Google Workspace integration
Use Google Workspace as the OIDC identity authority, then map roles and sync directory data into Gvner.
1. Register Google provider (OIDC)
In Google Cloud Console, create an OAuth client for your Gvner deployment and collect the client ID.
POST /sso/providers
{
  "tenant_id": "acme",
  "provider_id": "google-workspace",
  "provider_type": "oidc",
  "issuer": "https://accounts.google.com",
  "client_id": "<google_oauth_client_id>",
  "metadata_url": "https://accounts.google.com/.well-known/openid-configuration",
  "enabled": true,
  "test_secret": "<temporary_test_secret>"
}
2. Map external groups to Gvner roles
Create role
POST /identity/roles
{
  "tenant_id": "acme",
  "role_id": "gw_admin",
  "allowed_capabilities": ["manage_tenant", "define_policy", "view_audit"]
}
Map Google group
POST /identity/role-map
{
  "tenant_id": "acme",
  "external_role": "gvner-admins@yourdomain.com",
  "role_id": "gw_admin"
}
3. Issue governed SSO session
POST /sso/session
{
  "tenant_id": "acme",
  "provider_id": "google-workspace",
  "subject": "user@yourdomain.com",
  "email": "user@yourdomain.com",
  "roles": ["gvner-admins@yourdomain.com"],
  "sso_token": "<temporary_test_secret>",
  "mfa_ok": true
}
Returns
200 and sets the GUVNA_SESSION cookie. Session issuance is written to the identity audit trail.
4. Sync directory data
Use your Google directory export/connector to upsert users and groups into Gvner.
Upsert user
POST /scim/users
{
  "tenant_id": "acme",
  "user_id": "user@yourdomain.com",
  "email": "user@yourdomain.com",
  "display_name": "Example User",
  "active": true,
  "groups": ["gvner-admins@yourdomain.com"]
}
Upsert group
POST /scim/groups
{
  "tenant_id": "acme",
  "group_id": "gvner-admins@yourdomain.com",
  "display_name": "Gvner Admins",
  "members": ["user@yourdomain.com"]
}
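Steps 2 through 4 reuse one group address as the role-map external_role, the session role, the SCIM user's group and the SCIM group_id. The following is an added example, not Gvner code, that cross-checks those payloads offline before they are sent. The function name and the rule that identifiers must match exactly are assumptions, and the sample data is constructed from the request bodies above.

```python
def check_identity_payloads(roles, role_maps, users, groups, session):
    """Return a list of inconsistencies across the payloads (empty = consistent)."""
    problems = []
    tenants = {p["tenant_id"] for p in [*roles, *role_maps, *users, *groups, session]}
    if len(tenants) != 1:
        problems.append(f"payloads span several tenants: {sorted(tenants)}")
    role_ids = {r["role_id"] for r in roles}
    mapped = {m["external_role"]: m["role_id"] for m in role_maps}
    members = {g["group_id"]: set(g["members"]) for g in groups}
    user_groups = {u["user_id"]: set(u["groups"]) for u in users if u["active"]}
    # Step 2: each mapping needs a defined role and a synced group behind it.
    for ext, role_id in mapped.items():
        if role_id not in role_ids:
            problems.append(f"role-map {ext} -> undefined role {role_id}")
        if ext not in members:
            problems.append(f"role-map {ext} has no SCIM group")
    # Step 4: user.groups and group.members must agree in both directions.
    for uid, gids in user_groups.items():
        for gid in sorted(gids):
            if uid not in members.get(gid, set()):
                problems.append(f"user {uid} claims {gid} but group does not list them")
    for gid, uids in members.items():
        for uid in sorted(uids):
            if gid not in user_groups.get(uid, set()):
                problems.append(f"group {gid} lists {uid} with no matching active user")
    # Step 3: session roles must be mapped and backed by directory membership.
    for ext in session["roles"]:
        if ext not in mapped:
            problems.append(f"session role {ext} is not in the role map")
        if ext not in user_groups.get(session["subject"], set()):
            problems.append(f"session role {ext} not held by {session['subject']} in directory")
    return problems

# Constructed sample input, copied from the request bodies on this page.
ROLES = [{"tenant_id": "acme", "role_id": "gw_admin"}]
ROLE_MAPS = [{"tenant_id": "acme", "external_role": "gvner-admins@yourdomain.com",
              "role_id": "gw_admin"}]
USERS = [{"tenant_id": "acme", "user_id": "user@yourdomain.com", "active": True,
          "groups": ["gvner-admins@yourdomain.com"]}]
GROUPS = [{"tenant_id": "acme", "group_id": "gvner-admins@yourdomain.com",
           "members": ["user@yourdomain.com"]}]
SESSION = {"tenant_id": "acme", "subject": "user@yourdomain.com",
           "roles": ["gvner-admins@yourdomain.com"]}

if __name__ == "__main__":
    found = check_identity_payloads(ROLES, ROLE_MAPS, USERS, GROUPS, SESSION)
    print("\n".join(found) if found else "consistent")
```

A one-character typo in any of the four places, or a user set to inactive while still listed in an admin group, shows up as a named inconsistency instead of a mapping that quietly fails to line up.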
5. Validate in console
/console/identity/sso/ — provider appears and is enabled.
/console/identity/scim/ — users/groups listed.
/console/identity/sessions/ — SSO sessions visible.
/console/identity/ledger/ — provider, session, and SCIM sync events in audit.