Legacy guide: Google GSuite (API Connector)
To add Workspace Connector/ User Directory, navigate to KSSO > Cloud user provisioning. Then add an Google GSuite connector.
The below form should appear. The next step is to create an application and credentials in GSuite, which will allow you to complete the form and synchronize users and groups.
Create a GSuite service account
Open a separate browser tab and log into the GSuite developer console at https://console.developers.google.com
From the top left navigation menu dropdown, select IAM & admin, then Service accounts:
If you don’t currently have a project selected, you will first need to either do so, or create a new one.
Once a project has been selected, click “Create Service account” at the top menu.
Enter a Service account name, such as "jira-read"
Click CREATE
You do not need to select any Role
Click CONTINUE
Click CREATE KEY
Click Select JSON and click CREATE. The JSON private key file will be downloaded to your computer and should be uploaded in the form field JSON key file on the top of this Google GSuite Connector wizard page
Click CLOSE
Click DONE
Next, locate the account you just created in the list of service accounts, and click the three dots from the Action column to expand options. Select EDIT.
Click SHOW DOMAIN-WIDE DELEGATION and check Enable G Suite Domain-wide Delegation
Click SAVE
Scroll list of service accounts all the way to the right to see Domain wide delegation column (see image below).
Click View Client ID and copy the Client ID value to clipboard. You will use it in the next step
Enable API access for the service account
In a separate browser tab, open the main GSuite admin portal https://admin.google.com.
Open the top left main menu and select “Security”
Select Advanced settings / Manage API client access
In the "Client Name" field, enter the numeric Client ID of your service account (Saved from previous step, or found in https://console.developers.google.com)
In One or More API Scopes, enter the following:
https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group
Finally, click Authorize.
Create a user account for service account to impersonate
Go back to https://portal.google.com and click the Users icon.
Click the "Add new user" button in the middle of the page Suggested values when creating user:
First name: jira
Last name: read
Primary email address: "jira-read@<yourdomain.com>"
You do not need to set a password
Click "Create"
Cut & paste the account username into the "Admin account address" form field in KSSO. Also make a note of it as it will be needed again later.
Add an assign a read-only security role
Go back to https://portal.google.com. From the top left navigation menu, select Account, then Admin Roles.
On Admin roles page, click the CREATE A NEW ROLE button:
Enter a name, such as "read users and groups"
Click Create
Scroll down to Admin API Privileges
Select Users / Read and Groups / Read.
Click Save
Click Admins tab, then Assign admins button.
Then select the user account created in step 3, click Confirm Assignment.
You should now have everything you need to complete the form in KSSO. Press Save when done and if KSSO can successfully connect to GSuite and read from the directory, you should be prompted to create a user directory. Otherwise, review the error message:
Once the Crowd User Directory has been created, you can view the users, groups and group memberships retrieved from GSuite: