When using Google for SSO, configuring external group mapping requires additional steps.
This guide explains how to configure both your Google Workspace and Streamvisor.
First check what edition of Google Workspace you are using.
If your Google Workspace edition supports the Cloud Identity API, you will be able to query transitive group membership.
If your Google Workspace edition does not support the Cloud Identity API, you will only be able to query direct group membership.
Depending on your edition of Google Workspace, enable one of the supported APIs:
a) Select Cloud Identity API in the API Library, and click on Enable to support transitive group membership.
b) Select Admin SDK API in the API Library, and click on Enable to support direct group membership.
If you are not sure what to choose, consult the documentation of the API library to ensure you have a supported edition of Google Workspace.
To create a service account, click IAM & Admin and select Service Accounts.
Click Create a service account.
Enter a name and description for this service account and click Create and continue then Done.
The service account is now added to the current project. Click on the service account to view its details.
Copy the Unique ID of the service account, you will need it later.
Click on the Keys tab, then Add key and Create new key.
Select JSON as the key type and click Create.
A JSON file will be downloaded with contents similar to this:
{
"type": "service_account",
"project_id": "your-google-project-xxxx",
"private_key_id": "dfnjksf9332r23ml32e",
"private_key": "-----BEGIN PRIVATE KEY-----\n000000000000000000\n-----END PRIVATE KEY-----\n",
"client_email": "streamvisor-groupmapper-sa@your-google-project-xxxx.iam.gserviceaccount.com",
"client_id": "1000000000000000003",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/streamvisor-groupmapper-sa%40your-google-project-xxxx.iam.gserviceaccount.com",
"universe_domain": "googleapis.com"
}
This file will be needed to configure Streamvisor later.
Open the Google Admin Console and go to Manage domain-wide delegation.
Click Add new and paste the unique ID that you copied from the service account in step 3.
Depending on your edition of Google Workspace, add one of the following scopes:
a) For transitive and direct group membership, add https://www.googleapis.com/auth/cloud-identity.groups.readonly
b) For only direct group membership, add https://www.googleapis.com/auth/admin.directory.group.readonly
Click Authorize.
Make sure you have configured Google as an SSO provider in Streamvisor (please refer to the SSO Guide).
Additionally, to map external groups from Google Workspace, the following properties need to be set:
# Filepath of the JSON file downloaded in step 3
streamvisor.sso.oauth.providers.google.options.serviceaccountfilepath=/path/to/streamvisor-groupmapper-sa.json
# Email of the Google Workspace administrator that will be impersonated by the service account
streamvisor.sso.oauth.providers.google.options.workspaceadminemail=my-workspace-admin@example.com