Skip to main content

Overview

This guide walks you through configuring Google Workspace as your identity provider for Bifrost Enterprise. The integration has two pieces:
  1. OAuth 2.0 login — users sign in to Bifrost with their Google Workspace accounts via a Google OAuth Client ID.
  2. Directory API provisioning (optional) — a Google service account with domain-wide delegation lets Bifrost list users and groups from the Workspace directory for bulk import and team sync.
You can run login-only (no service account) or full provisioning (with service account + domain-wide delegation).

Prerequisites

  • A Google Workspace domain with Super Admin access to the Admin console
  • A Google Cloud project where you can create OAuth clients and service accounts
  • Bifrost Enterprise deployed and accessible
  • The redirect URI for your Bifrost instance (e.g. https://your-bifrost-domain.com/login)
  • Bifrost roles created for the roles you plan to map
  1. In the Google Cloud Console, go to APIs & Services → OAuth consent screen.
Google OAuth consent screen configuration
  1. Choose Internal if you only want Workspace users, or External otherwise.
  2. Fill in App name, support email, and developer contact.
  3. Add the scopes: openid, profile, email.
  4. Save.

Step 2: Create an OAuth Client ID

  1. Open APIs & Services → Credentials → Create credentials → OAuth client ID.
Creating a Google OAuth Web Application Client ID
  1. Configure:
FieldValue
Application typeWeb application
NameBifrost Enterprise
Authorized JavaScript originshttps://your-bifrost-domain.com
Authorized redirect URIshttps://your-bifrost-domain.com/login
  1. Save and copy the Client ID and Client Secret.

Step 3: (Optional) Create a service account for Directory API access

Skip this section if you only want SSO login without directory-based user import.
  1. Go to IAM & Admin → Service Accounts → Create service account.
Creating a Google service account
  1. Give it a name (e.g. bifrost-provisioning). You can skip the “Grant this service account access to project” step — no GCP IAM roles are required; access is granted via domain-wide delegation in Step 5.
  2. Open the service account → Keys → Add Key → Create new key → JSON. Download and store the JSON file securely.
  3. From the service account Details tab, copy the Unique ID (a numeric value, not the email or OAuth Client ID).

Step 4: Enable the Admin SDK API

If you’re using the service account path:
  1. Open APIs & Services → Library.
  2. Search for Admin SDK API and click Enable.

Step 5: Set up domain-wide delegation

  1. In the Google Admin Console, go to Security → Access and data control → API controls → Manage Domain Wide Delegation.
Google Workspace Domain-Wide Delegation configuration
  1. Click Add new.
  2. Enter the service account’s Unique ID (from Step 3).
  3. Add these OAuth scopes (copy the full URLs, comma-separated):
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly
  1. Authorize.
Domain-wide delegation requires impersonating an admin user. Pick an admin email that will persist (e.g. a dedicated [email protected]) — Bifrost uses this as the Admin Email in configuration.

Step 6: Configure Bifrost

Using the Bifrost dashboard

  1. In Bifrost, go to Governance → User Provisioning.
  2. Select Google Workspace as the SCIM Provider.
  3. Fill in the fields:
FieldValue
DomainYour Google Workspace primary domain (e.g. company.com)
Client IDOAuth Client ID from Step 2
Client SecretOAuth Client Secret from Step 2
AudienceOptional override (defaults to Client ID)
Admin EmailAdmin user to impersonate for Directory API (Step 5)
Service Account SourceChoose one: Paste JSON / Environment variable / File path
Service Account JSON / Env Var / FileThe value for the chosen source
Bifrost Google Workspace configuration form
  1. Click Verify — Bifrost validates the OAuth client and, if a service account is provided, attempts a Directory API impersonation to confirm delegation is working.
  2. Configure Attribute → Role / Team / Business Unit mappings to map groups or organizational units to Bifrost roles and teams.
  3. Toggle Enabled and click Save Configuration.

Using config.json

{
  "scim_config": {
    "enabled": true,
    "provider": "google",
    "config": {
      "domain": "company.com",
      "clientId": "123-abc.apps.googleusercontent.com",
      "clientSecret": "${GOOGLE_WORKSPACE_CLIENT_SECRET}",
      "adminEmail": "[email protected]",
      "serviceAccountEnvVar": "GOOGLE_SA_JSON",
      "teamIdsField": "groups"
    }
  }
}
Pick one of the three service-account sources: serviceAccountJson (raw JSON string), serviceAccountEnvVar (env var name holding the JSON), or serviceAccountFile (absolute path to the key file).

Custom attribute mapping

You can also map any custom attributes to any entity (role, team or business unit). Make sure these are configured to send back to Bifrost in token configuration.
Attribute Mappings configuration in Bifrost

Configuration reference

FieldRequiredDescription
domainYesGoogle Workspace primary domain (e.g. company.com).
clientIdYesOAuth 2.0 Web Client ID from Step 2.
clientSecretYesClient Secret — required for token revocation and for confidential server-side flows.
audienceNoExpected JWT audience. Defaults to clientId.
adminEmailYesWorkspace admin to impersonate via domain-wide delegation. Required when any service-account field is set.
serviceAccountJsonOne of 3Raw JSON string of the service account key.
serviceAccountEnvVarOne of 3Name of the environment variable containing the JSON.
serviceAccountFileOne of 3Absolute path to the JSON key file on the Bifrost host.
attributeRoleMappingsYesOrdered list of attribute→role mappings.
attributeTeamMappingsNoAttribute→team mappings (all matches apply).
attributeBusinessUnitMappingsNoAttribute→business-unit mappings (all matches apply).
Bifrost rejects configs that set a service-account credential source without adminEmail — domain-wide delegation cannot work without an impersonation subject.

Testing the Integration

  1. Open the Bifrost dashboard in an incognito window.
  2. You’re redirected to accounts.google.com; sign in with a Workspace user.
  3. Verify you land on the Bifrost dashboard and appear under Governance → Users.
  4. If provisioning is configured, open Governance → User Provisioning → Import Users, filter by a Workspace group, click Preview, and confirm users show up.

Troubleshooting

admin_policy_enforced or access_denied during OAuth

  • The Workspace admin has blocked third-party OAuth apps. In the Admin Console, go to Security → Access and data control → API controls and allow the Bifrost OAuth client.

unauthorized_client: Client is unauthorized to retrieve access tokens

  • The service account Unique ID and scopes in Domain-Wide Delegation don’t match. Re-enter the Unique ID (the numeric value from the service account’s Details tab, not the OAuth client ID).

Not Authorized to access this resource/api from Directory API

  • The impersonated adminEmail is missing the User Management Admin role. Promote them in Admin Console → Admin roles.
  • The Admin SDK API is not enabled on the Cloud project.
  • On the OAuth consent screen, ensure the app is Published (or Internal for Workspace-only apps) so it doesn’t stay in testing mode.

domain_mismatch

  • The primary domain in the Workspace does not match the domain field. Use the primary domain, not an alias.

Next Steps