Google Workspace Integration
Connect Furl to Google Workspace using a service account with domain-wide delegation.
Description
Used as the customer’s user directory. Furl leverages this integration to map users to devices, support user targeting in remediations, and enrich context for accountability.
Configuration Steps
- In the Google Cloud Console, create a new service account or use an existing one.
- Generate a key in JSON format and save it securely.
- Ensure the service account has domain-wide delegation enabled.
- In the Admin Console (https://admin.google.com), navigate to:
  - Security > Access and data control > API Controls > Domain-wide Delegation
- Add the Client ID from the service account and authorize required scopes:
  - https://www.googleapis.com/auth/admin.directory.user.readonly
  - https://www.googleapis.com/auth/admin.directory.group.readonly
  - https://www.googleapis.com/auth/admin.directory.group.member.readonly
Required Configuration
Provide the following in Furl:
- Credentials JSON – Paste the contents of the JSON file
- Impersonate User – Email address of an admin user with Directory API read permissions (see best practices below)
Best Practice: Use a Dedicated Integration Account
We strongly recommend creating a dedicated, non-human admin account for this integration (e.g., furl-integration@yourdomain.com or integrations-admin@yourdomain.com).
Why this matters: If you use a real employee’s email and that person leaves your organization, the integration will break when their account is deprovisioned. A dedicated integration account ensures continuity regardless of personnel changes.
Setup recommendations:
- Create a dedicated Google Workspace user that is not tied to any individual employee
- Assign a custom admin role with only the permissions Furl requires (Directory read access), rather than full Super Admin
- Document ownership of this account with your IT or Security team
- Do not use this account for interactive logins
Supported Capabilities
Datasources
- Users → Import user directory information to map users to devices and support user targeting in remediations
- Groups → Import group memberships to understand organizational structure and support group-based targeting
Actions
Currently no actions are supported for this integration.
Security Considerations
This integration uses read-only scopes and cannot modify your directory data. Domain-wide delegation allows a service account to access data on behalf of users in your domain. For additional security guidance, refer to Google’s domain-wide delegation best practices.
Troubleshooting
- Ensure the service account has domain-wide delegation enabled
- Verify all required scopes are authorized in the Admin Console
- Confirm the impersonate user account is active and has the required admin permissions
- If the integration stops working after an employee departure, update the impersonate user to an active admin account (ideally a dedicated integration account)
- Check that the JSON credentials file is properly formatted
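An offline preflight for the two values entered under Required Configuration, shown as an added example (not Furl's code; `preflight`, `KEY_FIELDS` and the sample key are hypothetical names and constructed values). It checks the pasted key's shape, returns the Client ID to authorize in the Admin Console, and builds the unsigned claim set a delegated token request carries, where `sub` is the impersonated user; it neither signs nor contacts Google.

```python
import json
import time

# The three read-only Directory API scopes from the configuration steps.
REQUIRED_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
]
KEY_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")

# Constructed sample key: placeholder values only, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "furl-directory@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def preflight(credentials_json, impersonate_user, now=None):
    """Return (problems, client_id, claims) for a pasted key and admin email."""
    try:
        key = json.loads(credentials_json)
    except json.JSONDecodeError as exc:
        return [f"credentials are not valid JSON: {exc.msg}"], None, None
    if not isinstance(key, dict):
        return ["credentials JSON must be an object"], None, None
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pk = key.get("private_key")
    if pk and "BEGIN PRIVATE KEY" not in str(pk):
        problems.append("private_key is not a PEM block (truncated paste?)")
    if impersonate_user.count("@") != 1:
        problems.append("impersonate user must be a full email address")
    if problems:
        return problems, key.get("client_id"), None
    iat = int(now if now is not None else time.time())
    claims = {
        "iss": key["client_email"],          # the service account itself
        "sub": impersonate_user,             # the user it acts as via delegation
        "scope": " ".join(REQUIRED_SCOPES),  # space-delimited, all read-only
        "aud": key["token_uri"],
        "iat": iat, "exp": iat + 3600,       # assertion lifetime is at most one hour
    }
    return [], key["client_id"], claims
```

An empty `problems` list only means the inputs are well-formed; whether the Client ID and scopes are actually authorized is decided in the Admin Console.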