Configuring SSO for G-Suite

Configuring SSO for G-Suite

Configure G-Suite single sign-on (SSO) integration with Amazon Web Services (AWS) - Lambda

Before going through these steps, make sure you have followed the instructions to configure AWS SSO (IAM Identity Center).

Create Admin SDK API

First, you have to setup your API in the project you want to use:

  • Go to the Google console (;
  • Make sure you are managing the correct project. If don’t have a project, create one follow this instructions;
  • Create or select your project;
  • Select API & Services > Enable APIs and Services;
  • Search for Admin SDK and Enable the API;

Create a Service Accounts

  • Enter the following parameters:
    • Service account name;
    • Service account ID (mandatory);
    • Service account description (optional).
  • Click Create and Continue;
  • Click Done to finish the creation.

Service account created

  • Click the actions button (three dots on the right side of the account created) and select Manage keys;
  • Select ADD KEY and select Create new key;
  • Select JSON file and then CREATE;
  • The file will be saved to your computer. Store the file in a secure location;

For more information, look at the Google documentation about Service Accounts:

Set Domain-Wide Delegation

  1. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
  2. Click Manage Domain Wide Delegation.
  3. Click Add new and enter your service account client ID.
  4. Enter these parameters:
  5. Click Save.

Deploy Lambda for SSO

AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.

With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).

AWS Identity Center (SSO) can use other Identity Providers as well, such as Google Apps for Domains. Although AWS SSO supports a subset of the SCIM protocol for populating users, it currently only has support for Azure AD.

This is the reason to use a Lambda project which will pull users and groups from Google and push them into AWS SSO. 

Application settings
  • Click Deploy.

You have to perform this tutorial to create a service account that you use to sync your users. Save the JSON file you create during the process and rename it to credentials.json.