You can set up automated user provisioning (autoprovisioning) so that any changes you make to user accounts in Google Workspace are automatically synced with this third-party app.
Automated user provisioning operates only on active, suspended, or deleted users. It doesn't include archived users.
Before you begin: Set up SSO for this app
Get the API access token and endpoint URL for the Amazon Web Services application- Sign in to your Amazon Web Services Console at https://console.aws.amazon.com.
- At top left, click ServicesAll ServicesIAM Identity Center (successor to AWS Single Sign-On). Alternatively, you can search for IAM Identity Center using the search box.
- From the Dashboard, under Recommended setup steps, click Step 1, Choose your identity source.
- On the Settings page, in the Identity source section, click ActionsChange identity source.
- Under Choose identity source, select External identity provider.
- Click Next.
- Under Identity provider metadata, go to IdP SAML metadata and click Choose file.
- Upload the IDP Metadata (GoogleIDPMetadata.xml) that you downloaded when you set up SSO for this app, then click Next.
- On the Confirm change page, scroll down to Review and confirm and enter ACCEPT in the entry field.
- Click Change identity source.
This completes auto-provisioning configuration and returns you to the Settings page. - In the Automatic provisioning section, click Enable.
- Copy and save the SCIM endpoint that's displayed in the popup.
- Click Show tokencopy the Access tokenclick Close.
- To find the SCIM endpoint and a new token anytime after completing the above steps, go to IAM Identity CenterSettings. In the Identity source tab, click the Actions menu and select Manage provisioning.
- Under Configuration, copy the SCIM endpoint.
- Under Access tokens, click Generate token and copy the new token.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Open the Amazon Web Services application.
- (Optional) To limit auto-provisioning to certain users, click User access and select the organizational units or groups that should have access to the Amazon Web Services application. Alternately, if you are using groups (not organization units) to control auto-provisioning, you can do that in step 10 below.
- In the Autoprovisioning section, click Configure autoprovisioning.
- Paste the API access token you copied from Amazon Web Services and click Continue.
- Enter the SCIM endpoint you copied from Amazon Web Services click Continue.
- Verify that all mandatory Amazon Web Services attributes (those marked with an *) are mapped to Google Cloud Directory attributes. If not, click the Down arrow and map to the appropriate attribute.
- Click Continue.
- (Optional) Restrict provisioning to specific groups:
- Enter all or part of a group name in the Search groups field.
- A list of available groups appears. Select a group to add it and open a new search field.
- If necessary, add more groups and choose a scope.
- To remove any group you added, click next to it.
- Click Continue.
- Choose how long deprovisioning actions should be delayed before taking effect. The amount of time before deprovisioning takes effect can be set to: within 24 hours or after one, 7, or 30 days. Select at least one of these options:
- When an app is turned off for the user, suspend their account after [number of days].
- When a user is suspended on Google, suspend their account after [number of days].
- When a user is deleted from Google, suspend their account after [number of days].
- Click Finish.
- In the Auto-provisioning section, click the activation slider.
Note: The activation slider is disabled if Amazon Web Services isn’t turned on for any users. Click User access and turn the app on to enable the slider.
- In the confirmation dialog box, click Turn on.
Once provisioning is on, Google starts collecting usage information. You'll see the usage information in the Auto-provisioning section. There won't be any numbers next to the event names until you enable provisioning.
The following event names provide the usage information for the last 30 days:
- Create User By Auto Provisioning
- Update Auto Provisioned User
- Suspend Auto Provisioned User
- UnSuspend Auto Provisioned User
- Hard Delete Auto Provisioned User
- Failures
For more information, see Monitor automated user provisioning.
You may want to restrict the scope of provisioning to members of groups you define.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Open the Amazon Web Services application.
- Click the Auto-provisioning section to open the settings page.
- Under Provisioning scope, click Edit.
- Enter all or part of a group name in the Search groups field. A list of available groups appears.
- Select a group to add it and open a new search field.
- If necessary, add more groups and choose a scope.
- To remove any group you added, click next to it.
If a group has users from a secondary domain or from outside the organization, those users are not provisioned.
- Once you’re done, click Update.
The next time you edit provisioning scope, the groups you added appear in the Provisioning scope window. If you turned on the Amazon Web Services application for a set of organizational units, the provisioning scope is restricted to those users in the added groups who are also members of those organizations.
To disable auto-provisioning for the Amazon Web Services application without losing all the configuration information:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Open the Amazon Web Services application.
- Do one of the following:
- In the Auto-provisioning section, click the activation slider.
- Click the Auto-provisioning section to open the settings page, then click StatusTurn off.
- In the confirmation dialog box, click Turn off.
To define how long deprovisioning actions should be delayed before taking effect:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Open the Amazon Web Services application.
- Click the Auto-provisioning section to open the settings page.
- Under Deprovisioning, click Edit.
- Choose how long deprovisioning actions should be delayed before taking effect. The amount of time before deprovisioning takes effect can be set to: within 24 hours or after one, 7, or 30 days. Select at least one of these options:
- When an app is turned off for the user, suspend their account after [number of days].
- When a user is suspended on Google, suspend their account after [number of days].
- When a user is deleted from Google, suspend their account after [number of days].
- Click Update to save your edited deprovisioning configuration.
To disable auto-provisioning for the Amazon Web Services application and remove all the configuration information:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Open the Amazon Web Services application.
- Click the Auto-provisioning section to open the settings page.
- Under Delete configuration, click Delete.
- Click Delete to both deactivate auto-provisioning and remove all the configuration information.
Existing users on Amazon Web Services will not be deprovisioned.
If the admin password for Amazon Web Services has changed, automatic provisioning will stop working. In this case, the original authorization is revoked by Amazon Web Services, and you must reauthorize automatic provisioning.
- Follow the steps in Get the API access token for the Amazon Web Services application, above, to get a new access token from Amazon Web Services.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the Amazon Web Services application.
- Click the Auto-provisioning section to open the settings page.
- Under App authorization, click Reauthorize.
- Enter your Amazon Web Services access token, then click Re- authorize.
After reauthorization completes, you're returned to the Auto-provisioning settings page in the Admin console.
Note: Your third-party application might revoke authorization for reasons other than the admin password changing. These reasons can include account inactivity, for example. Check with the documentation for the third-party application for scenarios in which authorization can be revoked.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.