How do I configure the service to use SCIM to manage my users in Google Workspace?

Modified on Tue, 18 Mar at 1:23 PM

Before configuring this automation, refer to this article: https://support.google.com/a/answer/7681608?hl=en


Specifically:  


About automated user provisioning


Google supports automated user provisioning for many popular cloud applications. With automated user provisioning, you can automatically save changes to user identities in the Google Admin console for all supported apps. Users are synced every few hours.


Automated user provisioning operates on active, suspended, or deleted users only. It doesn't include archived users.


Note: Business Starter and Frontline Starter customers can configure up to 3 apps for automated user provisioning. Business Standard, Business Plus, and Enterprise editions have no provisioning limit. 


Configuring a SCIM compliant app in Google Workspace 


Note

These steps must be performed in addition to configuring the SAML2 SSO application for authentication of users.  You will need to be logged in to the Google Workspace Admin console as the administrator. You will also need to be logged in to the Security Awareness and Training Service Admin console as the tenant administrator. 


1.)  Log in to the Google Workspace Admin Console


2)  From the navigation menu on the left of the screen, select and expand the Apps menu item, then select Web and mobile apps. Under the Add app dropdown, click in the Search for apps field: 



3) Enter "Amazon Web Services" in the search field and select the Amazon Web Services app: 



The Amazon Web Services Identity Provider details page is displayed.



4)  Click the CONTINUE button in the lower right quadrant of the screen: 



The Service provider details page is displayed.


5)  On the Service provider details screen, select the CONTINUE button at the bottom right of the screen: 



The Attribute mapping page is displayed: 



 6)  Since we are not using these attributes, you can just map both to the Primary Email attribute:  



7)  Once you have mapped attributes to the two App attributes, select the FINISH button in the bottom right-hand quadrant of the screen: 



The Amazon Web Services app main page is displayed:  



7)  In the User access section, click on "OFF for everyone" under the View details header: 




8.)  Select the organizational units that contain the users you want provisioned into the service. These will likely match the organizational units or groups you assigned when you configured the Single Sign On SAML app you created for authentication. 


For each organizational unit or group you want assigned, after selecting, click the ON for everyone option button, then select the Save button. 



9.)  Once all the Organizational units or groups are added, return to the app main page by selecting the app name in the path at the top of the frame:  



The Amazon Web Services app main page is displayed:  



10)  In the Autoprovisioning section, click on the Configure autoprovisioning link: 



The Set up autoprovisioning for Amazon Web Services wizard is displayed: 



To obtain the access token for App authorization, you must log in to the Security Awareness and Training Service as the tenant administrator. (This is the account that logs in to initialize the service and manage licenses from https://support.fortinet.com).  


11)  Log in to the Security Awareness and Training Service as the tenant administrator. 


12)  Select My profile from the user menu in the lower left corner of the service interface: 



The My profile page is displayed: 



13)  In the Create API Token section, give the token a meaningful name (e.g. Security Awareness SCIM Token), ensure that the SCIM permission checkbox is checked, and select the Generate button: 



The API Token dialogue is presented. 



14)  Click the Copy button to copy the token: 



15)  Paste the token into the App authorization token field in Google Workspace and select CONTINUE.



The Endpoint URL page is displayed: 



16)  In the Security Awareness and Training Service Administration interface, select Users from the navigation menu, then select the Manage domains and users button in the upper right-hand corner: 



The Manage domains and users page is displayed: 



17)  Select the SCIM provisioning tab: 



The SCIM provisioning page is displayed: 




18)  Click the copy button to copy the SCIM URL



19)  Return to the Endpoint URL page in Google Workspace, paste the URL into the Endpoint URL field, and select CONTINUE.



The Attribute mapping page is displayed. 


20)  The following settings should already be mapped, except the Manager ID: 


| Google Directory Attributes | App Attributes (SCIM standard) |
| --- | --- |
| Basic Information > First name | name.givenName |
| Basic Information > Last name | name.familyName |
| Contact Information > Email > Value | emails.value |
| Employee Details > Department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department |
| Employee Details > Title | title |
| Employee Details > Manager ID (optional) | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value |


Map the manager ID: 



The mappings should align with the attributes listed in the table above. While additional, unnecessary attributes will also be sent, they will only consume bandwidth and can be disregarded.


21) Click the CONTINUE button at the bottom of the screen


The Provisioning scope (optional) page is displayed:  



22) Click the CONTINUE button at the bottom of the screen


The Deprovisioning screen is displayed: 



23)  Make any desired changes to the Deprovisioning settings, then click the FINISH button at the bottom of the screen. 


You are returned to the main app page.


24)  Turn on the Autoprovisioning option button: 



You will be presented with a confirmation message: 



25)  Select the TURN ON option.




Note

The SCIM push in Google Workspace appears to be event-based but includes an unclear delay. Google Workspace does not expose its sync schedule.  You may need to wait to see the users begin to sync to the Security Awareness and Training Service. 
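
The attribute mapping from step 20, worked through as an added example (not code from the service or from Google): it builds the SCIM 2.0 User body that the table implies and lists any attribute paths in a payload that fall outside the table, which is one way to audit the additional attributes mentioned in that step. The function names and the sample values are constructed for illustration.

```python
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Step 20 table: Google Directory attribute -> SCIM attribute path.
MAPPING = {
    "Basic Information > First name": "name.givenName",
    "Basic Information > Last name": "name.familyName",
    "Contact Information > Email > Value": "emails.value",
    "Employee Details > Department": ENTERPRISE + ".department",
    "Employee Details > Title": "title",
    "Employee Details > Manager ID (optional)": ENTERPRISE + ".manager.value",
}
# Constructed sample values (not real data), in table order; no manager set.
SAMPLE = dict(zip(MAPPING, ["Ada", "Lovelace", "ada@example.com", "Finance", "Analyst", None]))

def split_path(path):
    """Split a SCIM path into keys, keeping the extension URN as one key."""
    if path.startswith(ENTERPRISE + "."):
        return [ENTERPRISE] + path[len(ENTERPRISE) + 1:].split(".")
    return path.split(".")

def build_user(directory_user):
    """Build the SCIM User body implied by the step 20 mapping."""
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE]}
    for google_attr, path in MAPPING.items():
        value = directory_user.get(google_attr)
        if value is None:  # optional attribute left empty
            continue
        node, keys = user, split_path(path)
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = value
    if "emails" in user:  # emails is multi-valued in SCIM: a list of objects
        user["emails"] = [user["emails"]]
    return user

def flatten(obj, prefix=""):
    """Yield the dotted path of every leaf value in a SCIM resource."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    else:
        yield prefix

def unmapped(payload):
    """Attribute paths present in a payload but absent from the table."""
    return sorted(set(flatten(payload)) - set(MAPPING.values()) - {"schemas"})
```
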


