Skip to main content

Configure Google Workspace connector

The Snow Integration Connector for Google Workspace is used to determine the number of registered Workspace users.

The configuration must be started and prepared according to SaaS connector configuration.

Prerequisites

A Google Workspace Team account with the following permissions set is required:

  • Admin console privileges > Reports

  • Admin API privileges > Users > Read

  • Admin API privileges > domains > list

Set up a Workspace app

  1. Go to the Workspace admin console on https://workspace.google.com/products/admin/.

  2. Select Admin console and sign in to the console using your Workspace Team account credentials.

  3. On the Workspace dashboard, go to Security > Access and data control > API controls.

    Note

    API controls may be named App access control.

  4. Select Settings > Internal apps and then Trust internal, domain-owned apps.

  5. Save your changes.

  6. To verify the domain ownership inside Workspace:

    1. On the dashboard, select Accounts > Domains > Managed domains > Verify domain.

    2. On the Add a meta tag to your homepage, copy the Meta tag value to the homepage of your website, and then select I have added the meta tag to my homepage.

    3. Select Verify. A message will be displayed saying if the website was successfully verified.

  7. Go to https://console.developers.google.com and create a project.

  8. Select the project and under APIs and services, select API library. Search and enable Admin SDK API from the API library.

  9. Go to the OAuth consent screen page in your project:

    1. For User Type, select Internal, and then CREATE.

      The OAuth consent screen page appears.

    2. Add the application name, user support email, and developer contact email.

    3. Save and continue.

    4. Select ADD or Remove scopes.

    5. From the list of scopes available, select and add the following scopes:

      • auth/admin.directory.user.readonly

      • auth/admin.reports.usage.readonly

      • auth/admin.directory.domain

      • auth/admin.directory.domain.readonly

    6. Save the changes made.

  10. Go to the Credentials page in your project.

    1. Select + Create credentials and then select OAuth Client ID.

    2. On the OAuth Client ID page, for Application Type, select Web application.

    3. Enter the Name of the app.

    4. In the Authorized redirect URIs section, select + ADD URI and enter http://localhost:8080.

    5. Select Create.

      Your Client ID and Client Secret are displayed in the dialog that appears. Save these values to use when configuring the client id and client secret fields in the connector.

    6. To close the dialog, select OK.

Procedure

In the Configure Google Workspace section at the bottom of Connector Configuration: SaaS, follow the steps as given below.

  1. In Client ID, enter the value for the Client ID of the created app in Set up a Workspace app.

  2. In Client Secret, enter the value for Client Secret of the created app as in Set up a Workspace app.

  3. In Redirect URI, enter the value for a redirect uri.

    Note

    The redirect URI can for example be http://localhost:8080 if it is not used by another application.

  4. Enter your Customer Id, according to the steps described in Google's Cloud Identity Help page.

  5. Select Get URI. The All good dialog appears.

  6. Authenticate and generate the URI for the URI from browser

    1. In the All good dialog, select OK.

    2. On the default browser that opens, enter the credentials for your Workspace Team account and select Next.

    3. Select Allow.

      A uri appears in the browser address field.

  7. Enter the uri in the URI from browser.

  8. Select Get Token. A message saying that the token is successfully acquired appears.

  9. To fetch your required domains into aggregation, select Domain Filtering.

  10. On Filter by domains, select Enable domain filtering.

  11. Select the domains that you want to import data from. Select All selects all of the domains in the list and Select None clears the checkboxes.

  12. To load the domains and close the window, select OK.

  13. To check whether the connection can be established, select Test Connection.

  14. If the connection cannot be established, verify that the connector has been configured according to Step 1 to Step 8.

  15. To allow the data to be aggregated, select Active.

  16. Select Save.

Note

Version 5.8 of Snow Integration Manager fetches only last login time for the Google Workspace accounts. The last login time is set as the last activity time for Google Workspace account users. However, if the user is using a POP or IMAP email client, and actively using Gmail, then the last login time will not be tracked in Snow Integration Manager 5.8. Therefore, active users can be flagged as inactive if they do not log in to the Google Workspace website.

Snow Integration Manager 5.9, and later versions, fetches last email interaction time for Google Workspace users which provides more accurate data. However, a token acquired in Snow Integration Manager 5.8 does not provide enough permission to fetch email activity report. This can be a problem if the Snow Integration Manager user has scheduled a Google Workspace aggregation using Snow Integration Manager 5.8 and upgraded to Snow Integration Manager 5.9 before the aggregation starts. To solve this, perform Step 5 to Step 13 to fetch a new token. The new token will have enough permissions to fetch the email usage report.

In this section: