
To configure a Google Workspace user sync with Kantega SSO Enterprise, you first create a service account, grant it domain-wide delegation, create an impersonation account for the service account to act as, and create a read-only role for that account. Follow the steps below to prepare your Google Workspace for integration with a Kantega SSO connector directory. When these steps are finished, go back to Kantega SSO and paste in the values you collected.

Start setup in Kantega SSO Enterprise

To add a Google Workspace connector (user directory) in an Atlassian product, navigate to Kantega SSO Enterprise > Cloud user provisioning, then add a Google Workspace connector.

The form below should appear:

As shown in the screenshot, you will need four items, which you will collect and note down during the setup:

  • The domain of your Google directory with just the domain name like company.com

  • The Google customer ID

  • A JSON key file created on the service account

  • The email address of the impersonation account to be used by the service account for reading the Google APIs

Let’s go to Google to get the setup needed!

Set up service account in Google Cloud

The next step is to create a service account and credentials in Google Cloud; these let you complete the form and synchronize users and groups.

Go to Google Cloud at https://console.developers.google.com

Navigate to IAM & Admin > Service Accounts

Enter a Service account name, such as "jira-read"

You do not need to grant access to project or users at this time, just click Done

Next, locate the account you just created in the list of service accounts and click the three dots in the Actions column to expand the options. Select Manage key:

Then open the ADD KEY dropdown and choose Create new key:

Select JSON as the key type and click CREATE.

The JSON private key file is downloaded to your computer. Keep it safe: it is the credential the connector uses, and you will upload it later in the JSON key file field at the top of the Google Workspace connector wizard page.

Go back to the service account list and scroll to the right. Copy the OAuth2 Client ID and save it for later.

Assign domain-wide delegation to the Service Account

Domain-wide delegation is now assigned in the Google Workspace Admin console rather than in Google Cloud. Google's guide explains how API clients and delegated authority work in general: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority.

Log in to your Google Workspace domain on a super administrator account.

From your Google Workspace domain's Admin console, go to Main menu > Security > Access and data control > API Controls.

In the Domain wide delegation pane, select Manage Domain Wide Delegation.

Click Add new.

In the Client ID field, enter the service account's client ID that you saved in the previous section (you can also find it on the Service accounts page, listed next to the account you just created).

In the OAuth scopes field (comma-delimited URIs in the format https://www.googleapis.com/auth/admin.directory.user), enter the following:

https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user

Click Authorize.

The new API client is now listed.

Your application now has the authority to make API calls as users in your domain (to impersonate users), limited to the scopes you authorized above. When you make authorized API calls, you specify which user to impersonate.

Create a user account for the service account to impersonate

Navigate back to the directory and click “Add new user”.

Suggested values:

  • First name: jira

  • Last name: read

  • Primary email address: "jira-read@<yourdomain.com>"

You do not need to set a password.

Click ADD NEW USER.

Copy the account's email address into the Admin account address field and make a note of it, as it will be needed again later in Kantega SSO.

Add and assign a read-only security role

Open the side menu in Google Workspace in admin.google.com as a super admin user.

Navigate to Account > Admin roles and click Create new role.

Name the role something specific, such as “read users and groups”. Click CONTINUE.

Now you need to choose the correct READ privileges.

Scroll down and select Users > Read and Groups > Read. Then click CONTINUE.

Review that the privileges are correct, then click CREATE ROLE.

You will now be taken to the page of the new role you just created. If not, you will find it under Roles.

Click Assign users.

Search for the impersonation account you created earlier. We have chosen to call the account in this example jira-dev-read.

Complete the setup in Kantega SSO Enterprise

Go back to your Atlassian product and to the form you started at the beginning (if you closed it, start a new one under Kantega SSO Enterprise > Cloud user provisioning and click Add provider > Google Workspace).
Paste the values obtained during the setup in Google. You need:

  • The domain of your Google directory with just the domain name like company.com

  • The Google customer ID

  • A JSON key file created on the service account

  • The email address of the impersonation account to be used by the service account for reading the Google APIs

You can then add the user directory (which behaves like a normal Crowd directory) and start the sync. Once the Crowd user directory has been created, you can view the users, groups and group memberships retrieved from Google Workspace.
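As an added pre-flight check before pasting the values into the form (example code written for this page, not part of Kantega SSO or of Google's tooling), the script below validates the four values collected above together with the scope list authorized under domain-wide delegation, and shows the JWT claim set that delegation is built on: the "sub" claim is what names the impersonated account. It uses the standard library only. The sample key file, customer ID and domain are constructed placeholders, and the format checks on the domain and customer ID are assumptions about typical values rather than rules taken from this page.

```python
"""Offline pre-flight checks for the Google Workspace connector values.
Constructed example; the sample key file below contains placeholder values."""
import json
import re
import time

# The two scopes the guide authorizes for the service account's client ID.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.user",
)
# Fields present in every service-account JSON key that Google Cloud generates.
KEY_FILE_FIELDS = ("type", "project_id", "private_key", "client_email",
                   "client_id", "token_uri")
# Constructed sample key file (placeholder values, not a real credential).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "jira-read@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def check_key_file(raw_json):
    """Parse the downloaded key and confirm it is a complete service-account key."""
    info = json.loads(raw_json)
    if info.get("type") != "service_account":
        raise ValueError("key file is not a service-account key")
    missing = [f for f in KEY_FILE_FIELDS if not info.get(f)]
    if missing:
        raise ValueError("key file is missing fields: " + ", ".join(missing))
    return info

def check_domain(domain):
    """Accept only a bare domain name (no scheme, path or whitespace); assumed format."""
    domain = domain.strip().lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        raise ValueError("enter just the domain name, e.g. company.com, not %r" % domain)
    return domain

def check_customer_id(customer_id):
    """Workspace customer IDs look like a 'C' followed by alphanumerics (assumed format)."""
    customer_id = customer_id.strip()
    if not re.fullmatch(r"C[0-9A-Za-z]+", customer_id):
        raise ValueError("%r does not look like a Google customer ID" % customer_id)
    return customer_id

def check_impersonation_account(email, domain):
    """The account the service account impersonates must live in the synced domain."""
    email = email.strip().lower()
    local, sep, email_domain = email.partition("@")
    if not sep or not local or email_domain != domain:
        raise ValueError("%r is not an account in %s" % (email, domain))
    return email

def check_scopes(scope_field):
    """Parse the comma-delimited scope field; require exactly the two directory scopes."""
    granted = tuple(sorted(s.strip() for s in scope_field.split(",") if s.strip()))
    if granted != REQUIRED_SCOPES:
        raise ValueError("expected scopes %s, got %s" % (REQUIRED_SCOPES, granted))
    return granted

def delegation_claims(key_info, subject, scopes, now=None):
    """Claim set of the JWT a client signs with the key file's private key and
    exchanges at token_uri for an access token. 'iss' is the service account;
    'sub' is the Workspace user being impersonated (the part delegation adds)."""
    iat = int(time.time()) if now is None else now
    return {
        "iss": key_info["client_email"],
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": key_info["token_uri"],
        "iat": iat,
        "exp": iat + 3600,  # Google rejects assertions valid for more than one hour
    }

def preflight(domain, customer_id, raw_key_json, impersonation_email, scope_field):
    """Run every check and return the normalized values to paste into the form."""
    domain = check_domain(domain)
    key_info = check_key_file(raw_key_json)
    return {
        "domain": domain,
        "customer_id": check_customer_id(customer_id),
        "service_account": key_info["client_email"],
        "impersonation_account": check_impersonation_account(impersonation_email, domain),
        "scopes": check_scopes(scope_field),
    }

if __name__ == "__main__":
    values = preflight("company.com", "C0123abcd", SAMPLE_KEY_JSON,
                       "jira-read@company.com", ",".join(REQUIRED_SCOPES))
    print(json.dumps(values, indent=2))
    print(json.dumps(delegation_claims(check_key_file(SAMPLE_KEY_JSON),
                                       values["impersonation_account"], values["scopes"]), indent=2))
```

Run it once with the real values (for example by pointing `preflight` at the contents of the downloaded key file) before filling in the form. Note that the two scopes granted under domain-wide delegation are not read-only in themselves; it is the read-only admin role assigned to the impersonated account that limits the sync to reads, so keep both the scope list and the role assignment exactly as described above.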
