Google Workspace
This guide will show you how to integrate GoodAccess with Google Workspace SSO.
Remember to grant your Google users access permissions to GoodAccess. Users without them won't be able to log in.
Step 1 - Adding a new identity provider
Log in to the GoodAccess Control Panel, and go to Settings > SSO & Identity.
Click + Add provider, enter the Provider name, choose your Identity Provider, and click Continue.
Step 2 - Setting up Single Sign-On with SAML
Log in to the Google Admin console, and go to Apps > Web and mobile apps.
Click Add App, and Add custom SAML app.
1. App details
Give the appplication a name, upload a logo, and click Continue.
2. Google Identity Provider details
Copy the details to GoodAccess - (3) Identity Provider links, and click Continue.
Sign in URL - SSO URL
Entity ID - Entity ID
X509 signing certificate - Certificate
3. Service provider details
Copy the details from GoodAccess - (2) GoodAccess links, and click Continue.
ACS URL - Assertion Consumer Service URL
Entity ID - Entity ID
Start URL - Login URL
Name ID format - UNSPECIFIED
Name ID - Basic Information > Primary email
4. Attribute mapping
Click ADD MAPPING, and add two attributes as follows:
Primary email
"email" (without quotes)
First name
"name" (without quotes)
Click Finish to confirm your settings.
You have now successfully set up your Google Workspace SSO with GoodAccess.
Step 3 (optional) - Setting up SCIM using an API
Since SCIM for Google Workspace is not currently supported for public use, it's necessary to use a combination of Google Apps Script and GoodAccess API Integration for complete user management.
1. Creating a new API Integration
In the GoodAccess Control Panel, go to Settings > API Integration.
Create a new API Integration with the scopes specified below, and securely save the Token for the next step.
Members
Create
Update
Remove
2. Creating the Google Apps Script
Go to Google Apps Script, and click New Project.
Copy the following code snippet and paste it into the code editor in Google Apps Script:
For the code to function correctly, you need to replace the following values in the code:
<DOMAIN_NAME>- The verified domain of your organization in Google Workspace (e.g. goodaccess.com)<PROVIDER_ID>- The Provider ID you obtained in the final step of the GoodAccess SSO configuration form<INTEGRATION_TOKEN>- The Token you obtained when creating the API Integration
var domain = '<DOMAIN_NAME>';
var providerId = '<PROVIDER_ID>';
var integrationToken = '<INTEGRATION_TOKEN>';
var excludedGroups = [
"gcp-logging-monitoring-admins",
];
var excludedPatterns = [
"gcp-*"
];
function syncUsers(){
sendRequest(
getAllUsers(),
getGroups()
)
}
function sendRequest(users, groups) {
var apiUrl = 'https://integration.goodaccess.com/api/v2/google-workspace/sync-users';
// Creating Request payload
var payload = {
'domain': domain,
'users': users,
'groups': groups,
'provider_id': providerId
};
// Setting up details of request
var options = {
'method': 'post',
'contentType': 'application/json',
'headers': {
'authorization': integrationToken
},
'payload': JSON.stringify(payload)
};
// Sending Request
var response = UrlFetchApp.fetch(apiUrl, options);
if (response.getResponseCode() == 200) {
Logger.log('The API request was successfully sent.');
} else {
Logger.log("Error sending API request. Response code:" + response.getResponseCode());
}
}
//Getting all domain groups
function getGroups(){
var workSpaceGroups = AdminDirectory.Groups;
var pageToken;
var members = [];
var groups = {};
var groupsService = workSpaceGroups.list({
domain: domain,
maxResults: 100
});
groupsService.groups.forEach(function(workSpaceGroup) {
var groupEmail = workSpaceGroup.getEmail();
var groupId = workSpaceGroup.id;
var groupName = groupEmail.split("@")[0];
if (excludedGroups.includes(groupName)) {
return;
}
if(excludedPatterns.some(function(pattern) {
var regexPattern = pattern.replace('*', '.*');
var regex = new RegExp("^" + regexPattern + "$");
return regex.test(groupName);
})){
return;
}
members = [];
do {
var response = AdminDirectory.Members.list(groupEmail, {
pageToken: pageToken
});
if (response.members) {
members = members.concat(response.members);
}
pageToken = response.nextPageToken;
} while (pageToken);
if (!groups[groupId]) {
groups[groupId] = {
name: groupName,
members: []
};
}
members.forEach(function(member) {
if (member.email != null) {
groups[groupId].members.push(member.id);
}
});
});
return groups;
}
function getAllUsers() {
var service = AdminDirectory.Users;
var members = {};
var users = service.list({
domain: domain,
maxResults: 100
});
users.users.forEach(function(user) {
members[user.id] = {
email: user.primaryEmail,
name: user.name.fullName
};
});
return members;
}Click + to add a service, and add Admin SDK API.
3. Creating a trigger for the script
In the left menu, go to Triggers, and click + Add Trigger.
Choose which function to run - syncUsers()
Choose which doployment should run - Head
Select event source - Time-driven
Select type of time based trigger - Hour timer
Select hour interval - Every hour
Click Save.
You have now successfully set up Google Workspace SCIM with GoodAccess.
Step 4 - Managing user access
In the application click User access.
Choose who should have access, select ON, and click Save.
Last updated
Was this helpful?