How to set up provisioning for Google Workspace on Okta

Oct 20, 2021 7:00:00 PM / by Vu Long Tran

This is a guide on how to set up provisioning for Google Workspace API on Okta.

How to set up provisioning for Google Workspace API on Okta

Step 1 - Log into Google Admin console

Sign in at https://admin.google.com/ using your Google Workspace admin account (note: this is not a personal Gmail account, so if you are currently signed into Google services with a Gmail account, switch to the admin account first).

Step 2 - Go to your Google API controls

From the Admin Console home page, go to Menu > Security > API controls.

Under App access control, click "Manage Google Services" (this is in the Overview section of "App access control").

Step 3 - Review your Google API controls

Review your Google API controls.

You will notice how my "Google Workspace Admin" is currently set to "Restricted" (under the "Access" column).

Step 4 - Update your Google API settings

Update the access setting for "Google Workspace Admin" by clicking "Change access" and selecting "Unrestricted: Any user-approved app can access a service".

That is: change access, choose from the following options:

  • Unrestricted: Any user-approved app can access a service
  • Restricted: Only trusted apps can access a service

Either way, users will still have to authorise the app themselves (via the OAuth consent screen), but the Unrestricted setting avoids the hard block (the authorization error shown in the example below) when an app tries to access your Google APIs.

Step 5 - Check your Google API controls settings

Check your Google API control settings; "Google Workspace Admin" should now say "Unrestricted" (under the "Access" column).

Step 6 - Authenticate Okta with Google Workspace via Google APIs

In the Okta Admin console, go through the steps again to authenticate Okta with Google Workspace via the Google APIs, since Google Workspace requires a token to authenticate against the Google API.

1. Click on "Enable API integration"

2. Click on "Authenticate with Google Workspace"

3. Log into your Google Admin account and review the requested access. You will see an OAuth consent screen with a list of the items (scopes) that Okta is asking to access.

If you are comfortable, click "Allow".

4. Success, you are authenticated!

In your Okta Admin console, you will see the messages "Google Workspace was verified successfully!" and "Google Workspace's API is authenticated. Click Re-authenticate with Google Workspace to generate a new authentication token".

In the Okta Admin, click "Save".

Step 7 - Congratulations you are all set!

In the Okta Admin, click "Save" if you have not already done so in the previous step. That will refresh the "Provisioning" tab and you should now see your CRUD options.

That is, you can now Create Users, Update User Attributes, Deactivate Users and Sync Password from Okta.

You can also go the other way: if you prefer to use Google Workspace as your single source of truth, create users in Google and have them flow into Okta (using the "To Okta" subtab).

Google APIs Authorization Error example

Here is an example Google API authorization error:

Authorization Error

Error 400: admin_policy_enforced
Access to your account data is restricted by policies within your organization. Please contact the administrator for vulongtran.com for more information.
Request Details

access_type=offline
response_type=code
redirect_uri=https://system-admin.okta.com/admin/app/generic/oauth20redirect
state=<hash>==
client_id=<uniqueclientid>.apps.googleusercontent.com
prompt=consent
scope=https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member https://www.googleapis.com/auth/admin.directory.orgunit https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/apps.licensing https://www.googleapis.com/auth/admin.directory.userschema.readonly https://www.googleapis.com/auth/admin.directory.rolemanagement openid
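As an added example (not code from the original post), the Python script below parses the "Request Details" shown above the way you would review them at Step 6.3 before clicking "Allow": it flags the admin_policy_enforced block that Step 4 fixes, checks that the redirect_uri points at the expected Okta host (assumed here to be system-admin.okta.com, as in the example), and sorts the requested scopes into identity, read-only and write. The scope classification is an assumed heuristic based on scope names, not anything Google's API reports.

```python
# Added example (not from the original post): parse the "Request Details" Google
# shows on its OAuth consent/error page and summarise what the app asks for.
from urllib.parse import urlsplit

# Constructed sample, copied from the admin_policy_enforced example on this page
SAMPLE_REQUEST = """\
Error 400: admin_policy_enforced
access_type=offline
response_type=code
redirect_uri=https://system-admin.okta.com/admin/app/generic/oauth20redirect
state=<hash>==
client_id=<uniqueclientid>.apps.googleusercontent.com
prompt=consent
scope=https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.group.member https://www.googleapis.com/auth/admin.directory.orgunit https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/apps.licensing https://www.googleapis.com/auth/admin.directory.userschema.readonly https://www.googleapis.com/auth/admin.directory.rolemanagement openid
"""
SCOPE_PREFIX = "https://www.googleapis.com/auth/"

def parse_request_details(text):
    """Turn key=value lines into a dict; 'scope' becomes a list of scopes."""
    params = {}
    for line in text.splitlines():
        if "=" in line:                   # skips the "Error 400: ..." headline
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    params["scope"] = params.get("scope", "").split()
    return params

def classify_scope(scope):
    """Heuristic label: 'identity' (OpenID/profile), 'read-only' or 'write'."""
    if scope == "openid" or scope.startswith(SCOPE_PREFIX + "userinfo."):
        return "identity"
    if scope.endswith(".readonly"):
        return "read-only"
    return "write"                # any other Admin SDK scope can modify data

def review(text, expected_redirect_host="system-admin.okta.com"):
    """Summarise a consent request: policy block, redirect check, scopes by kind."""
    p = parse_request_details(text)
    by_kind = {"identity": [], "read-only": [], "write": []}
    for s in p["scope"]:
        by_kind[classify_scope(s)].append(s.replace(SCOPE_PREFIX, ""))
    host = urlsplit(p.get("redirect_uri", "")).hostname
    return {
        "blocked_by_admin_policy": "admin_policy_enforced" in text,  # see Step 4
        "redirect_ok": host == expected_redirect_host,
        "offline_refresh_token": p.get("access_type") == "offline",
        "write_scopes": by_kind["write"],
        "read_only_scopes": by_kind["read-only"],
        "identity_scopes": by_kind["identity"],
    }
```

Running `review(SAMPLE_REQUEST)` on the page's own request shows six write scopes (groups, org units, users, licensing and role management), which is the level of access you are delegating to Okta when you click "Allow".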

Could not connect to Google API error

Just received an error when trying to connect your application to the Google API for your Google Workspace (GSuite)?

"Could not connect to Google API, please check your OAuth credentials again."

You can fix this by making sure "Google Workspace Admin" is set to "Unrestricted" access.

Provision user message

User was assigned this application before Provisioning was enabled and not provisioned in the downstream application. Click Provision User.

Click on "Provision User".

You will get a pop up and when you are ready, click "Ok".

Provision User

Some users were assigned this application before Provisioning was enabled and are not currently provisioned.

Click Ok to sync with downstream app. It will trigger a job to provision users.

Once the job is triggered you should get a confirmation pop-up. When you refresh the page, the red "Provision User" flag on the user that has already been provisioned in Okta will disappear.

So it should look like this:

Written by Vu Long Tran

Solutions Engineer APAC. ex-@Forrester consultant. Writing on #cloud #howto guides and #tech tinkering!