G Suite (Google Apps) Directory Integration
Article: KB0010300 Published: 05/06/2020 Last modified: 05/06/2020

OneLogin's integration with G Suite ties together your existing G Suite user management system with the web-based applications used by your company, providing an Identity and Access Management system rooted in your G Suite account. This is achieved by:

  • Importing user accounts from G Suite into OneLogin, so you don't have to import them by hand
  • Continuously monitoring G Suite for new or updated users and instantly creating/updating those users in OneLogin.

When used together with the G Suite SAML connector, the G Suite Directory Connector can create a real-time bidirectional integration between OneLogin and G Suite, keeping OneLogin updated whenever users are added or updated in G Suite, and G Suite updated whenever users are added or updated in OneLogin.

Prerequisites

  • G Suite Administrator account with access to create/delete/update users and groups data

Configure the G Suite Directory Connector

This article explains how to configure the G Suite Directory Connector, but for a quick overview, check out this video:

[Video: quick overview of configuring the G Suite Directory Connector]

  1. In OneLogin, go to Users > Directories, click the New Directory button, and click the Choose button for G Suite.

    If you are editing a directory connector that you have already saved, select it directly from the Users > Directories page.

  2. On the Basic tab, enter the name of the directory.

    [Screenshot: directory name field]

  3. Under Directory, select OneLogin as the app to Authenticate users in.

  4. Under Basic Configuration, enable G Suite as your user directory and enter your primary G Suite domain in the Google Apps Domain field (such as acme.com).

    [Screenshot: Basic Configuration section]

    If your G Suite account includes multiple domains, only users from the primary domain will be synced to OneLogin, unless you select Include all sub-domains. This option ensures that users in all domains associated with the primary domain will be synced.

  5. Under Importing Users, configure the settings that determine how users will be imported from G Suite.

    [Screenshot: Importing Users section]

    Enable Mappings: select if you want to assign users to OneLogin attributes based on their G Suite Group membership or admin role. This setting is selected by default. For more information, see Mapping Google Groups to OneLogin Attributes.

    Enable real-time updates: select if you want new users or updates to be imported to OneLogin immediately whenever they are added or updated in G Suite. This setting is selected by default when you are setting up new G Suite directory connectors. For G Suite directory connectors that were set up before this feature was released on July 26, 2016, this setting is cleared by default. In most cases, selecting this option provides the best integration with OneLogin. If you don't select it, user updates are imported to OneLogin every six hours.

    Note: Due to processing limitations on the G Suite side, OneLogin will not be notified of a user's group membership changes in real time unless another user attribute changes at the same time. Otherwise, group membership changes are passed through only during the 6-hour periodic sync.

    Sync User Status from Google: select to update the OneLogin status (suspended, active) whenever the user status changes in G Suite (suspended, active). In most cases, selecting this option provides the best integration with OneLogin. If you selected OneLogin as your authentication source in step 3, above, we recommend that you also select this option. If you don't opt to sync user status from Google, the Smart Passwords feature could allow a user who is suspended in G Suite to continue to access G Suite through OneLogin using the cached password hash.

    On the other hand, if you have service accounts configured in Google that you don't want enabled in OneLogin, you might be better off using mappings to set user status (active or suspended) in OneLogin based on G Suite status (active or suspended), excluding these service accounts. For more information, see Mappings.

    Note that this setting does not affect the way user deletion in G Suite is handled in OneLogin. That synchronization setting is configured in the Deleted users in Google drop-down menu.

  6. Select whether to Enforce OneLogin password expiration policies when they are more restrictive than your G Suite password expiration policies.

    When you enable this setting, the most restrictive password policy always wins. If OneLogin's password expiration interval is shorter than your G Suite directory's, OneLogin's is applied. If your G Suite directory password expiration interval is shorter, its policy is applied.

    Note: OneLogin doesn't enforce the Password change at next login option in G Suite. To require password changes at next login, use the policy settings in OneLogin, found in Settings > Policies.

  7. Select how users who are deleted in G Suite should be handled in OneLogin.

  8. Select a value from the Deleted users in Google... drop-down menu. Users can be deleted or suspended, or you can leave their OneLogin status unaffected by their G Suite status. Whichever option you select, admin users are neither suspended nor deleted.

  9. Click Save to save the directory, display the fields that enable you to perform authentication against the G Suite API, and display the Directory Attributes tab, where you can map G Suite attributes to OneLogin directory attributes.

  10. Authenticate OneLogin with the G Suite API.

    1. On the Basic tab, click the Authorize button to initiate authentication.

      [Screenshot: Authorize button]

    2. When prompted by G Suite, enter your G Suite Super Admin credentials and accept OneLogin's request for access.

      When you click Accept, you return to the Basic tab on the G Suite directory setup page in OneLogin, where a brief message indicates that your directory connection was successful.

      If you want to reauthenticate to the API (for example, if you change your G Suite domain), click Clear session token and repeat the API authentication steps listed above.

      If you clear the OAuth token due to security concerns, delete the old token from G Suite. To do that, you must log in to G Suite with the administrator credentials that were used to create the OAuth token, at https://myaccount.google.com/permissions?pli=1. If you don't have access to those credentials, contact G Suite support for assistance.

  11. (Optional) On the Directory Attributes tab, map G Suite attributes to OneLogin attributes.

    In addition to the key user attributes imported from G Suite to OneLogin (email, first name, last name, externalID, and so on), there are additional attributes that you can import from G Suite:

    • Company
    • Cost Center
    • Department
    • Manager
    • Employee ID
    • Employee Type
    • Groups
    • Phone
    • Title

    To map one of these G Suite attributes to OneLogin, create a custom field in OneLogin to hold the value. For example, you can create a custom OneLogin field and select that attribute on this tab to hold a user's Google Group value upon user import from G Suite to OneLogin.

    For instructions, see Mapping Google Groups to OneLogin Attributes. These instructions use the example of mapping Google Groups, but the process is the same for all available attributes.

    Click Save if you made any changes on this tab.

  12. To initiate user import from G Suite, return to the Basic tab and click Sync Users to provision users from G Suite to OneLogin.

    Note: To verify that the API connection is working and that your users are being imported successfully, go to Activity > Events and view the user import logs.
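As an added illustration (constructed for this article, not OneLogin's own code), the following Python models how the Sync User Status from Google and Deleted users in Google settings from steps 5 and 8 decide a user's OneLogin status after a sync, and lists the suspended G Suite users who would keep an active OneLogin account when status sync is off. The drop-down value names, the user records and the admin handling outside the deleted-user case are assumptions.

```python
# Constructed model, not OneLogin's code: how "Sync User Status from Google"
# and "Deleted users in Google" decide a user's OneLogin status after a sync.
from dataclasses import dataclass

# Constructed names for the "Deleted users in Google" drop-down choices.
DELETE, SUSPEND, UNAFFECTED = "delete", "suspend", "unaffected"


@dataclass
class GSuiteUser:
    email: str
    suspended: bool = False   # suspended in G Suite
    deleted: bool = False     # no longer exists in G Suite
    is_admin: bool = False    # OneLogin admin user


def reconcile_status(user, current, sync_status, deleted_action):
    """Return the OneLogin status ('active', 'suspended' or 'deleted')
    for `user` after one sync, given the current OneLogin status."""
    if user.deleted:
        # Admin users are neither suspended nor deleted, whatever the setting.
        if user.is_admin or deleted_action == UNAFFECTED:
            return current
        return "deleted" if deleted_action == DELETE else "suspended"
    if sync_status:
        return "suspended" if user.suspended else "active"
    # Status sync disabled: a G Suite suspension is not propagated, so the
    # OneLogin account keeps whatever status it already had.
    return current


def stale_access(users, current_statuses, sync_status, deleted_action):
    """Emails of users suspended in G Suite who would still be active in
    OneLogin after the sync; with Smart Passwords these could keep signing in
    through OneLogin using the cached password hash."""
    stale = []
    for u in users:
        new = reconcile_status(u, current_statuses[u.email], sync_status, deleted_action)
        if u.suspended and not u.deleted and new == "active":
            stale.append(u.email)
    return stale


if __name__ == "__main__":
    # Constructed sample directory: one suspended user, one active user.
    sample = [GSuiteUser("alice@acme.com", suspended=True), GSuiteUser("bob@acme.com")]
    onelogin = {"alice@acme.com": "active", "bob@acme.com": "active"}
    print("status sync off:", stale_access(sample, onelogin, False, UNAFFECTED))
    print("status sync on: ", stale_access(sample, onelogin, True, UNAFFECTED))
```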

Mapping Google Groups to OneLogin Attributes

If you are using G Suite as your user directory, you may want to use Google Group membership to determine OneLogin security levels (through OneLogin group membership) or app access (through OneLogin roles).

These instructions can also be applied to mapping any available G Suite attribute to a OneLogin attribute.

Note: Because this mapping requires a custom field, you must be on an Unlimited plan. See our plan and pricing information.

Note: The attribute conventionally used to hold the mapping group is MemberOf. Google Groups does not natively use that name, but this guide uses it as a reference point for the sake of simplicity.

To enable this mapping of Google Group membership to OneLogin roles, security policies, or other attributes, the best practice is to map your users' Google Group value to their MemberOf attribute in OneLogin:

  1. Create a custom user field to hold the attribute.

    1. Go to Users > All Users and select Custom User Fields under More Actions.
    2. Click New User Field.
    3. Enter a Name and Shortname (no spaces) for the user field.

  2. Map the new user field to the MemberOf attribute.

    1. Go to Users > Mappings and click the New Mappings button.
    2. Name the mapping and select the Conditions for the mapping.
    3. Set the Actions to Set MemberOf and the value to the short name of the custom user field, using the syntax {custom_attribute_short_name_of_field}.
    4. Return to the Users > Mappings page and click Reapply all mappings.

  3. Map Google Groups to the new custom user field.

    1. Go to Directories and select the G Suite directory from the list.
    2. On the Directory Attributes tab, click the + plus sign to add an attribute mapping.
    3. Under Directory Field, select Groups from the drop-down.
    4. Under OneLogin Field, select the user field that you created above.
    5. Click Save.

  4. Verify that your users' Google Group membership is mapped as their MemberOf value.

    1. Go to Users > All Users and select a user that was imported from your G Suite directory.
    2. On the User Info tab, view the Directory Details section.

      The Member of value should be name=users_google_group.

Now when you sync users from G Suite to OneLogin, each user's MemberOf attribute will hold that user's Google Group value. And you can use Google Group membership to assign OneLogin roles, statuses, security policy (through OneLogin group membership), or any other OneLogin attribute that you want, simply by mapping from MemberOf. For more information about using mapping to assign roles, see Mappings.
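As an added illustration (constructed for this article, not OneLogin's own code), the following Python models the chain of mappings just described: the Groups directory field is copied into a custom user field, the Set MemberOf action resolves the {custom_attribute_short_name_of_field} syntax against that field, and a role mapping then keys off the MemberOf value. The shortname google_group, the sample user record and the role name are assumptions.

```python
# Constructed model, not OneLogin's code, of the mapping chain described above:
# G Suite Groups -> custom user field -> MemberOf -> OneLogin role.
import re

# Shortname chosen for the custom user field in step 1 (assumed value).
CUSTOM_FIELD = "google_group"
# The Set MemberOf action value from step 2.3, written in the article's syntax.
MEMBEROF_ACTION = "{custom_attribute_%s}" % CUSTOM_FIELD

TEMPLATE = re.compile(r"\{custom_attribute_([A-Za-z0-9_]+)\}")


def resolve_template(value, custom_attributes):
    """Replace each {custom_attribute_<shortname>} with the user's custom field
    value; a field the user does not have resolves to '' (modelling assumption)."""
    return TEMPLATE.sub(lambda m: custom_attributes.get(m.group(1), ""), value)


def import_user(gsuite_user, directory_attribute_map):
    """Step 3: copy the mapped directory fields (e.g. Groups) into the OneLogin
    user's custom fields. `gsuite_user` is a constructed attribute dict."""
    custom = {ol: gsuite_user[g] for g, ol in directory_attribute_map.items() if g in gsuite_user}
    return {"email": gsuite_user["email"], "custom_attributes": custom,
            "member_of": "", "roles": []}


def apply_mappings(user, memberof_action, role_rules):
    """Step 2 plus a role mapping: set MemberOf from the custom field, then grant
    the roles whose condition matches the MemberOf value exactly."""
    user["member_of"] = resolve_template(memberof_action, user["custom_attributes"])
    user["roles"] = [role for value, role in role_rules.items() if user["member_of"] == value]
    return user


if __name__ == "__main__":
    # Constructed G Suite record; the Groups value follows the article's
    # "name=<group>" form.
    jane = import_user({"email": "jane@acme.com", "Groups": "name=engineering"},
                       {"Groups": CUSTOM_FIELD})
    jane = apply_mappings(jane, MEMBEROF_ACTION, {"name=engineering": "Engineering Apps"})
    print(jane["member_of"], jane["roles"])
```

A user without a Groups value ends up with an empty MemberOf and no roles, so a role that must be granted to everyone should not be keyed off MemberOf alone.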
