Configuring Synchronization Settings in Google

This section describes how to configure user synchronization settings in Google.

  1. Create a project.
    1. Sign in to the Google Cloud Platform console as a Google Workspace super administrator.
    2. Click the Navigation menu icon at the upper-left corner and go to IAM & Admin > Manage Resources.
    3. On the Manage Resource screen that appears, click CREATE PROJECT.
    4. Specify a name for your project, select the organization in which you want to create a project, and type the parent organization or folder in the Location text box. That resource will be the hierarchical parent of the new project.
    5. Click CREATE.
  2. Enable the Admin SDK API.
    1. On the console, click the Navigation menu icon at the upper-left corner, go to APIs & Services > Library, and locate and click Admin SDK API under Google Workspace.
    2. On the Admin SDK API screen that appears, click ENABLE.
  3. Create a service account for the project and generate a private key file for the service account.
    1. On the console, click the Navigation menu icon at the upper-left corner, go to APIs & Services > Credentials, click CREATE CREDENTIALS, and then select Service account.

      You can also go to IAM & Admin > Service Accounts, and click CREATE SERVICE ACCOUNT.

    2. Specify a name for the service account, and optionally add a description for the service account.

      The service account ID is automatically generated with the specified account name.

    3. Click CREATE and then DONE.

      The newly created service account is displayed in the Service Accounts list.

    4. Click to open the service account, and then click SHOW DOMAIN-WIDE DELEGATION on the DETAILS page.
    5. Select Enable G Suite Domain-wide Delegation.
    6. Type the application name you created for TMWS in the Google Admin console, and click SAVE.

      A client is created for the service account. You can get the client ID on the DETAILS page of the service account or under APIs & Services > Credentials.

    7. Click KEYS.
    8. On the KEYS page that appears, click ADD KEY and select Create new key.

      The Create private key for "<your service account>" screen appears.

    9. Click the JSON key type and click CREATE.

      A private key file in the JSON format is automatically generated and downloaded to your computer. You will need this file when configuring Google as an IdP on TMWS.

    10. Click CLOSE.
  4. Configure domain-wide delegation for the created service account.
    1. Sign in to your Google Admin console.
    2. Go to Security > API controls.
    3. On the API controls screen that appears, click MANAGE DOMAIN WIDE DELEGATION under the Domain wide delegation section.
    4. On the screen that appears, click Add new.
    5. On the Add a new client ID screen that appears, type the client ID of the service account you have created, and then delegate the following scopes in the OAuth scopes text box, separating multiple entries by a comma.
      https://www.googleapis.com/auth/admin.directory.group.member.readonly
      https://www.googleapis.com/auth/admin.directory.group.readonly
      https://www.googleapis.com/auth/admin.directory.user.readonly
      https://www.googleapis.com/auth/admin.directory.user.security
      https://www.googleapis.com/auth/admin.directory.domain
    6. Click AUTHORIZE.

      The newly-created delegation is displayed in the list.