--- title: Creating a Google Workspace connection description: Use a Google Workspace connection to enable provisioning from PingOne to the Google Workspace user directory. component: pingone page_id: pingone:integrations:p1_create_google_workspace_connection canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_create_google_workspace_connection.html revdate: June 4, 2025 page_aliases: ["p1_google_find_application_details.adoc", "p1_google_workspace_attribute_mapping.adoc", "p1_google_workspace_limitations.adoc"] section_ids: before-you-begin: Before you begin steps: Steps result: Result: result-2: Result: troubleshooting: Troubleshooting: result-3: Result next-steps: Next steps p1_google_application: Finding Google application details steps-2: Steps p1_google_attribute_mapping: Google Workspace attribute mapping p1_google_limitation: Google Workspace provisioning known limitations --- # Creating a Google Workspace connection Use a Google Workspace connection to enable provisioning from PingOne to the Google Workspace user directory. ## Before you begin Make sure you have: * Reviewed the [Google Cloud documentation](https://cloud.google.com/docs). * A Google Workspace project. You can find more information in the [Google Cloud admin console](https://console.cloud.google.com). * Details for the connected application, such as application name, domain, OAuth client ID, and client secret. Learn more in [Finding Google application details](#p1_google_application). * Reviewed the [Google Workspace provisioning known limitations](#p1_google_limitation). ## Steps 1. In the PingOne admin console, go to **Integrations > Provisioning**. 2. Click **[icon: plus, set=fa]**and then click **New Connection**. 3. On the **Identity Store** line, click **Select**. 4. On the **Google Workspace** tile, click **Select**. Click **Next**. 5. Enter a name and description for the provisioning connection. ### Result: The connection name appears in the provisioning list after you save the connection. 6. Click **Next**. 7. In the **Configure Authentication** section, enter the values for the following fields: | | | | - | ------------------------------------------------------------------------------------------------------------------------------------ | | | You can find the values on the Google Developer console. Learn more in [Finding Google application details](#p1_google_application). | | Field | Value | | ----------------------- | -------------------------------------------------------------- | | **Application Name** | The name of the connected application. | | **Domain** | The fully qualified domain name for the connected application. | | **OAuth client ID** | The application ID for the connected application. | | **OAuth Client Secret** | The application secret for the connected application. | | **OAuth Access Token** | The access token for the connected application. | | **OAuth Refresh Token** | The refresh token for the connected application. | 8. Click **Test Connection** to verify that PingOne can establish a connection to Google Workspace. ### Result: If there are any issues with the connection, a **Test Connection Failed** modal opens. Click **Next** to resume the setup with an invalid connection. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can't use the connection for provisioning until you've established a valid connection to Google Workspace. To retry, click **Cancel** in the **Test Connection Failed** modal and repeat step 7. | ### Troubleshooting: Learn more about troubleshooting your connection in [Troubleshooting test connection failure](p1_provisioning_troubleshooting_test_connection_failure.html). 9. In the **Configure Preferences** and **Users Actions** sections, configure the following: | Field | Description | | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Enable users creation** | Determines whether to create a user in the target identity store when the user is created in the source identity store. | | **Enable users updation** | Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.If **Enable users updation** is selected, you can choose to select **Enable users disable** which determines whether to disable a user in the target identity store when the user is disabled in the source identity store. | | **Enable users deprovision** | Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.If Enable users deprovision is selected, the following configurations appear.- **Remove Action**: Determines whether to remove or disable a user in the target identity store when the user is deleted in the source identity store. Select **Delete** or **Disable**. Remove Action is only available if you select Enable users disable. - **Deprovision on rule deletion**: Determines whether to deprovision users if the associated provisioning rule is deleted. | 10. Click **Save**. 11. To enable the connection, click the toggle at the top of the details panel to the right (blue). | | | | - | ------------------------------------------------------------------------- | | | You can disable the connection by clicking the toggle to the left (gray). | ## Result The Google Workspace provisioning connection is complete and added to the list of provisioning connections on the **Provisioning** page. ## Next steps Sync group members out of PingOne into a software as a service (SaaS) application. Learn more in [Configuring outbound group provisioning](p1_provisioning_configuring_outbound_group_provisioning.html). ## Finding Google application details Use the Google Developer Console to find the details for your connected application, such as client ID, client secret, access token, and refresh token. ### Steps 1. Go to the [Google Developer Console](https://console.developers.google.com). 2. In the projects list, select a project or create a new one. 3. In the **Search** field, enter `Google Workspace`. 4. On the left navigation pane, click **Credentials**. 5. Under **OAuth 2.0 Client IDs**, click the appropriate application. 6. In the OAuth client window, copy the client ID and client secret to a secure location. You can always access the client ID and client secret from the **Credentials** page later if needed. ## Google Workspace attribute mapping The following table lists common Google Workspace user attributes that can be mapped to PingOne user attributes for user provisioning. | Attribute | Description | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `Family Name` | The user's last name. | | `Given Name` | The user's first name. | | `Email Address` | The user's email address. | | `Password` | The user's password. | | `!enabled` | This attribute is used to maintain the status of the user account in Google Workspace. If the user is enabled in PingOne, then the sync enables the user in Google Workspace. If the user is disabled in PingOne, then the sync disables the user in Google Workspace. | | For outbound provisioning to Google Workspace, you must map the addressFormatted attribute for the user's address to appear in the Google Admin portal. | | ## Google Workspace provisioning known limitations The following are known issues or limitations with Google Workspace user provisioning. * You can clear user attributes after setting them by sending an empty string value `onUpdate`. * If a PingOne user has an invalid `addressCountry` value, Google Workspace might not provision the user properly. * Changes to user attributes can take a few minutes to propagate to Google Workspace. However, in some cases, changes can take up to 24 hours to take effect. For more information, see [How changes propagate to Google services](https://support.google.com/a/answer/7514107). * The `isAdmin` property can only be edited in the [Make a user an administrator](https://developers.google.com/admin-sdk/directory/v1/guides/manage-users?authuser=2#make_admin) operation ([makeAdmin](https://developers.google.com/admin-sdk/directory/v1/reference/users/makeAdmin?authuser=2) method). If the property is edited in the user [insert](https://developers.google.com/admin-sdk/directory/v1/reference/users/insert?authuser=2) or [update](https://developers.google.com/admin-sdk/directory/v1/reference/users/update?authuser=2) methods, the edit is ignored by the Google API service. * When there is an existing group in Google with the same email ID and one member and PingOne has the same group with a different member, both the existing members and the new member are in Google after Provisioning. * An update in membership in PingOne doesn't recreate a synced deleted group from Google.