Google Workspace

Google Workspace SCIM support is pretty minimal, so we directly tap into their APIs to give you the full benefit of SCIM-like functionality.

To enable this, you have to authenticate against Google so that we get access to the Admin SDK API. When you create a new Directory Sync connection, the Google authentication URL is displayed; you can send it to your customer so they can authenticate against their Google tenant. It doesn't require any of the traditional SCIM setup.

Self-hosting instructions

If you are self-hosting, the following guide will walk you through the process of configuring SAML Jackson to use Google Workspace as a directory sync provider.


Jackson requires a Google OAuth App to be configured to access the Admin SDK API. You can use your existing OAuth App or create a new one.

Create OAuth App

Navigate to the Google Cloud Console and select your project from the list.

Select APIs & Services from the left menu and then select Credentials.

Select OAuth client ID from the CREATE CREDENTIALS dropdown.

Give your credentials a name and select Web application as the Application type.

Add the following Authorized redirect URIs and then click Create.

https://<your-domain>/api/scim/oauth/callback

Note that the above callback URL works if you're using Jackson as a service.

If using Jackson as an NPM package, the Authorized redirect URIs will be a URL on your application that you'll need to configure. See Google Directory Sync API for more information.

Copy the Client ID and Client secret and save them for later.

Please don't forget to configure the OAuth consent screen and publish it so your customers can access it.

See the Environment Variables section to learn how to configure Jackson with these values.

Once Jackson is configured, you can authenticate the tenants with Google OAuth and sync their Workspace directory.

Enable Admin SDK API

We need access to the Admin SDK API. To enable it, follow these steps:

Head over to the Enabled APIs and services section in the console.

Search for admin sdk api.

Select the Admin SDK API and click on the ENABLE button.

Schedule Sync

Jackson can be configured to sync your Google Workspace directory on a schedule (e.g. every 2 hours).

The Jackson service exposes the API URL below, which can be called to trigger a sync. You can use a cron job to invoke this URL on a schedule.

Depending on the number of Google directories you have, the sync can take a few minutes to complete.

curl -X POST \
-H "Authorization: Api-Key YOUR_API_KEY" \
http://localhost:5225/api/v1/dsync/cron/sync-google

Alternatively, you can set the DSYNC_GOOGLE_CRON_INTERVAL env var to enable the cron in the Jackson service.
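
For the cron-job route described above, one way to wrap the call, as an added example (not code from the Jackson project): it reads the API key from a file only its owner can access, hands it to curl on stdin so the key does not appear in the process list, and skips a run while a previous sync is still in progress. The key file path, lock directory and 600-second timeout are assumptions.

```shell
#!/bin/sh
# Cron wrapper for Jackson's Google sync endpoint (added example, not Jackson code).
# Assumptions: KEY_FILE and LOCK_DIR paths and the 600-second cap are hypothetical.
JACKSON_URL="${JACKSON_URL:-http://localhost:5225/api/v1/dsync/cron/sync-google}"
KEY_FILE="${KEY_FILE:-/etc/jackson/api-key}"
LOCK_DIR="${LOCK_DIR:-/var/lock/jackson-google-sync.lock}"

# Succeeds only if the key file exists and grants nothing to group or others.
key_file_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld -- "$1")" in
    ????------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints a curl config for stdin, so the API key never shows up in argv (ps).
# Rejects empty keys and keys with quotes, backslashes or whitespace, which
# would break out of the quoted header value.
build_curl_config() {
  case "$1" in
    ''|*'"'*|*'\'*|*[[:space:]]*) return 1 ;;
  esac
  printf 'request = "POST"\nfail\nsilent\nshow-error\nmax-time = 600\n'
  printf 'header = "Authorization: Api-Key %s"\nurl = "%s"\n' "$1" "$2"
}

sync_google() {
  key_file_ok "$KEY_FILE" || { echo "key file missing or too permissive" >&2; return 1; }
  cfg=$(build_curl_config "$(cat "$KEY_FILE")" "$JACKSON_URL") || {
    echo "API key is empty or has unsafe characters" >&2; return 1; }
  # mkdir is atomic; a sync can take minutes, so skip if one is still running.
  mkdir "$LOCK_DIR" 2>/dev/null || { echo "previous sync still running" >&2; return 0; }
  trap 'rmdir "$LOCK_DIR"' EXIT
  printf '%s\n' "$cfg" | curl --config -
}

# Cron calls the script with "run"; without it only the functions are defined.
if [ "${1:-}" = "run" ]; then sync_google; fi
```

A crontab entry such as `0 */2 * * * /usr/local/bin/jackson-google-sync.sh run` (script path hypothetical) gives the every-2-hours schedule mentioned above. If the script does not run on the same host as Jackson, point JACKSON_URL at an https endpoint so the API key is not sent in clear text.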

Learn more about Google Directory Sync API.

FAQ

Does Google Workspace sync in real time?

No, Google Workspace sync is not real-time. Jackson syncs the Google Workspace directory on a schedule (e.g. every 2 hours). In a self-hosted deployment, you can configure a cron job to sync the directory on a schedule of your choice.

Can I sync specific groups from Google Workspace?

Not possible at the moment. Jackson syncs all the groups from Google Workspace. You have to filter the groups on your application's side.