Skip to content

Configure outbound provisioning with Google

This guide explains how you can configure Google as an outbound connector in WSO2 Identity Server.

Configure Google Workspace for provisioning

Follow the steps below to learn how you can configure Google Workspace for provisioning.

Before you begin

Learn how to subscribe to Google Workspace in the Google documentation.

  1. Create a service account in Google.

    1. Open the Google developers console and create a new project.

    2. Search for the project you created and click it.

    3. Under IAM & Admin, click Service Accounts.

    4. Click CREATE SERVICE ACCOUNT on the top panel.

    5. Fill in the form to create the service account:

      add-account-name

      • Optionally, assign a role from the list of roles given and click Done to create the service account.

    6. Select your service account and go to its KEYS tab.

    7. From the dropdown, select ADD KEY > Create new key > P12 and click CREATE. The following message will be displayed.

      Note

      The service account's P12 file will be downloaded to your machine. Remember the location and the name of this downloaded file as it is required later on in this guide.

      key-created

    8. From IAM & Admin > Service accounts, take note of the client ID of your service account.

    9. Select the service account and in the DETAILS tab, expand Advanced settings.

    10. Delegate domain-wide authority to the service account.

      Note

      Learn how to do so in the Google documentation.

  2. Delegate domain-wide authority to the service account:

    1. Go to your domain's admin console.

    2. Navigate to Security > Access and data control > API Controls > Domain-wide Delegation.

    3. Do the following:

      1. Clck Add new and paste the client ID of the service account.

      2. Enter the following as the value for scopes. https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.group

      3. Click Authorize.

  3. Enable the Admin SDK.

    1. Open the Google developers console.

    2. Click the menu icon, and click APIs & Services > Dashboards.

    3. Click Enable APIs & Services.

    4. Search for Admin SDK and click Enable.

Configure the Google outbound connector

Create an organization-level or IdP-level outbound provisioning and enter the following details to configure the Google outbound connector.

Google Domain The name of the Google domain used to provision users.
e.g. mygoogledomain.com
Primary Email Claim Claim URI that will be used to retrieve the primary email address of the created account. This must be an attribute that is available locally in WSO2 Identity Server.
e.g. http://wso2.org/claims/emailaddress
Given Name Claim Claim URI which will be used to retrieve the given name attribute of the user. This must be an attribute that is available locally in WSO2 Identity Server.
e.g. http://wso2.org/claims/givenname
Family Name Claim Claim URI which will be used to retrieve the family name attribute of the user. This must be an attribute that is available locally in WSO2 Identity Server.
e.g. http://wso2.org/claims/lastnname
Service Account Email Email used for authentication.
e.g. [email protected]
Private Key Browse and attach the private key from your local machine. This is the PKCS12 private key generated during service account creation.
Administrator's Email Email of the administrator who owns the service account in the specified Google Domain.
Application Name A name for your application to identify requests made by the Google client.
Google Outbound Provisioning Pattern WSO2 Identity Server uses this pattern to build the user ID of the provisioned user account. Learn moreabout provisioning patterns.
e.g. {UD,UN,TD,IDP}
Google Provisioning Separator Used to separate provisioning pattern attributes of the user ID. Learn more about provisioning patterns
e.g. -(hyphen).