Google Workspace SSO + SCIM

For tenants using Google Workspace as their primary IdP. Total time: 10 minutes.

  1. In Claresia Onboarding Portal, click Configure SSO (Step 4). Choose the Google Workspace tab. Copy the ACS URL + Audience URI.

  2. In Google Admin Console (admin.google.com), go to Apps → Web and mobile apps → Add app → Add custom SAML app.

    • App name: Claresia
    • App icon: upload from docs.claresia.com/brand/claresia-mark.svg
  3. On the Google Identity Provider details page, download the IdP metadata (XML). Keep it handy for Step 8.

  4. Service provider details:

    • ACS URL: paste from portal
    • Entity ID: paste Audience URI from portal
    • Name ID format: EMAIL
    • Name ID: Basic Information > Primary email
  5. Attribute mapping:

    | Google Directory attribute | App attribute |
    |----------------------------|---------------|
    | Primary email              | email         |
    | First name                 | firstName     |
    | Last name                  | lastName      |
    | Department (optional)      | department    |
  6. Group membership (Optional but recommended):

    • Add a group filter: claresia-* → mapped to groups attribute.
  7. Click Finish. On the next page, enable the app for your Org Unit (or for everyone).

  8. Back in Claresia Onboarding Portal, upload the IdP metadata XML you downloaded in Step 3 → click Test login → authenticate as a Google Workspace user → green check.

Part 2 — SCIM provisioning (via Google Cloud Identity)

Google Workspace uses Google Cloud Identity for SCIM. Premium edition (or Cloud Identity Premium) is required for SCIM endpoints.

  1. In Claresia Onboarding Portal, copy the SCIM endpoint URL + bearer token.

  2. In Google Admin Console, open Apps → Web and mobile apps → Claresia → Auto-provisioning → Configure.

  3. Authorization Method: Bearer Token → paste the bearer token.

  4. Endpoint URL: paste the SCIM endpoint URL.

  5. Verify connection — should return success.

  6. Attribute mapping:

    • Primary email → userName
    • First name → name.givenName
    • Last name → name.familyName
    • Add Groups → groups
  7. Provisioning scope: choose the Org Units to provision (your claresia-* groups + claresia-users).

  8. Activate. Initial sync runs within 5 minutes.

  9. Back in portal, click Sync now to force an immediate pull. User counts should update within 60 seconds.

| Google group                      | Claresia role |
|-----------------------------------|---------------|
| claresia-admins@yourcompany.com   | tenant_admin  |
| claresia-auditors@yourcompany.com | auditor       |
| claresia-users@yourcompany.com    | member        |

Group emails must be created in Google Groups first (groups.google.com/a/yourcompany.com).

When a user is suspended in Google Admin (or removed from all claresia-* groups), Google Cloud Identity sends a SCIM PATCH within 5 minutes (forcing a sync from the Claresia portal cuts this to under 60 seconds). Claresia revokes the JWT and removes skill entitlements immediately.
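
The deactivation PATCH described above, as an added example (not Claresia's or Google's code) showing how a SCIM receiver can recognise it in the RFC 7644 PatchOp format, including the path-less and string-boolean variants some clients send. The function names, the in-memory session store and the sample bodies are assumptions constructed for this illustration.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _as_bool(value):
    """Accept JSON true/false and the string forms some SCIM clients send."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")

def patch_sets_active(body):
    """Return True/False if the PatchOp sets `active`, None if it leaves it alone."""
    doc = json.loads(body)
    if PATCH_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = None
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):
            # Path-less form: value is a map of attributes to set.
            for key, val in value.items():
                if key.lower() == "active":
                    result = _as_bool(val)
        elif isinstance(path, str) and path.lower() == "active":
            result = _as_bool(value)  # explicit-path form
    return result

def handle_user_patch(user_id, body, sessions):
    """Hypothetical receiver: revoke all sessions of a user the IdP deactivated."""
    if patch_sets_active(body) is False:
        return sessions.pop(user_id, [])  # list of revoked session ids
    return []

# Constructed sample bodies, not captured from Google or Claresia.
def _patch(*ops):
    return json.dumps({"schemas": [PATCH_SCHEMA], "Operations": list(ops)})

SUSPEND_WITH_PATH = _patch({"op": "replace", "path": "active", "value": False})
SUSPEND_NO_PATH = _patch({"op": "Replace", "value": {"active": "False"}})
RENAME_ONLY = _patch({"op": "replace", "path": "name.givenName", "value": "Ada"})

if __name__ == "__main__":
    store = {"u1": ["sess-a", "sess-b"], "u2": ["sess-c"]}
    print(handle_user_patch("u1", SUSPEND_NO_PATH, store), store)
```
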

| Symptom | Cause | Fix |
|---------|-------|-----|
| SCIM “Provisioning is paused” | Token expired or rotated | Re-generate from portal, re-enable in Google Admin |
| Users provisioned but no groups | Group scope not enabled | Add Groups to SCIM scope in Step 6 |
| Test login returns “Email not provisioned” | User not in any claresia-* group | Add them, wait 5 min, retry |