Updated Google workspace self-hosted IdP guide (#99)

netbirdio · Oct 4, 2023 · 6995e10 · 6995e10
1 parent 0609358
commit 6995e10
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 9 deletions.
diff --git a/...s-static/img/integrations/identity-providers/self-hosted/google-assign-role.png b/...s-static/img/integrations/identity-providers/self-hosted/google-assign-role.png
diff --git a/.../integrations/identity-providers/self-hosted/google-domain-delegation-added.png b/.../integrations/identity-providers/self-hosted/google-domain-delegation-added.png
diff --git a/...mg/integrations/identity-providers/self-hosted/google-new-domain-delegation.png b/...mg/integrations/identity-providers/self-hosted/google-new-domain-delegation.png
diff --git a/...static/img/integrations/identity-providers/self-hosted/google-new-role-info.png b/...static/img/integrations/identity-providers/self-hosted/google-new-role-info.png
diff --git a/...ic/img/integrations/identity-providers/self-hosted/google-privileges-review.png b/...ic/img/integrations/identity-providers/self-hosted/google-privileges-review.png
diff --git a/...tegrations/identity-providers/self-hosted/google-service-account-privileges.png b/...tegrations/identity-providers/self-hosted/google-service-account-privileges.png
diff --git a/src/pages/selfhosted/identity-providers.mdx b/src/pages/selfhosted/identity-providers.mdx
@@ -923,19 +923,32 @@ Read how to manage and secure your service keys [here](https://cloud.google.com/
 
 - Open downloaded json file and take note of `client_id` will be used later as `Service Account Client ID`
 
-#### Step 5: Granting service account access to organization data
+#### Step 5: Grant user management admin role to service account
 - Navigate to [Admin Console](https://admin.google.com/ac/home) page
-- Select `Security` > `Access and data control` > `API controls` and then click `MANAGE DOMAIN WIDE DELEGATION`
-- Click `Add new`
-- Fill in the form with the following values
-    - Client ID: `<Service Account Client ID>`
-    - OAuth scopes: `https://www.googleapis.com/auth/admin.directory.user.readonly`
+- Select `Account` on the left menu and then click `Admin Roles`
+- Click `Create new role`
+- Fill in the form with the following values and click `CREATE`
+    - name: `User Management ReadOnly`
+    - description: `User Management ReadOnly`
+- Click `CONTINUE`
+<p>
+    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+
+- Scroll down to `Admin API privileges` and add the following privileges
+    - Users: `Read`
+- Click `CONTINUE`
+<p>
+    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+- Verify preview of assigned Admin API privileges to ensure that everything is properly configured, and then click `CREATE ROLE`
+- Click `Assign service accounts`, add service account email address and then click `ADD`
 <p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png" alt="high-level-dia" class="imagewrapper"/>
+    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png" alt="high-level-dia" class="imagewrapper"/>
 </p>
-- Click `AUTHORIZE`
+- Click `ASSIGN ROLE` to assign service account to `User Management ReadOnly` role
 <p>
-    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-domain-delegation-added.png" alt="high-level-dia" class="imagewrapper"/>
+    <img src="/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png" alt="high-level-dia" class="imagewrapper"/>
 </p>
 
 - Navigate to [Account Settings](https://admin.google.com/ac/accountsettings/profile?hl=en_US) page and take note of `Customer ID`