Hanzo
PlatformHanzo IAMSyncer

Google Workspace syncer

Sync users from Google Workspace to Hanzo IAM via the Admin SDK Directory API.

The Google Workspace syncer imports users from Google Workspace (formerly G Suite) into Hanzo IAM using the Google Admin SDK Directory API.

Prerequisites

Set up a Google Cloud service account with domain-wide delegation and the Admin SDK enabled before configuring the syncer.

Step 1: Create a Service Account

Navigate to Google Cloud Console and create a service account:

  1. Go to IAM & AdminService AccountsCreate Service Account
  2. Enter a name and description for the service account
  3. Click Create and Continue
  4. Grant the service account the Service Account User role (optional)
  5. Click Done

Step 2: Generate a Service Account Key

After creating the service account, generate a JSON key:

  1. Click on the service account you just created
  2. Go to the Keys tab
  3. Click Add KeyCreate new key
  4. Select JSON format
  5. Click Create and save the downloaded JSON file securely

Step 3: Enable Admin SDK API

Enable the Admin SDK API for your Google Cloud project:

  1. Go to APIs & ServicesLibrary
  2. Search for "Admin SDK API"
  3. Click on it and click Enable

Step 4: Configure Domain-Wide Delegation

Set up domain-wide delegation in Google Workspace Admin:

  1. In the service account details, copy the Client ID
  2. Go to Google Workspace Admin Console
  3. Navigate to SecurityAccess and data controlAPI controls
  4. Click Manage Domain Wide Delegation
  5. Click Add new
  6. Paste the service account Client ID
  7. Add the OAuth scope: https://www.googleapis.com/auth/admin.directory.user.readonly
  8. Click Authorize

:::tip

The admin.directory.user.readonly scope allows the syncer to read user profiles in your Google Workspace domain in read-only mode.

:::

Configuration

To create a Google Workspace syncer in Hanzo IAM:

  1. Navigate to the Syncers tab
  2. Click Add to create a new syncer
  3. Fill in the following required fields:
FieldDescription
OrganizationThe Hanzo IAM organization where users will be imported
NameA unique identifier for this syncer
TypeSelect "Google Workspace"
Admin EmailEmail address of a Google Workspace admin user (e.g., admin@yourdomain.com)
Service Account KeyPaste the complete JSON content of the service account key file

Leave database-related fields (Database type, Port, Database, Table) empty for the Google Workspace syncer.

Field Mappings

The syncer automatically maps Google Workspace user attributes to Hanzo IAM user fields:

Google Workspace FieldHanzo IAM FieldDescription
idIdUser's unique identifier
primaryEmailEmailPrimary email address
name.fullNameNameFull name
name.givenNameFirstNameFirst name
name.familyNameLastNameLast name
phones[0].valuePhonePrimary phone number
isAdminIsAdminAdmin status
suspendedIsForbiddenAccount suspension status

:::info Google Workspace suspended: true is mapped to Hanzo IAM IsForbidden: true. :::

Running the syncer

  1. Click Test Connection to verify credentials and permissions.
  2. Toggle Is enabled and click Sync for an immediate run.
  3. The syncer fetches all users from the domain and handles pagination automatically.

How is this guide?

Last updated on

Active Directory syncer

Sync users from Microsoft Active Directory to Hanzo IAM via LDAP/LDAPS.

Keycloak syncer

Sync users from Keycloak to Hanzo IAM with automatic schema mapping.

On this page

Prerequisites
Step 1: Create a Service Account
Step 2: Generate a Service Account Key
Step 3: Enable Admin SDK API
Step 4: Configure Domain-Wide Delegation
Configuration
Field Mappings
Running the syncer