Product: SAT
Environment: Google Suite
Summary: Google Workspace Integration - How to connect Google Directories to SAT.
Step 1: Create an Integration Provider
First, you will need to create an integration connection with Google.
- Sign in to your Huntress Security Awareness Training (SAT) account and navigate to Integration Providers by clicking “Settings” in the top navigation and then clicking “Providers” in the left navigation.
- Click “+ Add a provider”
- Select the “Connect” link in the Google tile.
- Choose your Permission method
Group Sync Only (OAuth-Based Integration Method) limits the permissions granted and, with them, the product’s capabilities. It is recommended only when your organization’s policy requires a limited scope. Continue to the setup directions for the OAuth-Based Integration Method.
Full Permissions (API Insertion) lets you choose between traditional email delivery of messages and API insertion of messages. API insertion bypasses email filters and transport rules, and allows additional branding with sender customization for transactional messages. Continue to the setup directions for the API Insertion Method (BETA).
NOTE: This method is currently in BETA.
Regardless of which option you choose, this integration does not give Huntress the ability to read email messages. Once the integration is set up, we will deposit messages and automatically mark any domains associated with your Google account as verified.
Step 2, Option A: OAuth-Based Integration Method (Current Method)
- Log in with your Google Admin account.
- Authenticate with your Google account and click “Accept” on the Permissions requested.
Note: If you receive an admin policy enforced error, follow the steps below in Google:
1. Go to Security > API Controls > App Access Control.
2. Click on Configure New App.
3. Select OAuth App Name or Client ID from the dropdown menu.
4. Type Security Awareness Training or Curricula.
5. Click each one until you find the one that has the same Client ID that is showing up in the error message.
Step 2, Option B: Full Permissions Setup Instructions with API Insertion (BETA)
- Navigate to admin.google.com
- In the Admin console, expand the Security section
- Click Overview
- Select the API controls section
- In the Domain wide delegation section, click the Manage Domain Wide Delegation button.
- Click the Add new button.
- In the Client ID field, enter "116781869770043848400".
- In the OAuth Scopes field, enter "https://www.googleapis.com/auth/gmail.insert".
- Click the Authorize button.
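A check an administrator can run after authorizing, to confirm the delegation entry carries only the scope this page specifies and nothing that grants read access. This is an added example, not Huntress or Google code; it assumes the entries were copied by hand from the Manage Domain Wide Delegation list into the dictionary format shown, and the function names and sample data are hypothetical.

```python
import re

# Values from Step 2, Option B of this page.
EXPECTED_CLIENT_ID = "116781869770043848400"
EXPECTED_SCOPES = {"https://www.googleapis.com/auth/gmail.insert"}


def parse_scopes(field):
    """Split an OAuth Scopes field (comma- or whitespace-separated) into a set."""
    return {s for s in re.split(r"[,\s]+", field.strip()) if s}


def audit_delegation(entries):
    """Return findings for the SAT entry; an empty list means it matches the page."""
    matches = [e for e in entries if e["client_id"].strip() == EXPECTED_CLIENT_ID]
    if not matches:
        return ["missing entry for client ID " + EXPECTED_CLIENT_ID]
    findings = []
    for entry in matches:
        scopes = parse_scopes(entry["scopes"])
        # Anything beyond gmail.insert widens what the delegated client can do.
        findings += ["excess scope: " + s for s in sorted(scopes - EXPECTED_SCOPES)]
        findings += ["missing scope: " + s for s in sorted(EXPECTED_SCOPES - scopes)]
    return findings


# Constructed sample data (hypothetical transcription format, not a Google export).
AS_DOCUMENTED = [{"client_id": "116781869770043848400",
                  "scopes": "https://www.googleapis.com/auth/gmail.insert"}]
OVER_SCOPED = [{"client_id": "116781869770043848400",
                "scopes": "https://www.googleapis.com/auth/gmail.insert, "
                          "https://www.googleapis.com/auth/gmail.readonly"}]

if __name__ == "__main__":
    for name, sample in (("as documented", AS_DOCUMENTED), ("over-scoped", OVER_SCOPED)):
        print(name, "->", audit_delegation(sample) or "OK")
```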
Step 3: Map an SAT Group to your Google Directory
This is a mandatory step to set up a group sync.
- If you aren’t automatically sent to the group setup step after connecting your SAT account to Google, click “+ Connect a group” on the Providers detail page.
- Choose whether you want to connect to an existing SAT group or create a new one. Please note that the ‘Staff’ group is created by default in all SAT accounts, and there is a one-to-one mapping between an SAT group and a Google mapping.
- Configure the group settings
- Optional: Choose whether you want to sync all learners from G Suite, or a dedicated group of learners from your directory.
- We recommend the following settings:
  - Enabled:
    - “Automatic Daily Sync” - This setting will schedule updates every 24 hours to keep your learner list up-to-date.
    - Attribute Options - Unless there are fields you explicitly want to ignore, we recommend leaving them all enabled.
    - Set non-present learners to "Inactive" status - If you ever delete identities in Google Directory without setting them as “Inactive,” this setting will detect that and set learners who no longer appear in Active Directory as “Inactive.”
    - Create Departments as needed - This will automatically create Departments in the SAT platform once they are seen as part of the sync.
  - Disabled:
    - Set present learners to "Active" status - When this setting is enabled, Curricula will ignore your resource’s “status” field when syncing users. Any users present in your resource will be set to “Active” status in the Curricula app after the sync is complete, even if they are marked as inactive or suspended in your directory.
- Click “Preview & Sync” for stats and detailed information, under the Log tab, about how identities would be impacted.
- If everything looks correct, click “Apply Manual Sync.”
- After this initial sync, you can view results or download a CSV sync record under the Log tab.
- By running the manual sync, you have completed the configuration and have saved your changes. You can return to Settings -> Integrations -> Provider to add more groups within the sync or modify settings.