Google Workspace Configuration
Twingate integrates with Google Workspace in order to synchronize user accounts, delegate user authentication to Google, and optionally enable group synchronization.
User and group synchronization are performed using the Google Workspace Directory API, authorized via OAuth. In order to enable synchronization, an admin must authorize Twingate to access user and group information for your Google Workspace domain. This connection is initiated from the Identity Provider subsection of Settings in the Twingate Admin Console.
Google Workspace API permissions
Twingate requires the permission to read Google Workspace groups to function, even if you do not choose to enable Twingate Group synchronization. (Group synchronization is disabled by default.)
Twingate delegates user authentication to Google. The user’s email address must match the Google Workspace domain or domains you have configured for access to be authorized. Users without an address matching your configured domain or domains will not be able to authenticate and use Twingate.
This domain restriction also applies to admin users of the Twingate Admin Console. Additional admin users can be set within the Twingate Admin Console.
Twingate supports multiple domains configured as part of the same Google Workspace account. You may add additional domains by going to Settings > Identity Provider and selecting ”+ Add Domain” in the Google Workspace settings.
You will only be able to add domains that have already been configured and authorized in Google Workspace. See the Google Workspace documentation for more information.
Google Workspace sync with Twingate
The Google Workspace Directory API does not currently provide capabilities for real-time sync for groups and OUs. Only user changes are updated in real-time, received via webhook updates. The current polling period for groups and OUs is 1 hour, which is the maximum time period for group and OU changes to be reflected in Twingate.
Only users that are active in your Google Workspace domain will be able to sign in to your Twingate Network. Inactive users will also be synced, but will be marked as inactive in Twingate and unable to sign in. Once synced, users can be given access to Twingate Resources based on Group membership.
User billing in Twingate
Twingate does not automatically charge for all users synced between your Google Workspace domain and Twingate. See our suscription management FAQ for more information.
By default, Google Workspace group sync is disabled within the Twingate admin console. If you would like Twingate to sync groups, edit the Identity Provider sync settings via the
... action menu.
If Group Sync is disabled at a later time, all groups that have access to a resource will be converted into a Twingate group. Groups that do not have access to any resources will be removed.
Organizational Unit Sync
By default, Google Workspace Organizational Unit (OU) sync is disabled within the Twingate admin console. If you would like Twingate to sync OUs, edit the Identity Provider sync settings via the
... action menu.
If Organizational Unit Sync is disabled at a later time, all OUs that have access to a resource will be converted into a Twingate group. OUs that do not have access to any resources will be removed.
User and group synchronization is performed via the Google Workspace API. In order to enable synchronization, an admin must authorize Twingate to access user and groups information for your Google Workspace domain. This is done from the Identity Provider subsection section of Settings in the Twingate Admin Console.
Minimum admin permissions
The user authorizing user sync must have one of the following admin roles in G Suite:
- A Super Admin
- A Groups Admin
- A User Management Admin
- A Help Desk Admin
- A custom admin role with at least a “Users: Read” and “Groups: Read” permissions under the Admin API.
(More information on Google Workspace administrator roles can be found in Google’s Help Center.)
API access control
If attempts to authorize Twingate access to your Google Workspace account fail with an authorization error, you likely have restricted access to third party applications. You can verify this in the Security > API Controls > Manage Google Services section of your Google Workspace admin console, by checking if Google Workspace Admin is listed as a Restricted.
In order to complete the process of connecting Twingate to Google Workspace, there are two options:
- Change Google Workspace Admin to Unrestricted
- In Security > API Controls > Manage Third-Party App Access, find Twingate and click Change access. Select Trusted: Can access all Google services and click Change.
Twingate only syncs the information that is necessary to provide our service:
- User first and last names
- User email addresses
- User avatars
- Group membership (if Group Sync is enabled)
Last updated 8 hours ago