This section describes how to configure user synchronization settings in Google.
Procedure
- Create a project.
  - Sign in to the Google Cloud Platform console as a Google Workspace super administrator.
  - Click the Navigation menu icon at the upper-left corner and go to .
  - On the Manage Resource screen that appears, click CREATE PROJECT.
  - Specify a name for your project, select the organization in which you want to create a project, and type the parent organization or folder in the Location text box. That resource will be the hierarchical parent of the new project.
  - Click CREATE.
- Enable the Admin SDK API.
  - On the console, click the Navigation menu icon at the upper-left corner, go to , and locate and click Admin SDK API under Google Workspace.
  - On the Admin SDK API screen that appears, click ENABLE.
- Create a service account for the project and generate a private key file for the service account.
  - On the console, click the Navigation menu icon at the upper-left corner, go to , click CREATE CREDENTIALS, and then select Service account. You can also go to, and click CREATE SERVICE ACCOUNT.
  - Specify a name for the service account, and optionally add a description for the service account. The service account ID is automatically generated with the specified account name.
  - Click DONE. The newly created service account is displayed in the Service Accounts list.
  - Click to open the service account, and then copy the client ID (Unique ID) on the DETAILS page.
  - Click KEYS.
  - On the KEYS page that appears, click ADD KEY and select Create new key. The Create private key for "<your service account>" screen appears.
  - Click the JSON key type and click CREATE. A private key file in the JSON format is automatically generated and downloaded to your computer. You will need this file when configuring Google as an IdP on TMWS.
  - Click CLOSE.
- Configure domain-wide delegation for the created service account.
  - Sign in to your Google Admin console.
  - Go to .
  - On the API controls screen that appears, click MANAGE DOMAIN WIDE DELEGATION under the Domain wide delegation section.
  - On the screen that appears, click Add new.
  - On the Add a new client ID screen that appears, type the client ID of the service account you have created, and then delegate the following scopes in the OAuth scopes text box, separating multiple entries by a comma.
    - https://www.googleapis.com/auth/admin.directory.group.member.readonly
    - https://www.googleapis.com/auth/admin.directory.group.readonly
    - https://www.googleapis.com/auth/admin.directory.user.readonly
    - https://www.googleapis.com/auth/admin.directory.user.security
    - https://www.googleapis.com/auth/admin.directory.domain
  - Click AUTHORIZE. The newly created delegation is displayed in the list.
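
The delegation only works if the client ID in the downloaded JSON key matches the Unique ID you authorized, and the key file itself is a long-lived credential. The following check is an added example, not part of the vendor procedure. The function names (`audit_scopes`, `audit_key_file`, `demo`) are hypothetical and the sample key is constructed. It compares a scope string against the five scopes listed above and inspects a key file for loose permissions and a client ID mismatch.

```python
import json
import os
import tempfile

# The five scopes this procedure delegates to the service account.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.directory.domain",
}
KEY_FIELDS = ("client_id", "client_email", "private_key_id", "private_key")


def audit_scopes(entered):
    """Return (missing, extra) for the text typed into the OAuth scopes box."""
    got = set(entered.replace(",", " ").split())
    return sorted(REQUIRED_SCOPES - got), sorted(got - REQUIRED_SCOPES)


def audit_key_file(path, expected_client_id):
    """Return a list of findings for a downloaded service account JSON key."""
    findings = []
    if os.stat(path).st_mode & 0o077:  # any group/other permission bit set
        findings.append("key file is readable by group or others")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        findings.append("not a service account key")
    findings += [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("client_id") != expected_client_id:
        findings.append("client_id differs from the Unique ID that was delegated")
    return findings


def demo():
    """Run the key check on a constructed sample key (no real key material)."""
    sample = dict.fromkeys(KEY_FIELDS, "constructed")
    sample.update(type="service_account", client_id="100000000000000000001")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # group/world readable
        loose = audit_key_file(path, sample["client_id"])
        os.chmod(path, 0o600)  # owner only, but checked against another ID
        tight = audit_key_file(path, "100000000000000000002")
    return loose, tight
```

An entry in the `extra` list means the service account has been delegated more than this procedure asks for, which is worth reviewing before you click AUTHORIZE.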