users, Groups and Membership.
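
An offline check for the key downloaded in STEP 3 and the scope string pasted in STEP 5, added here as an example (not Oten's or Google's code): it inspects the JSON key file and lists which delegated scopes are not a `.readonly` variant. Directory API scopes without the `.readonly` suffix also permit changes to users and groups. The key contents and Client ID below are constructed placeholders, and whether Oten accepts the `.readonly` variants is not stated on this page.

```python
import json
import pathlib
import stat
import tempfile

DIRECTORY = "https://www.googleapis.com/auth/admin.directory."
# The four scopes pasted in STEP 5 of this page.
PAGE_SCOPES = ",".join(
    DIRECTORY + s for s in ("user", "user.alias", "group", "group.member"))


def audit_scopes(scope_csv):
    """Return the delegated scopes that are not Google's `.readonly` variant."""
    scopes = [s.strip() for s in scope_csv.split(",") if s.strip()]
    return [s for s in scopes if not s.endswith(".readonly")]


def audit_key_file(path, delegated_client_id):
    """Check a downloaded service account key before uploading it anywhere."""
    path = pathlib.Path(path)
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"key file mode {mode:o} is accessible beyond the owner")
    key = json.loads(path.read_text(encoding="utf-8"))
    if key.get("type") != "service_account":
        findings.append(f"unexpected key type: {key.get('type')!r}")
    if key.get("client_id") != delegated_client_id:
        findings.append("client_id differs from the one authorized in STEP 5")
    return findings


def demo():
    """Run both checks on a constructed key file (placeholder values only)."""
    sample = {
        "type": "service_account",
        "client_id": "100000000000000000000",  # constructed, not a real ID
        "client_email": "auto-provisioning@example-project.iam.gserviceaccount.com",
        "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "key.json")
        path.write_text(json.dumps(sample), encoding="utf-8")
        path.chmod(0o644)  # typical mode of a browser download on Linux/macOS
        return audit_key_file(path, sample["client_id"]), audit_scopes(PAGE_SCOPES)


if __name__ == "__main__":
    print(demo())
```

To check a real download, call `audit_key_file` with the path to the JSON file and the Client ID copied in STEP 4.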

#### STEP 6: Retrieve the Primary Email <a href="#step-6-retrieve-the-primary-email" id="step-6-retrieve-the-primary-email"></a>

* In Google Workspace ([https://admin.google.com](https://admin.google.com/)), navigate to `Account` -> `Account settings`
* Copy the `Primary admin` email into the clipboard (upper right area) for use in the next step.

<figure><img src="/files/u45zE9XOiWZmAEVZu4Mm" alt=""><figcaption></figcaption></figure>

### Add credential (service account key) and primary admin to Oten Admin <a href="#add-credential-account-service-key-and-primary-admin-to-oten-admin" id="add-credential-account-service-key-and-primary-admin-to-oten-admin"></a>

* Go to `https://admin.oten.com` → Settings → **Auto provisioning** → click **Add provider**

<figure><img src="/files/oxtIA382gCqal0KqhCAo" alt=""><figcaption></figcaption></figure>

* In **Add provider**, select **Google Workspace**, enter the **primary admin email**, upload the **service account keys** (JSON file), and click **Add provider**

<figure><img src="/files/COJgsOj7CUnh6mXJ1wDf" alt=""><figcaption></figcaption></figure>

* After the **Google Workspace provider** has been added successfully, click Enable **Google Workspace**

<figure><img src="/files/IGEoKbddGNTm9vmA91LX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SDC6mb3OopNHsZnj6yBE" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Reference:**

Google Workspace API documentation

* [Develop on Google Workspace  |  Google for Developers](https://developers.google.com/workspace/guides/get-started)
  {% endhint %}


