Configuring SSO for G-Suite

Configure G-Suite single sign-on (SSO) integration with Amazon Web Services (AWS) - Lambda

⚠️
Before going through these steps, make sure you have followed the instructions to configure AWS SSO (IAM Identity Center).

Create Admin SDK API

First, you have to setup your API in the project you want to use:

  • Go to the Google Cloud console (https://console.cloud.google.com/);
  • Make sure you are managing the correct project. If you don't have a project, create one by following these instructions;
  • Create or select your project;
  • Select APIs & Services > Enable APIs and Services;
  • Search for Admin SDK and enable the API.

Create a Service Account

  • Enter the following parameters:
    • Service account name;
    • Service account ID (mandatory);
    • Service account description (optional).
  • Click Create and Continue;
  • Click Done to finish the creation.

Service account created

  • Click the actions button (three dots on the right side of the account created) and select Manage keys;
  • Select ADD KEY and select Create new key;
  • Select JSON file and then CREATE;
  • The key file is downloaded to your computer. Store it in a secure location: it grants read access to your whole directory under the delegated scopes.

For more information, look at the Google documentation about Service Accounts: https://developers.google.com/workspace/guides/create-credentials#service-account.

Set Domain-Wide Delegation

  1. In the Admin console, go to Menu > Security > Access and data control > API controls.
  2. Click Manage Domain Wide Delegation.
  3. Click Add new and enter your service account client ID.
  4. Enter these OAuth scopes (all read-only, which is all the sync needs):
    1. https://www.googleapis.com/auth/admin.directory.group.readonly
    2. https://www.googleapis.com/auth/admin.directory.group.member.readonly
    3. https://www.googleapis.com/auth/admin.directory.user.readonly
  5. Click Save.

Deploy Lambda for SSO

AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.

With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).

AWS Identity Center (SSO) can use other identity providers as well, such as Google Apps for Domains. Although AWS SSO supports a subset of the SCIM protocol for populating users, it currently only has support for Azure AD.

This is why a Lambda function is used: it pulls users and groups from Google and pushes them into AWS SSO through the SCIM endpoint.

Application settings

Application name: enter the name of your application.
GoogleAdminEmail: enter the Google admin email the service account will impersonate.
GoogleCredentials: copy and paste the whole content of the credential JSON file into this field.
IdentityStoreID: get the ID from the AWS Identity Center (SSO) console.
Region: AWS region where AWS SSO is enabled.
SCIMEndpointAccessToken: the SCIM endpoint access token generated when you enable Automatic provisioning on the AWS Identity Provider (SSO).
SCIMEndpointUrl: the SCIM endpoint URL generated when you enable Automatic provisioning on the AWS Identity Provider (SSO).
SSOSyncFunction: Google Workspace group filter query parameter, for example 'name:Admin* email:aws-*'; see https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
GoogleUserMatch: Google Workspace user filter query parameter, for example 'name:John* email:admin*'; see https://developers.google.com/admin-sdk/directory/v1/guides/search-users
IgnoreGroups: enter "n/a" if you won't use this parameter.
IgnoreUsers: enter "n/a" if you won't use this parameter.
IncludeGroups: enter "n/a" if you won't use this parameter.
LogFormat: enter "n/a" if you won't use this parameter.
LogLevel: enter "n/a" if you won't use this parameter.
ScheduleExpression: enter "n/a" if you won't use this parameter.
SyncMethod: enter "n/a" if you won't use this parameter.

Select “I acknowledge that this app creates custom IAM roles”.

  • Click Deploy.

The service account created in this tutorial is the one used to sync your users. Save the JSON key file you download during the process and rename it to credentials.json.
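To make the sync described above concrete (the Lambda pulling Google users and groups, applying the IgnoreUsers / IncludeGroups / IgnoreGroups settings, and pushing SCIM resources to SCIMEndpointUrl with SCIMEndpointAccessToken), here is an added example written for this page; it is not the Lambda's own code. The Directory API records are constructed samples, the list parameters are assumed to be comma-separated email addresses, and the request is only built, not sent.

```python
import json

# Constructed sample of the Admin SDK Directory API shapes (users.list / groups.list); values are made up.
GOOGLE_USERS = [
    {"id": "u1", "primaryEmail": "alice@example.com", "suspended": False,
     "name": {"givenName": "Alice", "familyName": "Ng"}},
    {"id": "u2", "primaryEmail": "svc-robot@example.com", "suspended": False,
     "name": {"givenName": "Svc", "familyName": "Robot"}},
    {"id": "u3", "primaryEmail": "bob@example.com", "suspended": True,
     "name": {"givenName": "Bob", "familyName": "Lee"}},
]
GOOGLE_GROUPS = [
    {"id": "g1", "email": "aws-admins@example.com", "name": "aws-admins"},
    {"id": "g2", "email": "everyone@example.com", "name": "everyone"},
]

def parse_param(value):
    """The page's "n/a" means unused; otherwise the value is assumed to be comma-separated emails."""
    if value is None or value.strip().lower() == "n/a":
        return set()
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def select_users(users, ignore_users):
    """Drop IgnoreUsers entries, e.g. shared mailboxes that must never get AWS access."""
    ignored = parse_param(ignore_users)
    return [u for u in users if u["primaryEmail"].lower() not in ignored]

def select_groups(groups, include_groups, ignore_groups):
    """IncludeGroups is an allow-list when set; IgnoreGroups is always subtracted."""
    include, ignore = parse_param(include_groups), parse_param(ignore_groups)
    return [g for g in groups
            if (not include or g["email"].lower() in include) and g["email"].lower() not in ignore]

def google_user_to_scim(user):
    """Map a Directory user to a SCIM 2.0 User; a suspended Google user becomes active=False
    so its AWS access is disabled instead of lingering after offboarding."""
    given, family = user["name"]["givenName"], user["name"]["familyName"]
    return {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "externalId": user["id"], "userName": user["primaryEmail"],
            "name": {"givenName": given, "familyName": family},
            "displayName": f"{given} {family}",
            "emails": [{"value": user["primaryEmail"], "type": "work", "primary": True}],
            "active": not user.get("suspended", False)}

def scim_create_request(endpoint_url, access_token, resource):
    """Build (url, headers, body) for POST /Users or /Groups; the caller sends it, so this runs offline."""
    path = "Groups" if resource["schemas"][0].endswith(":Group") else "Users"
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/scim+json"}
    return f"{endpoint_url.rstrip('/')}/{path}", headers, json.dumps(resource)
```

The bearer token is the SCIMEndpointAccessToken and must be kept out of logs; the same active=False mapping is what lets a suspension in Google propagate to AWS on the next scheduled run.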