Updated Google workspace self-hosted IdP guide (#99)

2026-04-16 07:26:35 +00:00 · 2023-10-04 12:41:11 +03:00
parent 0609358c92
commit 6995e10833
7 changed files with 22 additions and 9 deletions
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/google-domain-delegation-added.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/google-domain-delegation-added.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png
--- a/src/pages/selfhosted/identity-providers.mdx
+++ b/src/pages/selfhosted/identity-providers.mdx
@@ -923,19 +923,32 @@ Read how to manage and secure your service keys [here](https://cloud.google.com/

 - Open downloaded json file and take note of `client_id` will be used later as `Service Account Client ID`

-#### Step 5: Granting service account access to organization data
+#### Step 5: Grant user management admin role to service account
 - Navigate to [Admin Console](https://admin.google.com/ac/home) page
- Select `Security` > `Access and data control` > `API controls` and then click `MANAGE DOMAIN WIDE DELEGATION`
- Click `Add new`
- Fill in the form with the following values
-    - Client ID: `<Service Account Client ID>`
-    - OAuth scopes: `https://www.googleapis.com/auth/admin.directory.user.readonly`
+- Select `Account` on the left menu and then click `Admin Roles`
+- Click `Create new role`
+- Fill in the form with the following values and click `CREATE`
+    - name: `User Management ReadOnly`
+    - description: `User Management ReadOnly`
+- Click `CONTINUE`
 <p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png" alt="high-level-dia" class="imagewrapper"/>
+    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png" alt="high-level-dia" class="imagewrapper"/>
 </p>
- Click `AUTHORIZE`
+
+- Scroll down to `Admin API privileges` and add the following privileges
+    - Users: `Read`
+- Click `CONTINUE`
 <p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-domain-delegation-added.png" alt="high-level-dia" class="imagewrapper"/>
+    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+- Verify preview of assigned Admin API privileges to ensure that everything is properly configured, and then click `CREATE ROLE`
+- Click `Assign service accounts`, add service account email address and then click `ADD`
+<p>
+    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+- Click `ASSIGN ROLE` to assign service account to `User Management ReadOnly` role
+<p>
+    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png" alt="high-level-dia" class="imagewrapper"/>
 </p>

 - Navigate to [Account Settings](https://admin.google.com/ac/accountsettings/profile?hl=en_US) page and take note of `Customer ID`