You can configure Opal to integrate with your identity provider (IDP) system. This enables Opal to import information about employees such as their managers, as well as to revoke user access when their account is terminated in the IDP system.

Getting Started

On the left-hand side, click Admin and navigate to the Identity Provider integration under the Integrations section. Click Connect.

On the resulting page, click Connect under the Google logo.

Step 1 - Create a Google identity provider service account

You will need to create a service account in your Google Workspace to create the Google identity provider integration. You may have already created a service account when adding a Google Groups or Google Cloud connection: if so, you can potentially reuse the same service account and its associated Service Account Credentials JSON from those connections. If you go this route, you will need to record the Client ID of the service account you want to use, which can be found by navigating to this link, clicking on the project of interest, and clicking View Client ID in the Domain wide delegation column of the resulting table.

If you want to create a new service account, you can follow the instructions below:

First navigate to the Google Cloud console with your Google super administrator account, and follow all instructions in Step 4 of the link here. Importantly, you will need to store two pieces of information: 1. The JSON file that should have downloaded when you created a key with the service account, and 2. The Client ID of the service account you created, which should appear after you check the Enable Google Workspace Domain-wide Delegation box.

Step 2 - Enable service account with appropriate permissions

Navigate to the Google Admin page and click on Security, then API Controls on the left sidebar. Then scroll down and click Manage Domain Wide Delegation. In the API Clients table, click Add new, then input the Client ID from the previous section and the https://www.googleapis.com/auth/admin.directory.user.readonly OAuth scope. Then click Authorize.

Step 3 - Record the customer ID

Follow the instructions here to record your Google Workspace Customer ID.

Complete Input Form

You are now ready to fill out the connection creation form in the Opal UI. Input the customer ID from Step 3 in the previous section. For the Google Workspace admin email, enter the super administrator email associated with your Google Workspace account. Finally, upload the JSON service account credentials file.
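A pre-flight check you can run on these inputs before uploading them, as an added example that is not part of Opal's documentation or tooling. It confirms that the JSON key belongs to the Client ID authorized in Step 2 and that only the read-only directory scope is delegated. The function name, the hand-copied scope list and all sample values are assumptions made for illustration.

```python
import json

# Scope this page tells you to authorize in Step 2.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"
# Fields found in a Google service account key file.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id", "token_uri")

def preflight(key_json_text, recorded_client_id, delegated_scopes, admin_email):
    """Return a list of problems; an empty list means the inputs are consistent."""
    try:
        key = json.loads(key_json_text)
    except json.JSONDecodeError as exc:
        return [f"credentials file is not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["credentials file is not a JSON object"]
    problems = []
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"not a service account key (type={key.get('type')!r})")
    # Delegation is granted to a Client ID, so the key must belong to that ID.
    if str(key.get("client_id", "")) != str(recorded_client_id).strip():
        problems.append("client_id in key differs from the authorized Client ID")
    # delegated_scopes: copied by hand from the Domain Wide Delegation table.
    scopes = {s.strip() for s in delegated_scopes if s.strip()}
    if REQUIRED_SCOPE not in scopes:
        problems.append("required read-only directory scope is not delegated")
    extra = sorted(scopes - {REQUIRED_SCOPE})
    if extra:
        problems.append("extra delegated scopes: " + ", ".join(extra))
    local, _, domain = admin_email.strip().partition("@")
    if not local or "." not in domain:
        problems.append("admin email is not a full address")
    return problems

# Constructed sample key; every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000placeholder", "private_key": "PLACEHOLDER-NOT-A-KEY",
    "client_email": "opal-idp@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    for issue in preflight(SAMPLE_KEY, "100000000000000000001",
                           [REQUIRED_SCOPE], "admin@example.com") or ["ok"]:
        print(issue)
```

Extra scopes matter most when you reuse a service account from a Google Groups or Google Cloud connection, since the same key then carries every scope delegated to that Client ID.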

After you have completed these steps, Opal is ready to sync with your Google Identity Provider!
