Legacy guide: Google GSuite (API Connector)

To add Workspace Connector/ User Directory, navigate to KSSO > Cloud user provisioning. Then add an Google GSuite connector.

 

The below form should appear. The next step is to create an application and credentials in GSuite, which will allow you to complete the form and synchronize users and groups.

Create a GSuite service account

Open a separate browser tab and log into the GSuite developer console at https://console.developers.google.com

From the top left navigation menu dropdown, select IAM & admin, then Service accounts:

If you don’t currently have a project selected, you will first need to either do so, or create a new one.

 

Once a project has been selected, click “Create Service account” at the top menu.

  • Enter a Service account name, such as "jira-read"

  • Click CREATE

  • You do not need to select any Role

  • Click CONTINUE

  • Click CREATE KEY

  • Click Select JSON and click CREATE. The JSON private key file will be downloaded to your computer and should be uploaded in the form field JSON key file on the top of this Google GSuite Connector wizard page

  • Click CLOSE

  • Click DONE

 

Next, locate the account you just created in the list of service accounts, and click the three dots from the Action column to expand options. Select EDIT.

  • Click SHOW DOMAIN-WIDE DELEGATION and check Enable G Suite Domain-wide Delegation

  • Click SAVE

  • Scroll list of service accounts all the way to the right to see Domain wide delegation column (see image below).
    Click View Client ID and copy the Client ID value to clipboard. You will use it in the next step

Enable API access for the service account

In a separate browser tab, open the main GSuite admin portal https://admin.google.com.

Open the top left main menu and select “Security”

  • Select Advanced settings / Manage API client access

  • In the "Client Name" field, enter the numeric Client ID of your service account (Saved from previous step, or found in https://console.developers.google.com)

  • In One or More API Scopes, enter the following:

    • https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group

  • Finally, click Authorize.

Create a user account for service account to impersonate

Go back to https://portal.google.com and click the Users icon.

  • Click the "Add new user" button in the middle of the page Suggested values when creating user:

    • First name: jira

    • Last name: read

    • Primary email address: "jira-read@<yourdomain.com>"

  • You do not need to set a password

  • Click "Create"

  • Cut & paste the account username into the "Admin account address" form field in KSSO. Also make a note of it as it will be needed again later.

Add an assign a read-only security role

Go back to https://portal.google.com. From the top left navigation menu, select Account, then Admin Roles.

On Admin roles page, click the CREATE A NEW ROLE button:

  • Enter a name, such as "read users and groups"

  • Click Create

  • Scroll down to Admin API Privileges

  • Select Users / Read and Groups / Read.

  • Click Save

  • Click Admins tab, then Assign admins button.

Then select the user account created in step 3, click Confirm Assignment.

You should now have everything you need to complete the form in KSSO. Press Save when done and if KSSO can successfully connect to GSuite and read from the directory, you should be prompted to create a user directory. Otherwise, review the error message:

Once the Crowd User Directory has been created, you can view the users, groups and group memberships retrieved from GSuite: