
Google Workspace Provisioning

Once Google Workspace is connected to TheStorage, your directory drives the user list. New hires appear in TheStorage shortly after they land in the chosen organisational unit, profile updates flow through on the next sync, and offboarded employees are deactivated without anyone clicking a button.

The integration runs over SCIM 2.0. Google Workspace exposes the SCIM endpoint through the Auto-provisioning feature on custom apps, so this guide first creates a stub custom app, then layers provisioning on top. Plan on about 15 minutes for the full walkthrough.

Requirements

  • A Super Admin account in your Google Workspace tenant.
  • A TheStorage user with the Administrator role (needed to enable SCIM and copy the bearer token).
  • A Google Workspace edition that includes automated user provisioning (currently Business Plus, Enterprise, Education Standard, or higher).

Step 1: Enable SCIM in TheStorage

  1. Sign in to TheStorage and open Settings > User Provisioning.

  2. Toggle SCIM provisioning on. A dialog appears with a one-time bearer token.

  3. Click Copy and store the token somewhere safe, such as a password manager, or paste it straight into the Access token field in Step 3. TheStorage only keeps a hash, so once the dialog closes the raw value is gone for good. The only way to get a usable token again is to regenerate it, which invalidates the previous one.

  4. Copy the Tenant endpoint URL shown below the token. It looks like:

    https://service.thestorage.app/api/<your-tenant>/scim/v2

    Keep both values to hand for Step 3, where you paste them into Google Admin.
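How hash-only token storage behaves, as an added example that is not TheStorage's code. The class name, the tenant slug and the choice of SHA-256 are assumptions; the page only states that a hash is kept and that regenerating invalidates the old token.

```python
import hashlib
import hmac
import secrets


class ScimTokenStore:
    """Hypothetical server-side store: one token hash per tenant, never the raw token."""

    def __init__(self):
        self._hashes = {}  # tenant slug -> digest of the current token

    @staticmethod
    def _digest(token):
        # A fast hash is acceptable only because the token is long and random,
        # unlike a human-chosen password.
        return hashlib.sha256(token.encode()).digest()

    def issue(self, tenant):
        """Create or regenerate the token. The raw value is returned exactly once."""
        token = secrets.token_urlsafe(32)
        self._hashes[tenant] = self._digest(token)  # replaces any earlier hash
        return token

    def verify(self, tenant, authorization_header):
        """Check an 'Authorization' header value of the form 'Bearer <token>'."""
        scheme, _, presented = authorization_header.partition(" ")
        stored = self._hashes.get(tenant)
        if scheme.lower() != "bearer" or stored is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, self._digest(presented))
```
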

Step 2: Create a Custom App in Google Admin

  1. Sign in to admin.google.com with your Super Admin account.

  2. Navigate to Apps > Web and mobile apps.

  3. Click Add app > Add custom SAML app.

    Why a SAML app?

    Google requires a SAML app as the host for SCIM auto-provisioning, even when you don't plan to use single sign-on. The SAML fields you fill in below are just placeholders so Google lets you save — TheStorage never reads them, and you can ignore the SAML certificate Google offers.

  4. Enter TheStorage SCIM Provisioning as the App name and click Continue.

  5. On the Google Identity Provider details page, click Continue without changing anything — these values are only used if you also enable SSO.

  6. On the Service provider details page, fill in placeholder values so Google lets you save:

    Field             Value
    ACS URL           https://service.thestorage.app/
    Entity ID         thestorage
    Name ID format    EMAIL
    Name ID           Basic Information > Primary email

    Click Continue, skip the optional attribute mapping page, and click Finish.

Step 3: Activate Auto-Provisioning

  1. Back on the Web and mobile apps list, open the TheStorage SCIM Provisioning app you just created and click Auto-provisioning > Configure auto-provisioning.

  2. Paste the credentials saved in Step 1:

    Field           Value
    API endpoint    The Tenant endpoint URL from Step 1, item 4
    Access token    The bearer token from Step 1, item 3

  3. Click Continue. Google fires a test request at the endpoint, and a green Connection successful banner confirms TheStorage accepted the token. If the test fails, the usual suspects are a trailing slash on the endpoint URL, the wrong tenant slug, or a stale token — re-paste a fresh copy and try again.

Step 4: Map Attributes

  1. Google pre-fills sensible defaults for the standard SCIM attributes. Confirm at least the following map onto TheStorage's expected fields:

    Google attribute       SCIM attribute
    Primary email          userName
    Primary email          emails[type eq "work"].value
    First name             name.givenName
    Last name              name.familyName
    Display name           displayName
    Job title              title
    Department             department
    Suspended (negated)    active

    Click Continue once the mapping matches the table.

Step 5: Assign Users

  1. On the Provisioning scope page, choose which users Google should push:

    • All users — every active member of your Google Workspace tenant. Useful for small organisations.
    • Selected organizational units — limit to specific OUs. Recommended for staged rollouts.
    • Selected groups — limit to one or more Google groups.
  2. On the Deprovisioning page, decide what Google should do when a user falls out of scope. We recommend Suspend immediately, delete after 24 hours: TheStorage will mark the user as inactive on the first sync and remove them on the second, giving you a 24-hour window to undo if someone gets unassigned by mistake.

Step 6: Turn Provisioning On

  1. Click Finish, then toggle Auto-provisioning status to Active on the app's overview page.

  2. Google runs the first sync within a few minutes. Open Auto-provisioning logs to track progress; each user should reach the status Success.

  3. Open TheStorage's Users page and confirm the assigned users now appear with the Google Workspace badge on each row.

From here on, Google runs an incremental sync every few hours. If you've just changed a mapping and want to see the result without waiting, click Sync now on the app's auto-provisioning page.
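A way to check the result of a sync against the Step 4 mapping, as an added example that is not part of TheStorage or Google tooling. It assumes you already hold a list of directory users and a list of SCIM 2.0 User resources; the export field names, the function names and the sample accounts are constructed for illustration.

```python
import re

# Step 4 table as (export field, SCIM path). The export field names are assumed
# for this example; the SCIM paths are the ones listed in the table.
STEP4_MAPPING = [
    ("primary_email", "userName"), ("primary_email", 'emails[type eq "work"].value'),
    ("first_name", "name.givenName"), ("last_name", "name.familyName"),
    ("display_name", "displayName"), ("job_title", "title"), ("department", "department"),
]
_FILTERED = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')

def resolve(resource, path):
    """Read a SCIM path such as name.givenName or emails[type eq "work"].value."""
    m = _FILTERED.match(path)
    if m:
        attr, wanted, sub = m.groups()
        hits = [i.get(sub) for i in resource.get(attr, []) if i.get("type") == wanted]
        return hits[0] if hits else None
    node = resource
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def drift(google_users, scim_users):
    """Return (user, finding, value seen on the SCIM side) for each mismatch."""
    remaining = {u["userName"].lower(): u for u in scim_users}
    out = []
    for g in google_users:
        email = g["primary_email"].lower()
        s = remaining.pop(email, None)
        if s is None:
            if not g["suspended"]:  # in scope but never provisioned
                out.append((email, "missing", None))
            continue
        if s.get("active") != (not g["suspended"]):  # "Suspended (negated)"
            out.append((email, "active", s.get("active")))
        out += [(email, p, resolve(s, p)) for f, p in STEP4_MAPPING
                if resolve(s, p) != g.get(f)]
    # Accounts still active with no directory entry behind them.
    out += [(n, "orphan", True) for n, u in remaining.items() if u.get("active")]
    return out

# Constructed sample data, not real accounts.
GOOGLE = [{"primary_email": e, "suspended": s} for e, s in [
    ("alice@example.com", False), ("bob@example.com", True),
    ("carol@example.com", False)]]
SCIM = [{"userName": e, "active": True, "emails": [{"type": t, "value": e}]}
        for e, t in [("alice@example.com", "work"), ("bob@example.com", "home"),
                     ("dave@example.com", "work")]]
```

On the sample data `drift(GOOGLE, SCIM)` flags the suspended user who is still active, the missing work email, the unprovisioned user and the orphaned account. `resolve` also handles the `photos[type eq "photo"].value` path from Step 7.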

Step 7 (Optional): Provision Profile Photos

Unlike Entra, Google's custom-app SCIM mapping does expose a Profile photo attribute, so a single extra mapping is enough to keep avatars in sync with each user's Google profile.

  1. Open the TheStorage app in Google Admin and click Auto-provisioning > Manage provisioning.

  2. Scroll to the bottom of the attribute mapping list and click Add mapping.

  3. Configure:

    Field               Value
    Google attribute    Profile photo URL
    SCIM attribute      photos[type eq "photo"].value
    Multi-valued        enabled

  4. Click Save, then Sync now to push the change immediately. Pick a test user with a photo in their Google profile and open their record in TheStorage — the avatar should land within one sync cycle.

Users with no Google profile photo are left with whatever avatar they uploaded in TheStorage, so the mapping never overwrites a manually-set image with an empty one.