How to fetch Groups for G Suite Users?

BenjaminSimonsson · June 3, 2020, 1:01pm

Hi!

I’m currently testing out Auth0 with a G Suite Enterprise Connection against our testing G Suite domain. I’ve also added an SSO application with OpenID in one of our applications for testing the login itself.

While the Enterprise Connection itself works I’ve been unable to set it up so that a Users’ groups are included in OpenID data.

From previous topics in this community, it appears that some kind of Google Admin scopes needs to be set for the Google Consent Screen page, but it’s unclear exactly which scopes these are:

At most, it just says

the Google Admin scopes have to be added on the consent screen stage

without going into any further detail exactly which scopes these are.

Just like the person in the above second link I’ve tested with the following two scopes enabled in Google’s console, but without any changes in the OpenID response:

https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly

I’ve already enabled Groups as an Extended Attribute in the Auth0 Connection’s configuration page, so nothing more should have to be done from the Auth0 end.

Does anyone know which scopes need to be set so that Auth0 can fetch User’s groups from G Suite?

sidharth.chaudhary · August 7, 2020, 4:55am

Hey @BenjaminSimonsson, Posting here as well for more visibility:

Series of steps which worked for me, please execute them in order below:

Gsuite Account:

Configure the Gsuite account, I configured my self as the domain administrator for the gsuite account.
In the developer console register the application to be used with the Gsuite connection.
For Groups information you will need to enable the Google Admin SDK API in the developer console for the application.

I think you are familiar with all the steps above.

Next on Auth0 Tenant:

Create a Gsuite enterprise connection.
Enter the fields with domain, client Id and secret obtained from developer console of google, select Groups from Extended attributes, Create the connection , once connection is created there is a setup tab which will come up in the connection, have attached a screen shot for reference.

This is the important part, in the setup tab, if you are the domain administrator click continue
Once you click continue, it will take your to domain administrator login page for google Gsuite account.

Once you login, it will ask for the view groups authorisation, have attached the screen shot, Once domain admin will allow it, authorisation will be successful

Once the authorisation is successful you can enable the Gsuite login in your app, and should be able to see groups property in User profile after a new login attempt.

system · August 22, 2020, 5:01am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting groups for Google Enterprise connection - which scopes do I add? Help google , enterprise	1	4565	December 17, 2019
No Groups information for Enterprise Google connection? Help google-apps	10	7201	April 11, 2019
App_metadata not being fetched from google-apps? Help app_metadata	5	4089	March 13, 2019
How to map users' roles or groups from Google for use in Auth0? Help user-profile , user-management	5	450	May 16, 2024
Specifying use of enterprise connection over social connection at application level Help connections , oidc-enterprise-connection	0	1203	June 27, 2023

How to fetch Groups for G Suite Users?

Related Topics