Google Workspace
Connects to the Google Workspace Admin SDK to pull your user directory and Chrome OS device inventory into Clariti. This gives you visibility into your Google-managed identities and endpoints alongside your other security assets.
What You'll Need
- Google Workspace super admin account
- A Google Cloud project (free to create)
- About 15 minutes
- A Clariti account with adapter setup permissions
This is the most involved adapter setup because Google requires three separate consoles (Cloud Console, Admin Console, and the service account page). Set aside 15 uninterrupted minutes and keep all three tabs open — it'll go smoother.
Configure in Google Cloud Console
Create a Google Cloud Project
Navigate to: console.cloud.google.com → Project selector → New Project
Go to console.cloud.google.com. Click the project selector dropdown at the top of the page, then click New Project.
- Project name:
Clariti Integration - Organization: Select your organization
- Location: Your organization
Click Create.
Use a descriptive project name like "Clariti Integration" — you'll likely have multiple GCP projects eventually and need to find this one quickly. Avoid generic names like "test" or "api-project."
Why: Google Cloud organizes API access by project. Clariti needs its own project to house the service account and API credentials.
Enable the Admin SDK API
Navigate to: APIs & Services → Library
Make sure your new project is selected in the project dropdown. Then navigate to APIs & Services → Library in the left sidebar.
Search for Admin SDK API and click on it. Click Enable.
This enables the Google Workspace Admin SDK for your project, which provides access to user directory and device data.
Why: Google Cloud APIs are disabled by default. You need to explicitly enable the Admin SDK so your service account can call it.
Create a Service Account
Navigate to: IAM & Admin → Service Accounts → Create Service Account
Navigate to IAM & Admin → Service Accounts in the left sidebar. Click Create Service Account.
- Service account name:
Clariti AI - Service account ID: Auto-generated (will look like
clariti-ai@your-project.iam.gserviceaccount.com)
Click Create and Continue. The next two steps (Grant access, Grant users access) are optional — click Continue then Done to skip them.
Why: A service account is Google's version of an application identity — it lets Clariti authenticate as a non-human entity rather than impersonating a real user.
Create a JSON Key
Navigate to: Service account details → Keys tab
Click on the service account you just created in the list. Go to the Keys tab. Click Add Key → Create new key → select JSON → click Create.
A JSON file downloads automatically. Save it securely — you'll paste its contents into Clariti.
Don't lose this JSON key file. While you can always create a new key, the old one can't be recovered. Store it somewhere secure until you've pasted it into Clariti.
Why: The JSON key file contains the private key that authenticates the service account. This is the credential you'll paste into Clariti.
Copy the Service Account Client ID
Navigate to: Service account details page
Still on the service account details page, find and copy the Unique ID (also called Client ID). This is a long numeric value — not the service account email address.
The numeric Client ID is on the service account details page, in the "Unique ID" field. It's a number like 123456789012345678. Don't confuse it with the service account email address.
Why: The numeric Client ID (different from the email address) is what you'll enter in the Google Admin console for domain-wide delegation.
Configure Domain-Wide Delegation
Open Domain-Wide Delegation Settings
Navigate to: admin.google.com → Security → Access and data control → API controls → Domain-wide delegation
Open a new tab and go to admin.google.com. Navigate to Security → Access and data control → API controls. Scroll down to Domain-wide delegation and click Manage Domain Wide Delegation.
Click Add new.
Domain-wide delegation lets a service account act on behalf of users in your organization — it's Google's equivalent of Microsoft's "Application permissions." Without it, the service account has no access to your Workspace data, even if the Admin SDK API is enabled.
Why: Domain-wide delegation authorizes the service account to access Workspace data on behalf of users in your organization. Without it, the service account exists but can't read any Workspace data.
Authorize the Service Account
Navigate to: Domain-wide delegation → Add new
In the Add new dialog:
- Client ID: Paste the numeric Client ID from Step 5
- OAuth scopes: Paste the following (comma-separated, no spaces between scopes):
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
Click Authorize.
Why: This step maps specific OAuth scopes (data access rights) to your service account, controlling exactly what data Clariti can read.
Copy Your Customer ID
Navigate to: admin.google.com → Account → Account settings
Still in the Admin console, go to Account → Account settings. Find and copy your Customer ID — it starts with "C" followed by numbers.
The Customer ID is NOT your domain name. It's the alphanumeric ID on the Account settings page that starts with "C" followed by numbers (like C03xyz123). Using your domain name (like company.com) will fail with a cryptic error.
The Customer ID is at admin.google.com → Account → Account settings, in the "Customer ID" field. It starts with a "C" followed by numbers.
Why: The Customer ID uniquely identifies your Google Workspace organization. Clariti needs it to know which tenant to query.
Enter Credentials in Clariti
Navigate to Adapters → Add Adapter → Google Workspace and enter your credentials:
| Value from vendor console | Paste into Clariti field |
|---|---|
JSON key file contents | Service Account Key (paste the entire JSON) |
Customer ID | Customer ID |
For the Service Account Key field, open the downloaded JSON file in a text editor, select all the contents, and paste the entire JSON blob into Clariti.
Verify Connection
Click Test Connection. Google Workspace connections typically verify within 15-30 seconds. The first sync pulls your user directory and Chrome OS devices (if any). User data usually appears within a few minutes.
Troubleshooting
401 Unauthorized Domain-wide delegation is not configured or the service account is not authorized. Go back to admin.google.com → Security → API controls → Domain-wide delegation and verify the service account's Client ID is listed with the correct OAuth scopes.
403 Forbidden The OAuth scopes in domain-wide delegation don't match what Clariti is requesting. Verify you pasted both scopes exactly as shown in Step 7, with no extra spaces or missing characters.
"Not Authorized to access this resource/api" Wrong Customer ID. Go to admin.google.com → Account → Account settings and verify you're using the Customer ID (starts with "C"), not your domain name or any other identifier.
"Service account not found" The Client ID entered in domain-wide delegation doesn't match the service account. Go back to the service account details in the Cloud Console, copy the numeric Unique ID again, and update the domain-wide delegation entry in the Admin console.
No data appearing after successful connection If the connection test passes but no users appear, verify that the Admin SDK API is enabled in the Cloud Console (Step 2). Also confirm the service account email has not been blocked in the Admin console's API controls.