Setup Google Workspace
Before you begin
To configure the Google Workspace application for provisioning (or sending emails), you need the following.
A Google Workspace account with administrator access.
The Google Workspace
Admin SDK
API must be enabled.The following parameters to configure user provisioning in OnLink - see step by step instructions below.
Service account email
Account email
Private key
Step by step procedure to connect to Google Workspace
Log in as an admin user to Google Cloud Platform (GCP) Console by using the following URL: https://console.cloud.google.com.
Do one of the following steps.
If you have not used the GCP Console before, agree to the terms of service and click Create Project.
If you have used GCP Console before, at the top of the screen next to your most recent project name, click the down arrow to open your projects list. Then, click New Project. In Project Name, enter a meaningful name and click CREATE.
Select your new project and click the navigation menu.
Navigate to API and Services > Library. Search for Admin SDK and select the Admin SDK option from the search results. Click ENABLE.
Navigate to IAM and admin > service accounts. Click CREATE SERVICE ACCOUNT and specify the following settings.
Service account name
Service account ID
Click CREATE to create your service account. Click CONTINUE and then click DONE.
Click the navigation menu. Navigate to API and Services > Credentials.
Click Service account and select your service account.
Under Keys, from the Add Key menu select Create New Key. Select the JSON radio button and click Create.
Note the following parameters that are required to configure provisioning in OnLink.
Service Account Email - Use the
client_email
value from your service accountprivate key
file.Account Email - this is the email of the admin who logged in to create the service account. The admin should have as a minimum, the 'User Management Admin' and 'Groups Admin' roles. Make sure that the scopes of the roles are All organization unit. If possible, use a shared email here to ensure continuity in case one person leaves your org.
Private Key - Use the
private_key
value from your service accountprivate key
file. Copy everything from and including -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----\n without the double quotes e.g.-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkigEAAoIBAQC5DdC8GNNeyVik\nryiee...sr47P8/fghv5Lxukpq\nGnEiHn5otefat1FuUnmMJ8j/\n-----END PRIVATE KEY-----\n
Go to your Google Workspace Admin console by using the following URL: https://admin.google.com.
Click the navigation menu. Navigate to Security > Access and data control > API Controls.
Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
Click Add New and add the following details.
Client ID - Provide a service account's client ID. Use the client_id value from the service account private key file.
User OAuth Scope https://www.googleapis.com/auth/admin.directory.user
Group OAuth Scope https://www.googleapis.com/auth/admin.directory.group
Role OAuth Scope https://www.googleapis.com/auth/admin.directory.rolemanagement
Org Unit OAuth Scope https://www.googleapis.com/auth/admin.directory.orgunit
Gmail Send (only needed if using to send emails) https://www.googleapis.com/auth/gmail.sendClick Authorize and save your changes.
Here’s a Google link outlining the above for your reference: https://developers.google.com/workspace/guides/create-credentials