Sync with Google Workspace
This article will help you get started using Directory Connector to sync users and groups from your Google Workspace (formerly "G Suite") Directory to your Bitwarden organization.
To set up directory sync with Google Workspace (formerly "G Suite"), you will need access to the Google Workspace Admin Portal and the Google Cloud Platform (GCP) Console. Directory Connector requires information obtained from these steps (a service account key and an authorized client ID) to function properly.
Complete the following steps to create a Google Cloud project to use to connect Directory Connector to your directory. If you already have a Google Cloud project available, skip to Enable Admin SDK:
In the GCP Console, select the Create Project button.
Enter a Bitwarden-specific name for the project (for example, `bitwarden-dc-project`) and select the Create button.
Complete the following steps to enable the Admin SDK API, to which Directory Connector will make requests:
In the GCP Console, select the created or pre-existing project.
From the left-hand navigation, select APIs & Services → Library.
In the search box, enter `Admin SDK` and open the Admin SDK API service.
Select the Enable button.
Complete the following steps to create a service account to use when making API calls:
In the GCP Console, select the created or pre-existing project.
From the left-hand navigation, select APIs & Services → Credentials.
Select the Create Credentials button, and select Service account from the dropdown.
Fill in the Service account details section, and select the Create button.
In the Grant this service account access to project section, select Project → Owner from the Role dropdown and select the Continue button.
Select the Done button.
Complete the following steps to obtain the appropriate permissions for the created service account:
In the GCP Console, select the created or pre-existing project.
From the left-hand navigation, select IAM & Admin → Service Accounts.
Select the created service account.
On the Service Account Details page, select the Add Key button and select Create new key from the dropdown.
Select the Key type JSON and select the Create button to download a JSON-formatted key to your local machine.
Back on the details tab of your service account, select the Advanced settings drop-down.
Enter a Product name for the consent screen.
Select the Configure link in the text box with the text “An OAuth consent screen must be configured in order to create an OAuth client".
Choose a User Type of Internal and select Create.
Give your app a name, like “Bitwarden Directory Connector,” and at a minimum supply a User Support and Developer Contact email address. Select Save and Continue.
Select Add or remove scopes, and in the Manually add scopes section, paste the following:
```
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly
```
Select Add to table and then Update.
Click Save, Continue, and finally Back to Dashboard.
Complete the following steps to authorize the client to read your directory:
Open the Google Admin Portal.
From the left-hand navigation, select Security → API Controls.
Select the Manage Domain Wide Delegation button.
Select the Add new button.
In the Client ID field, paste the created Client ID.
To retrieve the created Client ID, open the GCP Console and navigate to API & Services → Credentials.
In the OAuth scopes field, paste the following value to grant only read access:
```
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly
```
Select the Authorize button.
Complete the following steps to configure Directory Connector to use your Google directory:
Open the Directory Connector desktop app.
Navigate to the Settings tab.
From the Type dropdown, select G Suite (Google).
The available fields in this section will change according to your selected type.
Enter the Domain of your Google account.
Enter the email address of an Admin User with full access to your Google directory.
If you have one, enter the Customer ID of your directory. Many users will not have or be required to enter a Customer ID.
Select the Choose File button and select the downloaded JSON key.
Tip: When you're finished configuring, navigate to the More tab and select the Clear Sync Cache button to prevent potential conflicts with prior sync operations. For more information, see Clear Sync Cache.
Complete the following steps to configure the settings used when syncing with Directory Connector:
Open the Directory Connector desktop app.
Navigate to the Settings tab.
In the Sync section, configure the following options as desired:
| Option | Description |
|---|---|
| Interval | Time between automatic sync checks (in minutes). |
| Remove disabled users during sync | Check this box to remove users from the Bitwarden organization that have been disabled in your directory. |
| Overwrite existing organization users based on current sync settings | Check this box to always perform a full sync and remove any users from the Bitwarden organization if they are not in the synced user set. |
| More than 2000 users or groups are expected to sync | Check this box if you expect to sync 2000+ users or groups. If you don't check this box, Directory Connector will limit a sync to 2000 users or groups. |
| Sync users | Check this box to sync users to your organization. |
| User Filter | See Specify sync filters. |
| Sync groups | Check this box to sync groups to your organization. |
| Group Filter | See Specify sync filters. |
Use comma-separated lists to include or exclude entries from a sync based on user email or group name. The Admin SDK API provides limited filtering capabilities for users and groups through its `query` parameter; to learn more, refer to Google's Admin SDK API documentation.
User filters
The following filtering syntaxes should be used in the User Filter field:
Include/Exclude users by email
To include or exclude specific users from a sync based on email address:
```
include:joe@example.com,bill@example.com,tom@example.com
```
```
exclude:joe@example.com,bill@example.com,tom@example.com
```
Concatenate with query
To concatenate a user filter with the `query` parameter, use a pipe (`|`):
```
include:john@example.com,bill@example.com|orgName=Engineering orgTitle:Manager
```
```
exclude:john@example.com,bill@example.com|orgName=Engineering orgTitle:Manager
```
Use only query
To use only the `query` parameter, prefix the query with a pipe (`|`):
```
|orgName=Engineering orgTitle:Manager
```
Group filters
Note: Syncing nested groups is not supported by Google Workspace.
The following filtering syntaxes should be used in the Group Filter field:
Include/Exclude groups
To include or exclude groups from a sync based on Group Name:
```
include:Group A,Group B
```
```
exclude:Group A,Group B
```
Include groups with wildcard
```
|name:*marketing*
```
Wildcards (`*`) are supported on both sides of the search parameter, and the search is not case sensitive.
Concatenate with query
To concatenate a group filter with the `query` parameter, use a pipe (`|`):
```
include:name='Engineering'|email:admin*
```
```
exclude:name='Engineering'|email:admin*
```
Use only query
To use only the `query` parameter, prefix the query with a pipe (`|`):
```
|memberKey=user@company.com
```
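The user and group filter syntaxes above share one shape: an optional `include:`/`exclude:` comma-separated list, optionally followed by a pipe and an Admin SDK `query`. The following is an added example (not Directory Connector's own code) that parses that shape and applies the include/exclude half to a constructed list of directory entries; the query half is returned untouched, since the Admin SDK evaluates it server-side. Case-insensitive matching of the list entries is an assumption of this example.

```typescript
// Added example: parser for the User Filter / Group Filter syntax described
// on this page. Not part of Directory Connector; the behaviour of the
// include/exclude list is reconstructed from the examples above.

interface ParsedFilter {
  mode: "include" | "exclude" | null; // null when only a query was given
  list: string[];                     // emails (users) or group names (groups)
  query: string | null;               // raw Admin SDK `query`, passed through
}

function parseFilter(filter: string): ParsedFilter {
  const trimmed = filter.trim();
  // A pipe separates the include/exclude list from the Admin SDK query.
  const pipe = trimmed.indexOf("|");
  const listPart = (pipe === -1 ? trimmed : trimmed.slice(0, pipe)).trim();
  const rawQuery = pipe === -1 ? "" : trimmed.slice(pipe + 1).trim();
  const query = rawQuery.length > 0 ? rawQuery : null;
  if (listPart === "") {
    return { mode: null, list: [], query };
  }
  const m = /^(include|exclude):(.*)$/i.exec(listPart);
  if (m === null) {
    // Reject anything that is neither a list nor a pure query, rather than
    // silently syncing an unfiltered directory.
    throw new Error(`unrecognized filter prefix: ${listPart}`);
  }
  const list = m[2]
    .split(",")
    .map((s) => s.trim().toLowerCase()) // assumption: list matching is case-insensitive
    .filter((s) => s.length > 0);
  return { mode: m[1].toLowerCase() as "include" | "exclude", list, query };
}

// Apply the include/exclude half to entries returned by the directory.
function applyFilter(entries: string[], parsed: ParsedFilter): string[] {
  if (parsed.mode === null) {
    return entries.slice(); // no local list: only the server-side query applies
  }
  const wanted = new Set(parsed.list);
  return entries.filter((e) => {
    const hit = wanted.has(e.trim().toLowerCase());
    return parsed.mode === "include" ? hit : !hit;
  });
}

// Constructed sample directory entries, for illustration only.
const sampleUsers = ["joe@example.com", "Bill@Example.com", "ann@example.com"];
const sampleGroups = ["Group A", "Group B", "Group C"];
```

Running `applyFilter(sampleUsers, parseFilter("include:joe@example.com,bill@example.com|orgName=Engineering orgTitle:Manager"))` keeps only Joe and Bill locally, while the `orgName=Engineering orgTitle:Manager` part is what would be sent as the Admin SDK `query`.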
Tip: Before testing or executing a sync, check that Directory Connector is connected to the right cloud server (e.g. US or EU) or self-hosted server. Learn how to do so with the desktop app or CLI.
To test whether Directory Connector will successfully connect to your directory and return the desired users and groups, navigate to the Dashboard tab and select the Test Now button. If successful, the users and groups matching the specified sync options and filters are printed to the Directory Connector window.
Once sync options and filters are configured and tested, you can begin syncing. Complete the following steps to start automatic syncing with Directory Connector:
Open the Directory Connector desktop app.
Navigate to the Dashboard tab.
In the Sync section, select the Start sync button.
You may alternatively select the Sync now button to execute a one-time manual sync.
Directory Connector will begin polling your directory based on the configured sync options and filters.
If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.
Note: If you're on the Teams Starter plan, you are limited to 10 members. Directory Connector will display an error and stop syncing if you try to sync more than 10 members. This plan is no longer available for purchase. This error does not apply to Teams plans.