> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/integration/provisioning-connector/google-workspace-configuration.md).

# Google Workspace Configuration

{% hint style="info" %}
Auto provisioning integrate with Google workspace documentation

The google workspace account must be the role and permission:

* Permission `resourcemanager.projects.create`
* Role `roles/resourcemanager.organizationAdmin`
  {% endhint %}

### **1 - Auto provisioning from Oten to Google Workspace**&#x20;

**STEP 1: Create a Google Cloud Project**

Login to [Google Cloud](https://console.cloud.google.com/) and create a project or chose an existing project. The project name can be "IdP Auto Provisioning" or whatever you prefer.

*Create new project*

<figure><img src="/files/hzfqGvKUJEFVereKlPgI" alt=""><figcaption></figcaption></figure>

*Or Choose a current project*

<figure><img src="/files/P9svShgOGT7I0Nu2Dsgg" alt=""><figcaption></figcaption></figure>

#### STEP 2: Enable the Admin SDK API <a href="#step-2-enable-the-admin-sdk-api" id="step-2-enable-the-admin-sdk-api"></a>

* In the `APIs & Services` click `+ENABLE APIS AND SERVICES`

<figure><img src="/files/4dtf8fB8jrZXRUzAZvvW" alt=""><figcaption></figcaption></figure>

* In the `Search for APIs & Services` enter `Admin SDK API`

<figure><img src="/files/tRCW8eyeohQddJBXU6n2" alt=""><figcaption></figcaption></figure>

* Click `ENABLE`

<figure><img src="/files/1tqgy4MblXHyrEeMBwe5" alt=""><figcaption></figcaption></figure>

#### STEP 3: Create a Service Account <a href="#step-3-create-a-service-account" id="step-3-create-a-service-account"></a>

The service account created here will be used to access the Google Workspace user and group information.

* In the `IAM and Admin` menu select `Service accounts`

<figure><img src="/files/GN1rWrbsnJLMvg34FIvS" alt=""><figcaption></figcaption></figure>

* Click `+CREATE SERVICE ACCOUNT` with suggested service account name: `auto-provisioning`

<figure><img src="/files/sYtT5ws6WfBDtJrw1RR3" alt=""><figcaption></figcaption></figure>

* For newly created service account click `Actions`/dots and select `Manage Keys`

<figure><img src="/files/xHCzYgENJCOGiqNMuQ7D" alt=""><figcaption></figcaption></figure>

* Click `ADD KEYS` -> `Create New Key.` Choose JSON key type then `CREATE`

<figure><img src="/files/oEUs4gER0odsQjITEXHc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/T89qlB0rDHqUdwRgxYaN" alt=""><figcaption></figcaption></figure>

* A JSON file with service account credentials will be downloaded to your computer

<figure><img src="/files/ubTY0UdItDWNHNY8ZhXu" alt=""><figcaption></figcaption></figure>

#### STEP 4: Copy the Client ID <a href="#step-4-copy-the-client-id" id="step-4-copy-the-client-id"></a>

Navigate to your Service Account and select `DETAILS` tab > `Advanced Settings`

In the `Domain-wide delegation` section copy the `Client ID`. You will need to grant this Client ID access to the Google Workspace Directory in the next step.

<figure><img src="/files/9r4RDf8nzv3KZ52ltAaF" alt=""><figcaption></figcaption></figure>

#### STEP 5: Authorize Service Account on Google Workspace <a href="#step-5-authorize-service-account-on-google-workspace" id="step-5-authorize-service-account-on-google-workspace"></a>

In the Google Workspace Panel ([https://admin.google.com](https://admin.google.com/)):

* Navigate to `Security` → `Access and data control` -> `API controls`

<figure><img src="/files/JVENgVmWnBdr6d9GeJQN" alt=""><figcaption></figcaption></figure>

* Under the `Domain wide delegation` click `MANAGE DOMAIN WIDE DELEGATION`
* Click `Add new` in `API Clients`
* Paste the `Client ID` (copied from previous step)

Paste the following text into `OAuth scopes (comma-delimited)`

`https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member`&#x20;

<figure><img src="/files/rMd64hIY2DGyOPkq96GX" alt=""><figcaption></figcaption></figure>

* Click `AUTHORIZE` - These scopes grant Service Account read-only access to Google Workspace Directory Users, Groups and Membership.

#### STEP 6: Retrieve the Primary Email <a href="#step-6-retrieve-the-primary-email" id="step-6-retrieve-the-primary-email"></a>

* In Google Workspace ([https://admin.google.com](https://admin.google.com/)), navigate to `Account` -> `Account settings`
* Copy the `Primary admin` email into the clipboard (upper right area) for use in the next step.

<figure><img src="/files/u45zE9XOiWZmAEVZu4Mm" alt=""><figcaption></figcaption></figure>

#### How to set up in IDP <a href="#add-credential-account-service-key-and-primary-admin-to-oten-admin" id="add-credential-account-service-key-and-primary-admin-to-oten-admin"></a>

* Go to `https://admin.oten.com` → Settings → **Auto provisioning** → click **Add provider**

<figure><img src="/files/oxtIA382gCqal0KqhCAo" alt=""><figcaption></figcaption></figure>

* In **Add provider** → select **Google Workspace**, input **primary admin email** and upload **service account keys** (JSON file) → click **Add provider**

<figure><img src="/files/aECoFOr5iEBubU8mkRtI" alt=""><figcaption></figcaption></figure>

* After add **Google Workspace provider** success → Click Enable **Google Workspace**

<figure><img src="/files/IGEoKbddGNTm9vmA91LX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/SDC6mb3OopNHsZnj6yBE" alt=""><figcaption></figcaption></figure>

### **2 - Auto provisioning from Google Workspace  to Oten**

**Add credential (account service key) and primary admin to Oten Admin**

* Go to [https://admin.oten.com](https://admin.oten.com/) → Settings → **Auto provisioning** → click **Add provider**

<figure><img src="/files/rxamPRqEScQrG75jsN3Y" alt=""><figcaption></figcaption></figure>

* In **Add provider** → select **Google Workspace**, input **primary admin email**, choose **direction** and upload **service account keys** (JSON file) → click **Add provider**

<figure><img src="/files/NgNxKmjeBqrlPXwUxonM" alt=""><figcaption></figcaption></figure>

* After add **Google Workspace provider** success → Click Enable **Google Workspace**

<figure><img src="/files/03Hmzx5TsZVj0jby06J1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/FHtRzTQKPdk1oFwgyvWx" alt=""><figcaption></figcaption></figure>

#### Google Workspace - the provisioning configuration <a href="#google-workspace-the-provisioning-configuration" id="google-workspace-the-provisioning-configuration"></a>

During synchronization, the value from the trusted source will overwrite the counterpart in the event of a conflict.

<figure><img src="/files/5X9QLgJ2d9Mlv6uF2ea9" alt=""><figcaption></figcaption></figure>

**Mapping user Google workspace with Oten**

| **Google user**                                       | **Oten account**                                                                                                                                                           | **Description**                                                                                                                                                                                                                     |        |       |                                                      |        |                  |
| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ----- | ---------------------------------------------------- | ------ | ---------------- |
| <p><code>id</code></p><p>(string)</p>                 | `account.external_id`                                                                                                                                                      | Unique identity of Google                                                                                                                                                                                                           |        |       |                                                      |        |                  |
| <p><code>primaryEmail</code></p><p>(string)</p>       | <ul><li><p><code>account.primary\_email</code></p><p>(<strong>emailName</strong> + <strong>domain</strong>)</p></li><li><code>user\_profile.email</code></li></ul><p> </p> | <ul><li>The Oten account <strong>primary\_email</strong> = <strong>email\_name</strong> (<em>the text before @ of Google primary email</em>) <strong>+ organization.domain.</strong></li><li>The Oten user profile email.</li></ul> |        |       |                                                      |        |                  |
| <p><code>isAdmin</code></p><p>(boolean)</p>           | `user_org_role.role_id`                                                                                                                                                    | <ul><li>Google is Admin (true)</li><li>Oten is <code>role:org:org-admin:admin</code></li></ul>                                                                                                                                      |        |       |                                                      |        |                  |
| <p><code>archived</code></p><p>(boolean)</p>          | `account.status`                                                                                                                                                           | <p><strong>Google</strong> <code>archived = true</code> →</p><p><strong>Oten</strong> <code>Soft Deleted</code></p>                                                                                                                 |        |       |                                                      |        |                  |
| <p><code>suspended</code></p><p>(boolean)</p>         | `account.status`                                                                                                                                                           | <p><strong>Google</strong> <code>archived = true</code> →</p><p><strong>Oten</strong> <code>Deleted</code></p>                                                                                                                      |        |       |                                                      |        |                  |
| <p><code>suspensionReason</code></p><p>(string)</p>   |                                                                                                                                                                            | Output only. Has the reason a user account is suspended either by the administrator or by Google at the time of suspension. The property is returned only if the `suspended` property is `true`.                                    |        |       |                                                      |        |                  |
| <p><code>gender</code></p><p>(string)</p>             | `user_profile.gender`                                                                                                                                                      | <p>The user profile gender</p><p><strong>Google</strong> <code>male                                                                                                                                                                 | female | other | unknow</code></p><p><strong>Oten</strong> <code>male | female | other</code></p> |
| <p><code>phones\[].primary</code></p><p>(boolean)</p> |                                                                                                                                                                            | If `true`, this is the user's primary phone number. A user may only have one primary phone number.                                                                                                                                  |        |       |                                                      |        |                  |
| <p><code>phones\[].value</code></p><p>(string)</p>    | `user_profile.phone_number`                                                                                                                                                | A human-readable phone number. It may be in any telephone number format.                                                                                                                                                            |        |       |                                                      |        |                  |
| <p><code>name.displayName</code></p><p>(string)</p>   | `user_profile.display_name`                                                                                                                                                | The user's display name. Limit: 256 characters.                                                                                                                                                                                     |        |       |                                                      |        |                  |
| `name.givenName` (string)                             | `user_profile.first_name`                                                                                                                                                  | The user's first name. Required when creating a user account.                                                                                                                                                                       |        |       |                                                      |        |                  |
| <p><code>name.familyName</code></p><p>(string)</p>    | `user_profile.last_name`                                                                                                                                                   | The user's last name. Required when creating a user account.                                                                                                                                                                        |        |       |                                                      |        |                  |
| <p><code>thumbnailPhotoEtag</code></p><p>(string)</p> | `user_profile.picture_url`                                                                                                                                                 | The user's photo (avatar).                                                                                                                                                                                                          |        |       |                                                      |        |                  |

With **account status** will be mapping to matrix after

<figure><img src="https://media-cdn.atlassian.com/file/ed50c7cc-eb8b-4f73-bb49-885de45d3dee/image/cdn?allowAnimated=true&#x26;client=6a33d8aa-aa31-42c0-aadd-85f1754351f1&#x26;collection=contentId-313360395&#x26;height=125&#x26;max-age=2592000&#x26;mode=full-fit&#x26;source=mediaCard&#x26;token=eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiI2YTMzZDhhYS1hYTMxLTQyYzAtYWFkZC04NWYxNzU0MzUxZjEiLCJhY2Nlc3MiOnsidXJuOmZpbGVzdG9yZTpjb2xsZWN0aW9uOmNvbnRlbnRJZC0zMTMzNjAzOTUiOlsicmVhZCJdfSwiZXhwIjoxNzgxMjM2NTcxLCJuYmYiOjE3ODEyMzM2OTEsImFhSWQiOiI3MTIwMjA6YzRiNDk4ZmQtM2VkZC00NGRkLTk2YzUtZTU3NmFiODQ2ZTI1IiwiaHR0cHM6Ly9pZC5hdGxhc3NpYW4uY29tL2FwcEFjY3JlZGl0ZWQiOmZhbHNlLCJhdXRoVHlwZSI6InNlc3Npb24ifQ.zpSgLHxOg1gTbJ7OmnDjE5Cc_ijcxwAkY0knSb1vtiY&#x26;width=769#media-blob-url=true&#x26;id=ed50c7cc-eb8b-4f73-bb49-885de45d3dee&#x26;clientId=6a33d8aa-aa31-42c0-aadd-85f1754351f1&#x26;contextId=contentId-313360395&#x26;collection=contentId-313360395" alt=""><figcaption></figcaption></figure>

&#x20;

{% hint style="info" %}
**Reference:**

Google Workspace API documentation

* [Develop on Google Workspace  |  Google for Developers](https://developers.google.com/workspace/guides/get-started)
  {% endhint %}
