Google Workspace

This guide will show you how to integrate GoodAccess with Google Workspace SSO.


Last updated 2 months ago


This feature is available in the Premium plan and higher.

Remember to grant your Google users access permissions to GoodAccess. Users without them won't be able to log in.

Step 1 - Adding a new identity provider

Log in to the GoodAccess Control Panel, and go to Settings > SSO & Identity.

Click + Add provider, enter the Provider name, choose your Identity Provider, and click Continue.

Step 2 - Setting up Single Sign-On with SAML

Log in to the Google Admin console, and go to Apps > Web and mobile apps.

Click Add App, and Add custom SAML app.

1. App details

Give the application a name, upload a logo, and click Continue.

2. Google Identity Provider details

Copy the details to GoodAccess - (3) Identity Provider links, and click Continue.

  • Sign in URL - SSO URL

  • Entity ID - Entity ID

  • X509 signing certificate - Certificate

3. Service provider details

Copy the details from GoodAccess - (2) GoodAccess links, and click Continue.

  • ACS URL - Assertion Consumer Service URL

  • Entity ID - Entity ID

  • Start URL - Login URL

  • Name ID format - UNSPECIFIED

  • Name ID - Basic Information > Primary email

4. Attribute mapping

Click ADD MAPPING, and add two attributes as follows:

Google Directory attributes - App attributes

  • Primary email - "email" (without quotes)

  • First name - "name" (without quotes)

Click Finish to confirm your settings.

If you want to set up SCIM, save the Provider ID for the next step, and click Submit.

If you don't want to set up SCIM, skip the next step in GoodAccess, and click Submit to finish the configuration.

You have now successfully set up your Google Workspace SSO with GoodAccess.

Step 3 (optional) - Setting up SCIM using an API

Since SCIM for Google Workspace is not currently supported for public use, it's necessary to use a combination of Google Apps Script and GoodAccess API Integration for complete user management.

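1. Creating a new API Integration

In the GoodAccess Control Panel, go to Settings > API Integration.

Create a new API Integration with the scopes specified below, and securely save the Token for the next step.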

  • Members

    • Create

    • Update

    • Remove

2. Creating the Google Apps Script

Go to Google Apps Script, and click New Project.

Copy the following code snippet and paste it into the code editor in Google Apps Script:

For the code to function correctly, you need to replace the following values in the code:

  • <DOMAIN_NAME> - The verified domain of your organization in Google Workspace (e.g. goodaccess.com)

  • <PROVIDER_ID> - The Provider ID you obtained in the final step of the GoodAccess SSO configuration form

  • <INTEGRATION_TOKEN> - The Token you obtained when creating the API Integration

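// Values to replace with your own (see the list above)
var domain            = '<DOMAIN_NAME>';
var providerId        = '<PROVIDER_ID>';
// Keep this value secret: it is readable by anyone who can open this script project
var integrationToken  = '<INTEGRATION_TOKEN>';

// Groups skipped by exact name (the part of the group email before "@")
var excludedGroups    = [
  "gcp-logging-monitoring-admins",
];

// Groups skipped by pattern; "*" matches any sequence of characters
var excludedPatterns  = [
  "gcp-*"
];

// Entry point for the trigger: reads users and groups and sends them to GoodAccess
function syncUsers() {
  sendRequest(
    getAllUsers(),
    getGroups()
  );
}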
// Sends the collected users and groups to the GoodAccess integration API
function sendRequest(users, groups) {
  var apiUrl = 'https://integration.goodaccess.com/api/v2/google-workspace/sync-users';

  // Creating Request payload
  var payload = {
    'domain': domain,
    'users': users,
    'groups': groups,
    'provider_id': providerId
  };

  // Setting up details of request
  var options = {
    'method': 'post',
    'contentType': 'application/json',
    'headers': {
      'authorization': integrationToken
    },
    'payload': JSON.stringify(payload),
    // Return non-2xx responses instead of throwing, so the status check below runs
    'muteHttpExceptions': true
  };

  // Sending Request
  var response = UrlFetchApp.fetch(apiUrl, options);
  if (response.getResponseCode() == 200) {
    Logger.log('The API request was successfully sent.');
  } else {
    Logger.log("Error sending API request. Response code: " + response.getResponseCode());
    // Fail the run so the trigger execution is reported as failed
    throw new Error("GoodAccess sync failed with HTTP " + response.getResponseCode());
  }
}

// Getting all domain groups (excluded groups are skipped), keyed by group ID
function getGroups() {
  var groups = {};
  var groupsPageToken;

  do {
    // Groups are returned in pages; follow nextPageToken until every page is read
    var groupsPage = AdminDirectory.Groups.list({
      domain: domain,
      maxResults: 100,
      pageToken: groupsPageToken
    });

    (groupsPage.groups || []).forEach(function(workSpaceGroup) {
      var groupEmail = workSpaceGroup.email;
      var groupId    = workSpaceGroup.id;
      var groupName  = groupEmail.split("@")[0];

      if (excludedGroups.includes(groupName)) {
        return;
      }

      // Treat every "*" as a wildcard and every other character literally
      if (excludedPatterns.some(function(pattern) {
        var regexPattern = pattern
          .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
          .replace(/\*/g, '.*');
        var regex = new RegExp("^" + regexPattern + "$");
        return regex.test(groupName);
      })) {
        return;
      }

      // Collect all members of the group, page by page
      var members = [];
      var pageToken;
      do {
        var response = AdminDirectory.Members.list(groupEmail, {
          pageToken: pageToken
        });

        if (response.members) {
          members = members.concat(response.members);
        }

        pageToken = response.nextPageToken;
      } while (pageToken);

      if (!groups[groupId]) {
        groups[groupId] = {
          name: groupName,
          members: []
        };
      }

      // Only the member IDs are sent
      members.forEach(function(member) {
        if (member.email != null) {
          groups[groupId].members.push(member.id);
        }
      });
    });

    groupsPageToken = groupsPage.nextPageToken;
  } while (groupsPageToken);

  return groups;
}

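// Getting all domain users, keyed by user ID
function getAllUsers() {
  var members = {};
  var pageToken;

  do {
    // Users are returned in pages; follow nextPageToken until every page is read
    var page = AdminDirectory.Users.list({
      domain: domain,
      maxResults: 100,
      pageToken: pageToken
    });

    (page.users || []).forEach(function(user) {
      members[user.id] = {
        email: user.primaryEmail,
        name: user.name.fullName
      };
    });

    pageToken = page.nextPageToken;
  } while (pageToken);

  return members;
}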

Click + to add a service, and add Admin SDK API.
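
A pre-flight check for the payload built by the script above, shown as an added example that is not part of the GoodAccess guide or its script. Because the API Integration token carries the Members Remove scope, an empty or sharply reduced directory read is worth stopping before it is sent. The function names, the previousUserCount input and the drop threshold are assumptions made for this example.

```javascript
// Added example, not GoodAccess code. Names and thresholds are assumptions.

// Convert a "*" glob into an anchored RegExp; every other character is literal.
function globToRegExp(pattern) {
  var escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// True when a group name is excluded by exact name or by glob pattern.
function isExcludedGroup(groupName, excludedGroups, excludedPatterns) {
  if (excludedGroups.indexOf(groupName) !== -1) return true;
  return excludedPatterns.some(function (pattern) {
    return globToRegExp(pattern).test(groupName);
  });
}

// Check the payload built by getAllUsers()/getGroups() before it is sent.
// previousUserCount: size of the last successful sync (0 when unknown).
// maxDropRatio: largest tolerated shrink, e.g. 0.5 for 50 %.
// Returns a list of problems; an empty list means the payload can be sent.
function checkSyncPayload(users, groups, previousUserCount, maxDropRatio) {
  var problems = [];
  var userIds = Object.keys(users);
  if (userIds.length === 0) {
    problems.push('directory returned no users');
  } else if (userIds.length < previousUserCount * (1 - maxDropRatio)) {
    problems.push('user count fell from ' + previousUserCount + ' to ' + userIds.length);
  }
  userIds.forEach(function (id) {
    if (!users[id].email) problems.push('user ' + id + ' has no email');
  });
  Object.keys(groups).forEach(function (groupId) {
    if (!Array.isArray(groups[groupId].members)) {
      problems.push('group ' + groupId + ' has no member list');
    }
  });
  return problems;
}

// Constructed sample data in the same shape the script sends.
var sampleUsers = {
  '101': { email: 'alice@example.com', name: 'Alice Example' },
  '102': { email: 'bob@example.com', name: 'Bob Example' }
};
var sampleGroups = { 'g1': { name: 'engineering', members: ['101', '102'] } };
```

In the script on this page, syncUsers() could call checkSyncPayload() and skip sendRequest() whenever the returned list is not empty.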

3. Creating a trigger for the script

In the left menu, go to Triggers, and click + Add Trigger.

  • Choose which function to run - syncUsers()

  • Choose which deployment should run - Head

  • Select event source - Time-driven

  • Select type of time based trigger - Hour timer

  • Select hour interval - Every hour

Click Save.

You have now successfully set up Google Workspace SCIM with GoodAccess.

Step 4 - Managing user access

In the application, click User access.

Choose who should have access, select ON, and click Save.

The user provisioning time period depends on the Trigger settings (default is 1 hour).
