How to Sync Google Workspace Users and Groups to Auth0 with Directory Sync

Google Workspace Directory Sync for Groups is currently available in Early Access.By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages.

Enabling Directory Sync for your Google Workspace enterprise connection lets you synchronize the user profiles, group structures, and group membership from Google Workspace to Auth0. You can synchronize automatically or manually:

Automatic synchronization runs every 30 minutes after the last sync completes.
Manual synchronization runs when you trigger it.

Enable Directory Sync

You can enable Directory Sync using the Auth0 Dashboard or the Management API.

Auth0 Dashboard
Management API

Prerequisites

Before you begin, you must have:

A Google Workspace enterprise connection in Auth0
Administrator privileges on the Google Workspace organization.

Enable the admin directory API for your enterprise connection

To enable directory sync, the Google access token for your Google Workspace enterprise connection must have the the appropriate scopes to access Google’s APIs.On the Settings tab of an existing Google Workspace enterprise connection (or when creating new connection), in the Identity Provider API section, select Use Admin Directory API and choose:

Users scopes to add scopes only to access users.
Users and Groups scopes to add scopes to access both users and groups.

When using Directory Sync, we also recommend disabling Sync User Profile Attributes at Login in this section to avoid conflicting updates from multiple sync methods.

Click Save Changes.

Verify Google administrator consent

From Auth0 Dashboard > Authentication > Enterprise, open your Google Workspace connection. On the Setup tab, either:

Follow the Continue link if you have admin permissions to configure your Google Workspace settings to use Google’s Admin APIs, or
Provide the given URL to your administrator so that they can adjust the required settings

Enable Directory Sync

On the Provisioning tab of your connection, toggle Provision Users Using Directory Sync. and choose the your configuration options:

In Resources, choose whether to sync Users or Users and Groups.

TODO here

UI for group selection. You can get a list of group IDs using the Google Workspace Directory API.

In Schedule, optionally check Enable Automatic Synchronization to automatically sync every 30 minutes. You can trigger a manual synchronization by selecting Synchronize now.
In Attribute Mapping, you can customize the mapping of Google attributes to Auth0 user profile attributes.

Prerequisites

Before you begin, you must have:

A Google Workspace enterprise connection in Auth0
Administrator privileges on the Google Workspace organization.
A Management API access token with the following scopes:
- create:directory_provisionings
- read:directory_provisionings
- update:directory_provisionings
- delete:directory_provisionings
Your Google Workspace connection ID (CONNECTION_ID).

Enable the admin directory API for your enterprise connection

When creating a new Google Workspace enterprise connection using the Create a connection endpoint (POST /v2/connections), or when modifying an existing enterprise connection using the Update a connection endpoint (PATCH /v2/connections/{id}), set the following body parameters:

option.api_enable_users to true to add scopes to access users.
option.api_enable_groups to true to additionally add scopes to access groups. Group access requires user access.

When using Directory Sync, we recommend disabling syncing user profiles on login (setting options.set_user_root_attributes to never_on_login) to avoid conflicting updates from multiple sync methods.

Verify Google administrator consent

From Auth0 Dashboard > Authentication > Enterprise, open your Google Workspace connection. On the Setup tab, either:

Follow the Continue link if you have admin permissions to configure your Google Workspace settings to use Google’s Admin APIs, or
Provide the given URL to your administrator so that they can adjust the required settings

Enable Directory Sync

Enable Directory Sync with the Create a directory provisioning configuration endpoint (POST /v2/connections/{id}/directory-provisioning), or update an existing Directory Sync configuration with the Patch a directory provisioning configuration endpoint (PATCH /v2/connections/{id}/directory-provisioning), and use the following request body parameters:

mapping to define the mapping of Google attributes to Auth0 user profile attributes.
synchronize_automatically set to true to automatically sync every 30 minutes or false to disable automatic synchronization.
synchronize_groups set to one of:
- all to synchronize all groups in addition to users
- selected to synchronize only the groups you specify
- off to synchronize only users

If you choose to synchronize only selected groups, you additionally need to specify the groups to synchronize.First, get a list of group IDs using the Google Workspace Directory API.

TODO here

Then use the Management API’s Configure groups to synchronize endpoint (PUT /v2/connections/{id}/directory-provisioning/synchronized-groups) with the request body parameter as a list of group IDs for the groups you want to synchronize:

"groups" [
    {
        "id": "example-id-string",
    },
    {
        "id": "example-id-string-2",
    },
    {
        "id": "example-id-string-3",
    }
]

To trigger a manual sync, use the Create a directory provisioning configuration endpoint.

Monitor Directory Sync activity

You can monitor sync activity in Auth0 tenant logs the under Directory Sync Started and Directory Sync Completed log types (event codes directory_sync_started and directory_sync_completed).

Limits

Synchronizing manually within 30 minutes of the last completed sync returns a 400 error. Wait at least 30 minutes before synchronizing again.

Add Login

Provision Users

​Enable Directory Sync

​Monitor Directory Sync activity

​Limits

Enable Directory Sync

Monitor Directory Sync activity

Limits