Google Workspace syncer
The Google Workspace syncer imports users from Google Workspace (formerly G Suite) into Casdoor using the Google Admin SDK Directory API.
Prerequisites
Set up a Google Cloud service account with domain-wide delegation and the Admin SDK enabled before configuring the syncer.
Step 1: Create a Service Account
Navigate to Google Cloud Console and create a service account:
- Go to IAM & Admin → Service Accounts → Create Service Account
- Enter a name and description for the service account
- Click Create and Continue
- Grant the service account the Service Account User role (optional)
- Click Done
Step 2: Generate a Service Account Key
After creating the service account, generate a JSON key:
- Click on the service account you just created
- Go to the Keys tab
- Click Add Key → Create new key
- Select JSON format
- Click Create and save the downloaded JSON file securely
Step 3: Enable Admin SDK API
Enable the Admin SDK API for your Google Cloud project:
- Go to APIs & Services → Library
- Search for "Admin SDK API"
- Click on it and click Enable
Step 4: Configure Domain-Wide Delegation
Set up domain-wide delegation in Google Workspace Admin:
- In the service account details, copy the Client ID
- Go to Google Workspace Admin Console
- Navigate to Security → Access and data control → API controls
- Click Manage Domain Wide Delegation
- Click Add new
- Paste the service account Client ID
- Add the OAuth scope:
https://www.googleapis.com/auth/admin.directory.user.readonly - Click Authorize
The admin.directory.user.readonly scope allows the syncer to read user profiles in your Google Workspace domain in read-only mode.
Configuration
To create a Google Workspace syncer in Casdoor:
- Navigate to the Syncers tab
- Click Add to create a new syncer
- Fill in the following required fields:
| Field | Description |
|---|---|
| Organization | The Casdoor organization where users will be imported |
| Name | A unique identifier for this syncer |
| Type | Select "Google Workspace" |
| Admin Email | Email address of a Google Workspace admin user (e.g., admin@yourdomain.com) |
| Service Account Key | Paste the complete JSON content of the service account key file |
Leave database-related fields (Database type, Port, Database, Table) empty for the Google Workspace syncer.
Field Mappings
The syncer automatically maps Google Workspace user attributes to Casdoor user fields:
| Google Workspace Field | Casdoor Field | Description |
|---|---|---|
| id | Id | User's unique identifier |
| primaryEmail | Primary email address | |
| name.fullName | Name | Full name |
| name.givenName | FirstName | First name |
| name.familyName | LastName | Last name |
| phones[0].value | Phone | Primary phone number |
| isAdmin | IsAdmin | Admin status |
| suspended | IsForbidden | Account suspension status |
Google Workspace suspended: true is mapped to Casdoor IsForbidden: true.
Group sync
The Google Workspace syncer can also sync groups and their memberships into Casdoor. Group sync runs automatically alongside user sync—there is no separate configuration step.
To enable group syncing, the service account needs an additional OAuth scope granted in the Google Workspace Admin Console:
https://www.googleapis.com/auth/admin.directory.group.readonly
Add this scope under Manage Domain Wide Delegation in the same way as the user scope. Once it is authorized, the syncer will fetch all groups from the domain and assign memberships to the corresponding Casdoor users.
Running the syncer
- Click Test Connection to verify credentials and permissions.
- Toggle Is enabled and click Sync for an immediate run.
- The syncer fetches all users and groups from the domain and handles pagination automatically.