Connect Google Workspace to 1Password SCIM Bridge

Learn how to set up and use 1Password SCIM Bridge to integrate with Google Workspace.

Important

Before you can integrate with Google Workspace, you’ll need to set up and deploy 1Password SCIM Bridge.

With 1Password Business, you can integrate 1Password with Google Workspace to automate many common administrative tasks:

  • Create users: Users created in Google Workspace will be provisioned to 1Password.
  • Update user attributes: Changing user attributes in your Google Workspace directory, such as the user’s name and email address, will change the mapped attributes in 1Password.
  • Suspend users: Suspending a user in Google Workspace will suspend the user in 1Password.

To integrate 1Password with Google Workspace, you’ll create a Google service account and API client, then give it permission to read your directory’s users, groups and group members, and administrator events from Google Workspace. This allows the SCIM bridge to fetch information about and capture events for user creation, suspension, and deletion.

To get started, sign in to your account on the Google Cloud Console and follow these steps.

Step 1: Create a Google service account, key, and API client

Before you begin, open the Google Cloud Marketplace and find the Admin SDK API. Click Enable to turn on the API. This will take a moment. Then follow these steps:

These steps were recorded in June 2022 and may have changed since. Refer to the Google Cloud documentation for the most up-to-date steps.

1.1: Create a Google service account and key

  1. Click the navigation menu in the top left and choose IAM & Admin > Service Accounts.
  2. Click Create Project and follow the onscreen instructions.

    If you have an existing project that you want to use, click the project name in the top navigation and select it.

  3. After you create a project, click Create Service Account, fill out the “Service account name” field, then click Done.
  4. Click the service account you just created, then click Keys.
  5. Choose Add Key > “Create new key”.
  6. Select JSON and click Create. The service account key will be downloaded to your computer.
  7. Store the service account key in 1Password so you can find it later.

1.2: Add a new API client

  1. Click the Details tab on the service account you created.
  2. Click “Advanced settings”, then click to copy the Client ID.
  3. Click View Google Workspace Admin Console.
  4. Click the navigation menu in the top left and choose Security > “Access and data control” > “API controls”.
  5. Scroll down to “Domain wide delegation” and click Manage Domain Wide Delegation.
  6. Click “Add new”, then fill out the information:
    • Client ID: paste the Client ID you copied
    • OAuth scopes: Paste the following:
      • https://www.googleapis.com/auth/admin.directory.user.readonly
      • https://www.googleapis.com/auth/admin.directory.group.readonly
      • https://www.googleapis.com/auth/admin.directory.group.member.readonly
      • https://www.googleapis.com/auth/admin.reports.audit.readonly
  7. Click Authorize.
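
Before uploading the key, you can check that the downloaded JSON file is a complete service account key and that the scopes entered under domain-wide delegation match the four read-only scopes listed above. The following is an added example, not part of 1Password's or Google's tooling; the function names and the sample key and scope values are constructed for illustration.

```python
import json

# The four read-only OAuth scopes this page says to authorize.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
})
# Fields a Google service account JSON key is expected to carry.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id")

def check_key(raw_json):
    """Return (client_id, problems) for a downloaded service account key."""
    key = json.loads(raw_json)
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    return key.get("client_id"), problems

def audit_scopes(authorized):
    """Compare a comma-separated scope list with the set this page requires."""
    granted = {s.strip() for s in authorized.split(",") if s.strip()}
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "extra": sorted(granted - REQUIRED_SCOPES),
        "not_readonly": sorted(s for s in granted if not s.endswith(".readonly")),
    }

# Constructed sample key (placeholder values, not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "scim-bridge@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
})
# Constructed delegation entry: one read/write scope added, audit scope missing.
SAMPLE_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user, "
    "https://www.googleapis.com/auth/admin.directory.user.readonly, "
    "https://www.googleapis.com/auth/admin.directory.group.readonly, "
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly"
)

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY))
    print(json.dumps(audit_scopes(SAMPLE_SCOPES), indent=2))
```

An empty result in all three lists means the delegation entry grants exactly what the SCIM bridge needs and nothing more.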

Step 2: Configure your SCIM bridge

Important

Before you proceed, make sure you’ve set up and deployed your 1Password SCIM Bridge.

2.1: Upload the service account key

  1. Open your SCIM bridge and enter your bearer token.
  2. Scroll down and click Google Workspace.
  3. Click Upload Workspace Key to upload the .json key you created earlier.
  4. Re-enter your bearer token and click Verify.
  5. Go back to the Google Workspace section, then fill out these fields:
    • Actor: the email address of the administrator in Google Workspace that the service account is acting on behalf of.
    • Domain: your Google Workspace domain (example.com).
    • Bridge Address: the URL of your SCIM bridge (not your 1Password account sign-in address). For example: https://scim.example.com
  6. Click Save Configuration.
  7. Enter your bearer token again and click Verify. You should see a green checkmark ✅ beside Workspace Server.

2.2: Provision users

Important

Make sure your directory contains the users you want to provision. When you follow these steps, all current users in Google Workspace will be provisioned to 1Password. A future version of the integration will include group management.

After you’ve connected Google Workspace to your SCIM bridge, new users added in Google Workspace will automatically be provisioned to your 1Password account. You can also provision everyone in your directory from your SCIM bridge:

  1. Scroll down and click Google Workspace.
  2. Click Sync Users.

If some users can’t be provisioned, you’ll see an error message with details.

Settings

To manage your Google Workspace provisioning settings, open your SCIM bridge and enter your bearer token, then scroll down to Google Workspace.

  • To turn off synchronization, click Delete Workspace Key. After you turn off synchronization, any changes from your Google Workspace directory will no longer affect users in 1Password, but you can continue to add and remove team members on 1Password.com.