Google Workspace Enterprise Authentication Tied to One User

Problem statement

We recently had an employee leave whose credentials were somehow tied to the Google Workspace Enterprise Authentication SSO that we have configured. When we removed that user, it stopped all authentication from being able to occur until we had another person who had administrative permissions on the Google Workspace re-grant Auth0’s permissions via the URL in the Setup Tab of the SSO setup.

We would like to understand how the permissions between the Google Workspace Enterprise Authentication SSO configuration are tied to Google Workspace better so that we can prevent a similar outage from occurring in the future. It seems like the permissions are somehow tied to the administrator who granted the permissions. We would like to know how we could set up the SSO configuration so that it’s not tied to a specific employee’s user account, as well as any details you would be able to provide on how the integration is tied specifically to the administrator who granted the permissions.

Symptoms

  • The Google Workspace Enterprise connection stops allowing logins after the Workspace admin who authorized it is deleted.

Cause

  • Fetching the extended attributes requires calling the Google Directory API with an admin’s access token, not the client’s own credentials. That token is obtained when an admin authorizes the connection via the link on its Setup tab, so the connection depends on that admin’s account.

  • If the admin who set up the connection is deleted, Google rejects those tokens because they are no longer associated with a valid account, and logins through the connection fail.
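The dependency described above can be checked before an admin is offboarded rather than discovered as a login outage. The following is an added example (not Auth0’s or Google’s code) that issues a minimal Google Directory API call with the admin access token the connection relies on and turns the response into an operator verdict; the HTTP transport is injectable so the check runs offline against constructed responses, and `ADMIN_TOKEN_PLACEHOLDER` stands in for the real token.

```python
"""Health check for the admin authorization behind a Google Workspace
Enterprise connection (added example; the token value and the injectable
http_get transport are assumptions, not part of the original article)."""
import json
from dataclasses import dataclass
from typing import Callable, Tuple

# Real Directory API endpoint; a one-user listing is the cheapest call that
# still requires a valid admin token.
DIRECTORY_USERS_URL = "https://admin.googleapis.com/admin/directory/v1/users"


@dataclass
class CheckResult:
    healthy: bool
    reason: str


def classify_response(status: int, body: str) -> CheckResult:
    """Map a Directory API HTTP response to an operator-facing verdict."""
    if status == 200:
        return CheckResult(True, "admin token accepted by Directory API")
    try:
        err = json.loads(body).get("error", {})
    except json.JSONDecodeError:
        err = {}
    code = err.get("status") or err.get("message") or "unknown"
    if status == 401:
        return CheckResult(False, f"token rejected ({code}): authorizing admin account is "
                                  "likely deleted or suspended; reauthorize from the connection's Setup tab")
    if status == 403:
        return CheckResult(False, f"token lacks Directory API scope or admin role ({code})")
    return CheckResult(False, f"unexpected HTTP {status} ({code})")


def check_admin_authorization(admin_token: str,
                              http_get: Callable[[str, dict], Tuple[int, str]]) -> CheckResult:
    """Call the Directory API with the admin's token; http_get returns (status, body)."""
    headers = {"Authorization": f"Bearer {admin_token}"}
    url = f"{DIRECTORY_USERS_URL}?customer=my_customer&maxResults=1"
    status, body = http_get(url, headers)
    return classify_response(status, body)


# Constructed sample responses (not captured from Google) for offline use.
SAMPLE_OK = (200, json.dumps({"kind": "admin#directory#users", "users": []}))
SAMPLE_REVOKED = (401, json.dumps({"error": {"code": 401, "status": "UNAUTHENTICATED",
                                             "message": "Request had invalid authentication credentials."}}))

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_REVOKED):
        print(check_admin_authorization("ADMIN_TOKEN_PLACEHOLDER", lambda u, h: sample))
```

Run this as part of the offboarding checklist (or on a schedule) with a real transport such as `requests.get`; an unhealthy result means the connection should be reauthorized by another admin before the account is removed.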

Solution

Another Google Workspace admin needs to use the link found on the Setup tab of the relevant Google Workspace Enterprise connection to reauthorize the application for API access. Because the connection then depends on that admin’s account, perform the authorization with an admin account that is not tied to an individual employee’s departure, and reauthorize before deleting whichever account currently holds it.