Google Workspace


In this lab we will walk through how to integrate Google Workspace (formerly G Suite) as an authentication source for AWS Control Tower. Google Workspace Directory it doesn’t natively support SCIM v2 for user and group provisioning. Hence in this lab we will use the natively SAML2 capabilities of Google Workspace Directory and an intermediary lambda function to implement the SCIM v2 provisioning capability.


  • This lab requires an account with Administrator privileges and AWS Control Tower.
  • We will be utilizing an Google Workspace trial account to create our directory and test users for this lab.
  • You’ll want to have picked out (try to select a lowercase alphanumerics):
    • alias (the mailbox/username)
    • domain (a genuine domain you control), so alias@domain

Google Workspace - Quick Setup

Before we can start to configure the lab you’ll need to create a Google Workspace instance, signup here. Details of a 14 day free trial is available here

You’ll need to validate the domain you register for it.

AWS SSO - Service Provider Metadata

In this section we are going to configure AWS SSO to use Google Workspace as an External Identity Provider.

  • On the AWS SSO Dashboard click the Choose your identity source link.
  • In the Identity Source section, in the row Identity Source, click the Change link.
  • Select External Identity Provider
  • in the Service provider metadata section click Download metadata file and save on your computer as aws-sp.xml.
  • Leave this browser tab open, and open a new tab to access your Google Workspace Portal

Google - Create the Amazon Web Services (AWS) App

  • Log into the Google Admin portal
  • Click on the menu
  • Select Apps, SAML apps
  • Click Add a service/App to your domain
  • Step 1
  • Step 2 of 5
    • Option 2
      • Click DOWNLOAD
    • Save to you computer
    • Click NEXT
  • Step 3 of 5
    • Application Name : AWS SSO
    • Description : leave blank
    • Save this AWS logo to a png,
    • Click CHOOSE FILE
    • Select the AWS logo image file
    • Click NEXT
  • Step 4 of 5
    • Entity ID : AWS SSO issuer URL
    • Start URL : AWS SSO Sign-in URL
    • Check Signed Response
    • Name ID : Basic Information : Primary Email
    • Name ID Format : EMAIL
    • Click NEXT
  • Step 5 of 5
    • Click FINISH

AWS SSO - Service Provider Metadata (continued)

  • Switch back to the browser tab On the AWS SSO
  • in the section Identity provider metadata
    • Click Browse and select the GoogleIDPMetadata-domain.xml document you saved above
    • Click Next: Review
  • Review and confirm
    • Review the information provided
    • Type ACCEPT in the field at the bottom
    • click Change Identity source
    • Once the reconfiguration has completed click Return to settings

Google GCP - create Directory Service API

  • Open the Google Developer’s console
  • New Project
    • Project name : SCIM-SSO-sync
    • Location : leave blank
    • Click CREATE
  • You will now be within the project you just created
  • Click in Search for APIs & Services and enter Admin SDK
  • Click ENABLE

Google GCP - Create Service Account

  • Open the Google Developer’s console
  • Select the project you created earlier
  • Create service account
    • Service account name : aws-sso
    • Service account id :
    • Service account description :
    • Click CREATE
  • Service account permissions (optional)
    • Click Continue
  • Grant users access to this service account (optional)
    • Click DONE
  • Service accounts for project “SCIM-SSO-sync”
    • Click on the *i*Actions** option in the row for the service account you just created and click create key
    • In the Create private key for “AWS-SSO” diaogue
      • Select JSON
      • Click CREATE
    • In the Private key saved to your computer
      • Rename the JSON file just downloaded to credentials.json and move to a save place (you’ll need it later in this lab).
      • Click CLOSE
    • Click on the Actions option again and click edit
  • Service account details
    • Check Enable G Suite Domain-wide Delegation
    • Product name for the consent screen : AWS SSO SCIM v2 provisioner
    • Email address : leave as default
    • Click SAVE

Google GCP/Workspace - Delegate domain-wide authority to your service account

  • Open the Google Developer’s console,
  • From the main menu select APIs & Services and then Credentials.
  • In the OAuth 2.0 CLient IDs section
    • Copy the Client ID to your clipboard

  • Open the Google Admin Console
  • From the main menu select security, then API controls
  • In the the Domain wide delegation section, click MANAGE DOMAIN WIDE DELEGATION
  • Domain-wide Delegation
    • Click Add new
  • In the Add a new client ID dialogue
    • Client ID : paste from your clipboard
    • OAuth scopes (comma-delimited) :,,
    • Click Authorize

AWS SSO - Automated Provisioning

  • Switch back to the browser tab On the AWS SSO - Settings
  • Click on the link Enable automatic provisioning
  • You’ll need to copy and paste the following fields into the Amazon Web Services (AWS) | Provisioning form on the tab you left open on the A

AWS Lambda - Deploying the SSO Sync application

  • Open the AWS Console and then lauch the application from the AWS Serverless Application Repository
  • Application settings
    • Application name : ssosync
    • GoogleAdminEmail : your admin user in gsuite
    • GoogleCredentials : the content of credentials.json
    • SCIMEndpointAccessToken : access token from AWS SSO
    • SCIMEndpointUrl : SCIM endpoint from AWS SSO
    • SSOSyncFunction
      • LogFormat : leave as default
      • LogLevel : leave as default
      • ScheduleExpression : leave as default
    • Check I acknowledge that this app creats custom IAM roles.
    • Click Deploy

Google Workspace - Create a Group

We going to create a group to represent our Financial Operations team members, who should have permissions to access billing information on our organisations master payer.

  • One the top ribbon, click the menu and select Directory, then Groups
  • Click Create group
    • click + New group
  • Group information

    • Group details
      • Name : AWSFinOpsUsers
      • Group description : Cross Account Financial Operations Users.
      • Group email : AWSFinOpsUsers @ domain
    • Group owner(s) : your admin user's email address
    • Click Next
  • Group settings

    • Access type
      • Select Team
    • Click Create Group

Google Workspace - Assign Group to App

  • One the top ribbon, click the menu and select Apps, then SAML Apps
  • Click on the App you created earlier.
    • Click Test SAML login
    • Click GRANT ACCESS
  • On the left pane click on Groups, then Search for a group
  • Select AWSFinOpsUsers
  • Service status
    • Service status : Check on
    • Click SAVE

AWS SSO - Check Provisioning

  • Open the AWS console for AWS SSO
  • Click on Users in the left panel, and check that your users have been replicated from the Google Workspace Directoy
  • Click on Groups in the left panel, and check that your groups have been replicated from the Google Workspace Directoy

AWS SSO - Create Permission Set

We’ll now create a permission with appropriate rights for the Financial Operations Team.

  • Switch to the browser tab On the AWS SSO
  • In the left panel, click AWS accounts, and then the Permission sets tab
  • Click Create permission set
  • Create new permission set
    • select Use an existing job function policy
    • Click Billing and click Create
  • Click on Billing in the list of permission sets
  • Billing - Permissions tab

AWS SSO - Assign Group

We now need to give the group (from Google Workspace) AWSFinOpsUsers@domain access to the management account, with the rights defined in permissions set Billing.

  • Switch to the browser tab On the AWS SSO
  • In the left panel, click AWS accounts, and then the AWS organization tab
  • Click Root
  • Check your master account and click Assign users
  • Assign Users
    • Click the Groups tab
    • Check AWSFinOpsUsers
    • Click Next: Permission sets
  • Select permission sets
    • check Billing
    • Click Finish
  • Complete
    • Click Proceed to AWS accounts

AWS SSO - Assign Users

Create an Google Workspace test user

In this section, you’ll create a test user in the Google Workspace Directory.

  • In the Google Workspace admin console, from the main menu, click Directory, Users
  • click add New user on the top menu.
  • New user
    • Select Create user
    • Identity
      • User name : alias@domain
      • Name : your first name your last name
      • First name : your first name
      • Last name : your last name
    • Groups and roles
      • click 0 groups selected
        • select AWSFinOpsUsers
        • click Select
      • Roles : User
    • Settings
      • Block sign in : No
      • Usage location : leave blank
    • job info
      • job title : leave blank
      • Department : leave blank
    • click Create
  • In the list of users, click your first name your last name (the user you just created)
  • click Reset password on the top menu
  • in the righthand menu, click Reset password
  • copy the Temporary password to the clipboard

Explore as our FinOps User

Now we can see what the experience we’ve configured for our test user.

  • Switch to the browser tab On the AWS SSO
  • In the left panel, click Dashboard,
  • Copy the User portal URL:
  • Open a browser window in Private or incognito mode and paste the user portal URL in to the address bar.
  • Browser should redirect you to your Google Workspace log in page,
    • username : alias@domain
    • password : the one you copied to the clipboard
    • you may be asked to provide additional security questions based on your Google Workspace configuration
  • Once successfully logged in you should be return to the AWS Single Sign-On start page
  • Click on AWS Account (1)
    • Click on the name of your master account
    • On the line Billing click the link Management Console
    • A new tab should open and display the Billing & Cost Management Dashboard for your organization.

Deleting AWS resources deployed in this lab

In the Master account:

  • In the AWS SSO Dashboard
    • In the Identity Source section, in the row Identity Source, click the Change link.
    • Change identity source
      • Select AWS SSO,
      • click Next: Review
    • Review and confirm
      • Review the information provided
      • Type CONFIRM in the field at the bottom
      • click Change Identity source
    • Once the reconfiguration has completed click Return to settings
  • In the AWS Cloudformation Dashboard
    • Select the stackset you deployed serverlessrepo-ssosync
    • Click Delete.
  • In the Google Cloud Platform portal

    • Service Account
    • Project
      • On the top menu bar select SCIM-SSO-sync from the drop down list of projects and click Open
      • From the ‘three dots link’ on the menu bar, select Project Settings
      • In the settings screen, click SHUT DOWN
      • In the *Shut down project “SCIM-SSO-sync” dialogue:
        • Project ID : SCIM-SSO-sync
        • click SHUT DOWN
  • In the Google Workspace portal

    • On the main menu, click Apps, then SAML apps
    • Click into the AWS SSO app you created earlier.
    • Click Delete app
    • In the Delete app dialogue, click Delete

*Copyright 2021, Amazon Web Services, All Rights Reserved.*