• Log in to the Google Admin console, and go to IAM and admin > Create a project. 

• Enter Project name, assign this project to an organisation and click CREATE. 

• After that, you will be directed to the main dashboard of your project.

• From the main dashboard of your project, go to APIs and services > Credentials. 

• Click Configure consent screen.

• You're now on the OAuth overview dashboard. Click the blue Get started button in the middle.

• You're now on the App Information step of the OAuth consent screen configuration. Enter a name that clearly identifies the app, and select the email users should contact for any OAuth-related queries.

• You're now on the Audience step of the OAuth consent screen setup. Select Internal. 

• Enter a valid developer contact email so Google can reach you for alerts or app-related issues. Tick the checkbox to agree to the Google API services user data policy and click Create to complete the OAuth consent screen setup.

• On the OAuth overview screen, click the Create OAuth client button to begin setting up your OAuth 2.0 credentials for the app. 

• On the Create OAuth client ID screen, select Web application as the Application type, and enter a name (e.g., PureDome OIDC Integration) 

• Scroll down to the Authorised redirect URIs section, enter the following callback URL and then click the Create button to generate your OAuth client ID. 

https://login.puredome.com/oauth2/callback

• Copy the Client ID and Client secret values for later use.

• Copy the following URL (to be used as issuer URL for later use):

https://accounts.google.com 

• From Google Admin console, go to Directory > Organizational units. 

• Click Create organizational unit. 

• Enter a Name of organizational unit and click CREATE. 

• The organization name just created will be visible under all Organizational units under your Google Admin workspace. Now, we need to assign internal users to this organizational unit. 

• Go to Directory > Users, and search the name of the user you intend to assign to your organizational unit.

• On the user's interface, click CHANGE ORGANIZATIONAL UNIT. 

• Select the organizational unit we created in previous steps, and click CONTINUE. 

• From Google Admin console, go to security > Access and data control > API controls > MANAGE APP ACCESS. 

• Click Configure new app.

• Enter the client ID previously copied, and click SEARCH. 

• The OAuth app associated with the entered client ID, which we generated earlier, should be visible. Click Include organizations. 

• Search for the organizational unit to which we earlier assigned the team members and click SELECT. 

• After selecting the organizational unit, click Continue.

• Select what type of access this app should have to Google data for users in the selected organizational unit, and click Continue. 

• The integration of the app is now completed and ready for use with PureDome.

• Head over to the PureDome console on your browser, navigate to Integrations and Single Sign-On. By choosing Google you will be asked to enter four values as follows:

IDP Name: Any name you want

Client ID: Value copied from Google Admin dashboard

IDP Client Secret: Value copied from Google Admin dashboard

Issuer URL: Created in step 3. 

• After completing all the steps above, you have successfully set up an OIDC application on your Google Admin workspace with SSO enabled for PureDome. 

• Log in to the Google Admin console, and go to API & Services > Library.

• From the Library section, open the Google Workspace Admin SDK API. (If it is not enabled, you will need to enable it first for your workspace)

• From the Admin SDK API page, click on Manage.

• From the Admin SDK API page, click on Credentials. 

• On the credentials page, click Create credentials and then select OAuth client ID.

• On the Create OAuth client ID screen, select Web application as the Application type, and enter a name

• Copy Client ID and Client secret for later use. 

• Once the OAuth application has been created, we need to create a service account. From the credentials screen, click Manage service accounts.

• From the service account screen, click Create service account.

• Enter a service account name and ID, then click Create and continue.

• Once the service account has been created, click on the newly created service account.

• From the service account screen, click Key, then click Add key, and select Create new key.

• You will be asked to select a key type. Select JSON.

• A JSON file will be downloaded to your computer. Save it for later use. Next, from the service account screen, open the Details tab, copy the Client ID, and save it for later use.

• Next, go back to the Google Admin cloud console, and go to Security > Access and data control > API controls.

• From the API controls screen, click Manage Domain Wide Delegation.

• Click Add new, and a popup will open asking you to enter the Client ID and OAuth scopes.

• For the Client ID, enter the Client ID you copied from the service account screen. Under OAuth scopes, enter the following parameters one by one:

https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member

• The SCIM integration on Google Console has been completed. Next, please share the following details with the PureDome Customer Support team in one message:
  • The JSON file you downloaded earlier
  • The email ID associated with your Google Workspace account
  • The SCIM Base URL (generated from PureDome console after enabling SCIM)
  • The OAuth Bearer Token (also generated after enabling SCIM)
• To obtain the SCIM Base URL and OAuth Bearer Token, go to the PureDome console, enable SCIM, and copy the generated values. Then contact the support team, and they will guide you on the secure method to share these details. Once received, our team will complete the remaining steps for SCIM integration from our side.