title: Connect Google Workspace
category: Connections
tags: google workspace, connector, directory sync
priority: High
Connect Google Workspace
This guide walks you through connecting your Google Workspace directory to Certification Center so you can pull users and groups into your isolated cloud workspace, spot orphaned or duplicate accounts, and include Google Workspace access in your certification campaigns. Certification Center is cloud SaaS, so there is nothing to install: you authorize a read-only connection from your workspace to Google.
The connection reads your directory over Google's Admin SDK Directory API. It starts read-only. Write-back (for example, suspending an account when a reviewer revokes access) is optional and off until you turn it on.
Prerequisites
- A Certification Center workspace (see Sign up and connect your first directory in 5 minutes)
- Super Admin access to your Google Workspace Admin console, or help from someone who has it
- Access to the Google Cloud console to create a project and a service account
- A few minutes to authorize domain-wide read access
How the Google Workspace connector authenticates
Google Workspace does not use LDAP. Certification Center connects using a Google service account that has been granted domain-wide delegation for a small set of read-only directory scopes. In plain terms: you create a service account, you tell Google Workspace to trust that service account for reading directory data, and you give Certification Center the service account key so it can sign in as that identity.
This keeps the connection least-privilege: the service account can read the directory, and nothing more, until you decide to enable write-back.
Step 1: Create a service account in Google Cloud
- Sign in to the Google Cloud console
- Create a new project (or reuse an existing one) for the connection
- Enable the Admin SDK API for that project
- Go to IAM & Admin > Service Accounts and create a new service account
| Field | What to enter |
|---|---|
| Name | A descriptive name such as Certification Center Sync |
| Description | Read-only directory sync for Certification Center |
| Roles | None required at the project level for directory reads |
- Open the service account and create a JSON key
- Download the key file and treat it like a password: anyone holding it can read your whole directory once delegation is granted. You will paste its contents into Certification Center in Step 3
Step 2: Grant domain-wide read access in the Admin console
- Copy the service account's Client ID (a long numeric value shown on the service account page)
- Sign in to the Google Admin console as a Super Admin
- Go to Security > Access and data control > API controls > Domain-wide delegation
- Add a new API client using the service account Client ID and authorize these read-only scopes:
| Scope | Purpose |
|---|---|
| https://www.googleapis.com/auth/admin.directory.user.readonly | Read user accounts and profiles |
| https://www.googleapis.com/auth/admin.directory.group.readonly | Read groups and membership |
| https://www.googleapis.com/auth/admin.directory.orgunit.readonly | Read organizational units |
Grant only the read-only scopes for your first sync. You can widen scope later if you decide to enable write-back.
Step 3: Create the connection in Certification Center
- Sign in to your Certification Center workspace as an administrator
- Go to Connections and choose to add a connection
- Select Google Workspace as the directory type
- Provide the connection details:
| Field | Value |
|---|---|
| Name | A descriptive name such as Corporate Google Workspace |
| Service account key | Paste the contents of the JSON key from Step 1 |
| Admin email to impersonate | A Super Admin address the service account acts on behalf of |
| Access mode | Read-only for the first sync |
- Save the connection
Step 4: Test and run the first sync
- Use Test connection to confirm Certification Center can authenticate and read a small sample of users
- Resolve any errors (see Troubleshooting below) before continuing
- Run the first sync to pull users, groups, and org units into your workspace
- Review the results: Certification Center highlights orphaned accounts (for example, accounts with no matching person) and duplicate identities across your connected directories
Write-back (optional)
Write-back lets a certification decision flow back to Google Workspace, such as suspending a user when a reviewer revokes their access. It is off by default. To enable it, add the matching read-write scope for the objects you want to act on and switch the connection's access mode to allow write-back. Keep it read-only until you have a reason to turn it on.
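As an added illustration of the authentication flow described under How the Google Workspace connector authenticates and of Steps 1 to 3 (example code written for this guide, not Certification Center's own), the Python below checks a downloaded service account key for the fields delegation needs, compares the scopes authorized in the Admin console against the three read-only scopes (and lets you widen the allowed set only once write-back is on), and shows the JWT claim set that a domain-wide delegation token request rests on. The project ID, e-mail addresses and key material are constructed placeholders; `make_credentials()` assumes the google-auth package is installed and is the only part that needs it.

```python
"""Pre-flight checks for a Google Workspace directory connection.

Added example for this guide; not Certification Center's own code.  Everything
except make_credentials() uses only the standard library; make_credentials()
assumes the google-auth package (pip install google-auth) is installed.
"""
import json
import time

# The three read-only directory scopes from Step 2.
READ_ONLY_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
})

# Google's OAuth 2.0 token endpoint, the audience of the signed assertion.
TOKEN_URI = "https://oauth2.googleapis.com/token"

# Fields a Google service-account JSON key must carry for delegation to work.
REQUIRED_KEY_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")

# Constructed sample key: placeholder values, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "cc-sync@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": TOKEN_URI,
}


def validate_key_info(info):
    """Return the problems found in a parsed JSON key (empty list means OK)."""
    problems = []
    for field in REQUIRED_KEY_FIELDS:
        if not info.get(field):
            problems.append(f"missing field: {field}")
    if info.get("type") and info["type"] != "service_account":
        problems.append("type is not 'service_account'")
    pk = info.get("private_key", "")
    if pk and not pk.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded PKCS#8 key")
    return problems


def check_least_privilege(granted_scopes, allowed_scopes=READ_ONLY_SCOPES):
    """Compare the scopes authorized under domain-wide delegation with what the
    connector needs.  Returns (missing, excessive): read scopes still missing,
    and granted scopes beyond the allowed set.  Pass a wider allowed set only
    after enabling write-back."""
    granted = set(granted_scopes)
    missing = sorted(READ_ONLY_SCOPES - granted)
    excessive = sorted(granted - set(allowed_scopes))
    return missing, excessive


def build_assertion_claims(client_email, admin_email, scopes, now=None):
    """Claim set of the JWT that is signed with the service-account key and
    exchanged at TOKEN_URI for an access token.  The `sub` claim is what turns
    this into a domain-wide delegation request: the token acts as that admin."""
    now = int(time.time() if now is None else now)
    return {
        "iss": client_email,
        "sub": admin_email,
        "scope": " ".join(sorted(scopes)),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,  # Google caps the assertion lifetime at one hour
    }


def make_credentials(info, admin_email, scopes=READ_ONLY_SCOPES):
    """Build delegated credentials with google-auth (assumed installed; imported
    lazily so the offline checks above run without it).  google-auth signs a
    claim set like build_assertion_claims() with the key and fetches the token."""
    from google.oauth2 import service_account  # assumption: google-auth present
    creds = service_account.Credentials.from_service_account_info(
        info, scopes=sorted(scopes))
    return creds.with_subject(admin_email)


if __name__ == "__main__":
    print("key problems:", validate_key_info(SAMPLE_KEY) or "none")
    # Simulate a delegation entry where someone also added the read-write user scope.
    granted = list(READ_ONLY_SCOPES) + ["https://www.googleapis.com/auth/admin.directory.user"]
    print("missing/excessive:", check_least_privilege(granted))
    print(json.dumps(build_assertion_claims(SAMPLE_KEY["client_email"],
                                            "admin@example.com", READ_ONLY_SCOPES), indent=2))
```

Run the file as-is to see the checks on the constructed key; to use it on a real connection, load your downloaded key with `json.load`, pass the scope list you entered in Domain-wide delegation to `check_least_privilege()`, and expect an empty `excessive` list while the access mode is read-only. The `sub` claim is the reason Step 3 asks for an admin address: without it the service account only has its own, empty, Workspace identity.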
Required permissions at a glance
| Item | Least-privilege setting |
|---|---|
| Service account roles | None needed for read-only directory sync |
| Delegated scopes | The three *.readonly directory scopes above |
| Impersonated admin | A Super Admin used only to authorize directory reads |
| Write-back | Off until explicitly enabled |
Troubleshooting
- unauthorized_client / access denied — The service account Client ID or a scope is missing from domain-wide delegation. Re-check Step 2 and make sure each scope string matches exactly.
- Invalid impersonation / caller does not have permission — The impersonated admin email is wrong or lacks admin rights. Use a valid Super Admin address.
- API not enabled — Enable the Admin SDK API on the Google Cloud project from Step 1.
- No users returned — Delegation can take a few minutes to propagate. Wait and re-test.
- For a broader symptom list, see Troubleshooting cloud directory connections.