Connect Google Workspace to 1Password SCIM Bridge

Learn how to set up and use 1Password SCIM Bridge to integrate with Google Workspace.

Important

Before you can integrate with Google Workspace, you’ll need to set up and deploy 1Password SCIM Bridge.

With 1Password Business, you can integrate 1Password with Google Workspace to automate many common administrative tasks:

Provision

  • Create users: Users in selected Google Workspace groups will be provisioned to 1Password.
  • Update user attributes: Changing user attributes in your Google Workspace directory, such as the user’s name and email address, will change the mapped attributes in 1Password.
  • Deactivate users: Suspending or deleting a user in Google Workspace will suspend the user in 1Password.

Manage groups

  • Sync groups: Sync groups from Google Workspace to 1Password.

To integrate 1Password with Google Workspace, you’ll need to create a Google service account and API client, then give it permission to read your directory’s users, groups and group members, and administrator events from Google Workspace. This allows the SCIM bridge to fetch information about and capture events for user creation, suspension, and deletion.

To get started, sign in to your account on the Google Cloud Console and follow these steps.

Step 1: Create a Google service account, key, and API client

These steps were recorded in July 2022 and may have changed since. Refer to the Google Cloud documentation for the most up-to-date steps.

1.1: Create a Google service account and key

  1. Open the Google Cloud Marketplace and find the Admin SDK API.
  2. Click Enable to turn on the API. This will take a moment.
  3. Click the navigation menu in the top left and choose IAM & Admin > Service Accounts.
  4. Click Create Project and follow the onscreen instructions.

    If you have an existing project that you want to use, click the project name in the top navigation and select it.

  5. After you create a project, click Create Service Account, fill out the “Service account name” field, then click Done.
  6. Click the service account you just created, then click Keys.
  7. Choose Add Key > “Create new key”.
  8. Select JSON and click Create. The service account key will be downloaded to your computer.
  9. Save the service account key in 1Password so you can find it later.

The service account page in the Admin SDK API with op-scim as the name

The Keys tab of the service account with one key shown

1.2: Add a new API client

  1. Click the Details tab on the service account you created.
  2. Click “Advanced settings”, then click to copy the Client ID.
  3. Click View Google Workspace Admin Console and navigate to the Domain-wide Delegation page.
  4. Click “Add new”, then fill out the information:
    • Client ID: paste the Client ID you copied.
    • OAuth scopes: paste the following:
      • https://www.googleapis.com/auth/admin.directory.user.readonly
      • https://www.googleapis.com/auth/admin.directory.group.readonly
      • https://www.googleapis.com/auth/admin.directory.group.member.readonly
      • https://www.googleapis.com/auth/admin.reports.audit.readonly
  5. Click Authorize.
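
The following is an added example, not part of 1Password's or Google's documentation: a Python check that a downloaded service account key and the Domain-wide Delegation entry from step 1.2 agree, and that the entry grants exactly the four read-only scopes listed above. The function name, the sample key and the Client ID values are constructed for illustration; the script assumes you pass in the Client ID and scope string exactly as entered in the Admin Console.

```python
import json

# The four read-only scopes this page lists for the delegation entry.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
})
# Fields a Google service account JSON key carries that this check relies on.
KEY_FIELDS = ("type", "client_id", "client_email", "private_key")

# Constructed sample key: placeholder values only, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "op-scim@example-project.iam.gserviceaccount.com",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
})


def audit_delegation(key_json, delegated_client_id, delegated_scopes):
    """Return a list of findings; an empty list means the grant matches the page."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    findings = [f"key file is missing '{f}'" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        findings.append(f"key type is '{key['type']}', expected 'service_account'")
    if key.get("client_id") and key["client_id"] != delegated_client_id.strip():
        findings.append("delegation Client ID does not match the key's client_id")
    # Accept the scopes comma-separated or one per line.
    parts = delegated_scopes.replace("\n", ",").split(",")
    granted = {p.strip() for p in parts if p.strip()}
    for scope in sorted(REQUIRED_SCOPES - granted):
        findings.append(f"missing scope: {scope}")
    for scope in sorted(granted - REQUIRED_SCOPES):
        kind = "read-only" if scope.endswith(".readonly") else "not read-only"
        findings.append(f"unexpected {kind} scope: {scope}")
    return findings


if __name__ == "__main__":
    result = audit_delegation(SAMPLE_KEY, "100000000000000000001", ",".join(REQUIRED_SCOPES))
    print(result or "delegation entry matches the documented scopes")
```

Any finding about an unexpected scope that is not read-only means the service account can do more in your directory than the SCIM bridge needs for the tasks this page describes.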

Step 2: Configure your SCIM bridge

Important

Before you proceed, make sure you’ve set up and deployed your 1Password SCIM Bridge.

2.1: Upload the service account key

  1. Open your SCIM bridge and enter your bearer token.
  2. Scroll down to Google Workspace and click Upload Service Account Key.
  3. Upload the .json key you created earlier.
  4. Go back to the Google Workspace section, then fill out these fields:
    • Actor: the email address of the administrator in Google Workspace that the service account is acting on behalf of.
    • Bridge Address: the URL of your SCIM bridge (not your 1Password account sign-in address). For example: https://scim.example.com
  5. Click Save.
  6. Enter your bearer token again and click Verify. You should see a green checkmark beside Workspace Server.

The Google Workspace configuration section in 1Password SCIM bridge

2.2: Set up provisioning to 1Password

After you’ve connected Google Workspace to your SCIM bridge, you can choose which groups to provision to 1Password:

  1. Scroll down to Google Workspace.
  2. Select the group(s) you would like to provision to 1Password, then click Save.

After you set up provisioning, wait a few moments, then open the People and Groups pages on 1Password.com to make sure your users are provisioned.

Settings

To manage your Google Workspace provisioning settings, open your SCIM bridge and enter your bearer token, then scroll down to Google Workspace.

  • To stop provisioning a group to 1Password, deselect it, then choose Stop Syncing or Remove from 1Password.
    • When you choose Stop Syncing, any changes made to the group in your directory will not propagate to 1Password.
    • When you choose Remove from 1Password, the group will be removed and everyone in it will be suspended in 1Password, unless they are part of another group that is provisioned to 1Password.
  • To turn off provisioning, open the Integrations page on 1Password.com and click the Google Workspace integration, then turn off “Provisioning users & groups”. After you turn off provisioning, any changes from your Google Workspace directory will no longer affect users in 1Password, but you can continue to add and remove team members on 1Password.com.
