The Google Workspace Integration allows for secure and consistent connectivity between ̽»¨´óÉñ and Google Workspace. The integration allows an IT Admin to manually provision new user accounts, schedule imports of new users and updates, and continuously synchronize specified user attributes from ̽»¨´óÉñ to Google or from Google to ̽»¨´óÉñ. In addition, admins can manage distribution groups in Google Workspace from ̽»¨´óÉñ.
Integrating Google Workspace with ̽»¨´óÉñ
You can integrate Google Workspace and ̽»¨´óÉñ in two different integration scenarios that offer the same benefits. To start configuring the integration, ensure you have reviewed the prerequisites and important considerations.
User Integration Scenarios
- ̽»¨´óÉñ manages user identities:
  - ̽»¨´óÉñ takes over existing Google Workspace accounts
  - ̽»¨´óÉñ provisions new Google Workspace accounts
- Google manages user identities:
  - Google Workspace takes over ̽»¨´óÉñ accounts
  - Google Workspace provisions new ̽»¨´óÉñ accounts
Benefits
- Secure, persistent connectivity between ̽»¨´óÉñ and Google Workspace
- A convenient way to import pre-existing Google accounts into ̽»¨´óÉñ
- Automatic provisioning of new ̽»¨´óÉñ accounts into Google Workspace
- Continual user attribute synchronization from ̽»¨´óÉñ to Google accounts
- Accessible self-service account management for your end users
- Simplified login experience:
  - Create a login experience similar to SSO where users log in to ̽»¨´óÉñ and Google Workspace using the same set of credentials
  - Combine this integration with an SSO integration, or IdP configuration, to allow for federated user logins to either system
Prerequisites
- A ̽»¨´óÉñ administrator account
- ̽»¨´óÉñ Device Package or higher
- An active Google Workspace directory
  - Google Workspace directories can contain multiple domains
- Either a Google Super Admin (if you need to sync passwords for users with Super Admin privileges) or a dedicated Google user for the integration with these roles:
  - Groups Admin (pre-built role)
  - User management Admin (pre-built role)
  - Custom role with ‘Domain Management’ admin API privileges
Using a person's Google user account to authorize the integration may cause the integration to break if that person leaves the organization or if their roles or privileges change.
- One of the following supported licenses:
- Google Workspace Business edition
- Google Workspace Education edition
- Google Workspace Enterprise edition
- Legacy G Suite Business
- Legacy G Suite Basic
- This license requires a valid payment source for user additions
- Ensure that you validate the billing contact
- Pending actions need to be completed for password sync to function properly
Google Workspace for Non Profits, Google Workspace Essentials Starter, and G Suite Legacy Free Edition aren't supported. This is a Google restriction; Google only provides their User Access API to paid licenses.
Considerations
- Don’t add a Google Workspace directory more than once in ̽»¨´óÉñ. If you authorize sync for the same Google Workspace directory more than once, users that are connected to multiple instances of the same Google Workspace directory in ̽»¨´óÉñ could be suspended if you remove them from one of the instances. You can avoid this by deactivating the sync for duplicate Google Workspace directories.
- Synchronization occurs by matching the user's ̽»¨´óÉñ email address with the Google Workspace primary email address or any of a user's Google Workspace alias email addresses.
- Some user attributes are always synced with Google Workspace. Admins should also review and choose additional user attributes prior to importing/exporting users via the integration. See Configure the Google Workspace Integration to learn more.
- If you are syncing user data from ̽»¨´óÉñ to Google, we recommend that you change user emails in the ̽»¨´óÉñ Admin Portal.
- If you change the email domain in ̽»¨´óÉñ for a linked account to a domain outside of the synced Google Workspace directory, you could cause the user information to stop syncing unless you have configured a list of domains and specified one to use as the default for the integration. See Maintain the Google Workspace Integration to learn more.
- Most changes users make to their personal attributes in the User Portal will sync to Google Workspace if those attributes are set to sync on export. See Configure the Google Workspace Integration to learn more.
- Regardless of the user state or Password Configurations security settings in ̽»¨´óÉñ, users must be unbound from the Google Workspace Cloud Directory Integration in ̽»¨´óÉñ directory to guarantee that ̽»¨´óÉñ will stop syncing (exporting) information for that user to Google.
Users who are unbound from Google Workspace Cloud Directory integration in ̽»¨´óÉñ will be deactivated in Google.
- Users should be unbound from your Google Workspace Cloud Directory Integration in ̽»¨´óÉñ before they are deleted in Google. This prevents the user from being recreated on the next sync from ̽»¨´óÉñ.
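The matching rule in the considerations above (a directory email is compared against a Google primary address or any alias) and the domain consideration can be checked before sync is enabled. The following is an added example, not code from the vendor or from Google; the record fields, the sample data and the case-insensitive comparison are assumptions.

```python
# Added example: pre-flight check for the email-matching rule (primary or alias).
# Sample records are constructed; field names are assumptions, not a vendor schema.
GOOGLE_ACCOUNTS = [
    {"id": "g-1", "primary": "alice@example.com", "aliases": ["a.smith@example.com"]},
    {"id": "g-2", "primary": "bob@example.com", "aliases": []},
    {"id": "g-3", "primary": "carol@example.com", "aliases": ["carol@example.org"]},
]
DIRECTORY_EMAILS = ["Alice@example.com", "a.smith@example.com", "bob@example.com",
                    "dave@example.com", "erin@partner.test", "carol@example.org"]
SYNCED_DOMAINS = ["example.com", "example.org"]


def build_index(google_accounts):
    """Map each primary and alias address (lower-cased) to its Google account id."""
    index = {}
    for acct in google_accounts:
        for addr in [acct["primary"], *acct.get("aliases", [])]:
            index[addr.lower()] = acct["id"]
    return index


def preflight(directory_emails, google_accounts, synced_domains):
    """Classify directory emails before sync is enabled."""
    index = build_index(google_accounts)
    domains = {d.lower() for d in synced_domains}
    report = {"matched": {}, "collisions": {}, "unmatched": [], "outside_domains": []}
    claims = {}  # Google account id -> directory emails that would bind to it
    for raw in directory_emails:
        email = raw.strip().lower()  # assumption: comparison is case-insensitive
        if email.rpartition("@")[2] not in domains:
            report["outside_domains"].append(email)  # domain not in the synced directory
        elif email in index:
            claims.setdefault(index[email], []).append(email)
        else:
            report["unmatched"].append(email)  # no Google primary or alias matches
    for account_id, emails in claims.items():
        if len(emails) == 1:
            report["matched"][emails[0]] = account_id
        else:  # two directory users resolve to one Google account via an alias
            report["collisions"][account_id] = sorted(emails)
    return report


if __name__ == "__main__":
    for bucket, value in preflight(DIRECTORY_EMAILS, GOOGLE_ACCOUNTS, SYNCED_DOMAINS).items():
        print(bucket, value)
```

Entries under `collisions` and `outside_domains` are the ones to resolve by hand before the first sync, since alias matching can bind two directory users to one Google account.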
Google Workspace Integration Configuration Workflow
Using a person's Google user account to authorize the integration may cause the integration to break if that person leaves the organization or if their roles or privileges change.
- Prepare for the Google Workspace Integration
  - Review considerations and complete prerequisites
  - Create a dedicated Google service account for the integration with the following required roles:
    - Groups Admin (pre-built role)
    - User management Admin (pre-built role)
    - Custom role with ‘Domain Management’ admin API privileges
- Add a new Google Workspace Cloud Directory Integration
- Configure the Google Workspace Integration
- Use the Google Workspace Integration
  - Import Users