This is a guide on how to set up provisioning for Google Workspace API on Okta.
How to set up provisioning for Google Workspace API on Okta
Step 1 - Log into Google Admin console
Sign in with your Google Workspace admin account at https://admin.google.com/ (note: this is not the personal Gmail account you may already be signed into for other Google services).
Step 2 - Go to your Google API controls
From the Admin Console home page, go to Menu > Security > API controls.
Under App access control, click "Manage Google Services" (this is in the Overview section of "App access control").
Step 3 - Review your Google API controls
Review the list of Google services and their access settings.
In the screenshot, "Google Workspace Admin" is currently set to "Restricted" (under the "Access" column).
Step 4 - Update your Google API settings
Update the access setting for "Google Workspace Admin" by clicking "Change access" and selecting "Unrestricted: Any user-approved app can access a service".
That is, under "Change access", choose from the following options:
- Unrestricted: Any user-approved app can access a service
- Restricted: Only trusted apps can access a service
Either way, users still have to authorise the app themselves (via OAuth consent), but the "Unrestricted" setting avoids the complete block (an authorization error, example below) that occurs when an app tries to access your Google APIs while the service is "Restricted".
Step 5 - Check your Google API controls settings
Check your Google API control settings and it should now say "Unrestricted" (Under the "Access" column).
Step 6 - Authenticate Okta with Google Workspace via Google APIs
In the Okta Admin console, go through the steps again to authenticate Okta with Google Workspace via the Google APIs, since Google Workspace requires an OAuth token for Okta to call the Google API.
1. Click on "Enable API integration"
2. Click on "Authenticate with Google Workspace"
3. Log into your Google Admin account and review the access being requested. You will see the OAuth consent screen with the list of items Okta is asking to access.
If you are comfortable with that list, click "Allow".
4. Success, you are authenticated!
In your Okta Admin console, you will see that your "Google Workspace was verified successfully!" and "Google Workspace's API is authenticated. Click Re-authenticate with Google Workspace to generate a new authentication token".
In the Okta Admin, click "Save".
Step 7 - Congratulations you are all set!
In the Okta Admin, click "Save" if you have not already in the previous step. That will refresh the "Provisioning" tab and you should see your CRUD options now.
That is, you can now Create Users, Update User Attributes, Deactivate Users and Sync Password from Okta.
Or the other way around, if you prefer to use Google Workspace as your single point of truth and create users from Google into Okta (using the "To Okta" subtab).
Google APIs Authorization Error example
Here is an example of the Google API error you get while "Google Workspace Admin" is still "Restricted":
Authorization Error
Error 400: admin_policy_enforced
Access to your account data is restricted by policies within your organization. Please contact the administrator for vulongtran.com for more information.
Request Details
access_type=offline
response_type=code
redirect_uri=https://system-admin.okta.com/admin/app/generic/oauth20redirect
state=<hash>==
client_id=<uniqueclientid>.apps.googleusercontent.com
prompt=consent
scope=https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member https://www.googleapis.com/auth/admin.directory.orgunit https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/apps.licensing https://www.googleapis.com/auth/admin.directory.userschema.readonly https://www.googleapis.com/auth/admin.directory.rolemanagement openid
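Before clicking "Allow" in Step 6, it is worth knowing exactly what the consent screen is granting. The following script is an added example (not part of the original guide, and not Okta's or Google's code): it parses a "Request Details" block like the one above, groups the requested scopes by the level of access they grant, and checks that the redirect_uri points at the host you expect. The sample input is constructed from the request shown above, keeping the guide's own <hash> and <uniqueclientid> placeholders; the expected redirect host is an assumption you set for your own tenant.

```python
"""Summarise an OAuth authorization request from Okta to Google so an admin
can review scopes and redirect target before granting consent.
Added example; not part of the original guide, Okta, or Google."""
from urllib.parse import urlsplit

# Constructed sample: the "Request Details" block from the guide, one key=value per line.
SAMPLE_REQUEST_DETAILS = """\
access_type=offline
response_type=code
redirect_uri=https://system-admin.okta.com/admin/app/generic/oauth20redirect
state=<hash>==
client_id=<uniqueclientid>.apps.googleusercontent.com
prompt=consent
scope=https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member https://www.googleapis.com/auth/admin.directory.orgunit https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/apps.licensing https://www.googleapis.com/auth/admin.directory.userschema.readonly https://www.googleapis.com/auth/admin.directory.rolemanagement openid
"""


def parse_request_details(text):
    """Turn 'key=value' lines into a dict.

    Split on the first '=' only: the state value ends in '==' (base64 padding),
    and the scope value contains spaces, so a generic query-string parser would
    mangle both.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def classify_scopes(scope_value):
    """Group space-separated OAuth scopes by what they let the app do."""
    groups = {"identity": [], "readonly": [], "write": []}
    for scope in scope_value.split():
        name = scope.rsplit("/", 1)[-1]  # e.g. admin.directory.user.readonly
        if scope == "openid" or name.startswith("userinfo."):
            groups["identity"].append(scope)  # who the granting admin is
        elif name.endswith(".readonly"):
            groups["readonly"].append(scope)
        else:
            groups["write"].append(scope)  # can create/modify directory or licensing data
    return groups


def review_request(text, expected_redirect_host):
    """Return a summary plus findings an admin should read before clicking Allow.

    expected_redirect_host is an assumption: set it to the Okta host you expect
    the consent flow to return to.
    """
    params = parse_request_details(text)
    groups = classify_scopes(params.get("scope", ""))
    redirect_host = urlsplit(params.get("redirect_uri", "")).hostname or ""
    findings = []
    if redirect_host != expected_redirect_host:
        findings.append(
            f"redirect_uri host {redirect_host!r} is not the expected {expected_redirect_host!r}"
        )
    if params.get("access_type") == "offline":
        # offline access means a refresh token is issued: the grant lives until revoked
        findings.append("access_type=offline: a long-lived refresh token will be issued")
    if groups["write"]:
        findings.append(f"{len(groups['write'])} scope(s) permit writes to directory/licensing")
    return {
        "client_id": params.get("client_id", ""),
        "redirect_host": redirect_host,
        "scopes": groups,
        "findings": findings,
    }


if __name__ == "__main__":
    result = review_request(SAMPLE_REQUEST_DETAILS, "system-admin.okta.com")
    for group, scopes in result["scopes"].items():
        print(f"{group}: {len(scopes)}")
        for scope in scopes:
            print(f"  {scope}")
    for finding in result["findings"]:
        print("!", finding)
```

Run it against the block Google shows you (copy the "Request Details" text into SAMPLE_REQUEST_DETAILS); the write group is the one to read carefully, since those scopes are what make the Okta-side "Create Users", "Update User Attributes" and "Deactivate Users" options work.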
Could not connect to Google API error
Received this error when trying to connect your application to the Google API for your Google Workspace (G Suite)?
"Could not connect to Google API, please check your OAuth credentials again."
You can fix this by making sure "Google Workspace Admin" is set to "Unrestricted" access.
Provision user message
User was assigned this application before Provisioning was enabled and not provisioned in the downstream application. Click Provision User.
Click on "Provision User".
You will get a pop-up; when you are ready, click "Ok".
Provision User
Some users were assigned this application before Provisioning was enabled and are not currently provisioned.
Click Ok to sync with downstream app. It will trigger a job to provision users.
Once the job triggers you should get a confirmation pop-up. When you refresh the page, the red "Provision User" flag disappears for users that have already been provisioned in Okta.
So it should look like this: