Google AD and Single Sign-On

To integrate your Google Workspace with CyberPilot for automated user management and secure Single Sign-On (SSO), you’ll need to set up a few things in the Google Cloud Console

This guide will walk you through the entire setup – from creating a service account to configuring the necessary APIs and OAuth credentials.

By completing these steps, you’ll enable CyberPilot to securely sync user and group data from your Google Workspace environment and allow users to log in to the CyberPilot platform using their Google accounts.

Let’s get started 👇

Part 1: Generate Google Config

To integrate Google Workspace with CyberPilot, you'll need to create a service account in Google Cloud Console. This enables CyberPilot to securely manage users and groups via API.

1. Create a project in Google Cloud Console

1. Go to: https://console.cloud.google.com/

2. Click the project dropdown and select "New Project"

3. Name it (e.g., CyberPilot) and click Create

2. Enable Admin SDK API

1. In your new project, go to APIs & Services > Library

2. Search for Admin SDK

3. Click it, then click Enable

3. Create a Service Account

1. Navigate to IAM & Admin > Service Accounts

2. Click Create Service Account

3. Name it, then click Create and Continue

4. Grant the role: Service Account Token Creator

5. Click Done

4. Generate a Private Key

1. Click on the service account you just created

2. Go to the Keys tab

3. Click Add Key > Create New Key

4. Choose JSON format

This will download a .json file containing:

• client_id
• client_email
• private_key

5. Delegate Domain-Wide Authority

1. Under the service account settings, go to the Details tab

2. Click "Show Domain-Wide Delegation" and enable it

3. Note the Client ID – you’ll need it in the next step

6. Authorize API Access in Google Admin Console

1. Go to: https://admin.google.com (requires super admin)

2. Navigate to: Security > Access and data control > API Controls > Domain-wide Delegation

3. Click "Add new"

4. Enter the Client ID from your service account

5. Add the following scopes:

   1. _{DIRECTORY_USER_READONLY = 'https://www.googleapis.com/auth/admin.directory.user.readonly',}
   2. _{DIRECTORY_GROUPS_READONLY = 'https://www.googleapis.com/auth/admin.directory.group.readonly',}
   3. _{DIRECTORY_GROUP_MEMBERS_READONLY = 'https://www.googleapis.com/auth/admin.directory.group.member.readonly'}

1. Click Save

7. Add Credentials to CyberPilot

Use the .json file you downloaded in Step 4.
Note that the private key from the json file looks like

"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv….

you need to insert only

-----BEGIN PRIVATE KEY-----MIIEv without the \n

Part 2: Configure Google as SSO

This section enables users to log in to CyberPilot using their Google accounts via SSO.

1. Open Google Cloud Console Credentials

1. Go to: https://console.cloud.google.com/apis/credentials

2. Select the same project you created earlier

2. Enable Required APIs

Navigate to APIs & Services > Library, then enable the following:

• Google+ API (sometimes needed for user profile info)

• OAuth2 APIs

• Admin SDK (if needed for directory access)

3. Create OAuth 2.0 Credentials

1. Go to APIs & Services > Credentials

2. Click + Create Credentials > OAuth 2.0 Client ID

3. Select Web application

4. Give it a name (e.g., CyberPilot SSO)

4. Set Redirect URIs

1. Under Authorized redirect URIs, add the URI your app will handle after login.
   Example format:
   https://login.app.cyberpilot.io/realms/*subdomain*/broker/google-sso/endpoint

2. Save and copy credentials. Add to CyberPilot

Do you need further assistance?

You can always contact your Customer Success Manager or write to us on support@cyberpilot.io