
Signing up with Google Identity / Google Workspace

Prerequisites

A Google Identity or Google Workspace account and a Google IAM Service Account.

Create a new Service Account

Create Service Account Screen

  • Select the newly created service account, navigate to the Keys tab and click Add Key, select JSON and save the key.

Add Key Screen

  • Keep the Service Account Email, Client ID and the saved key file at hand

  • Visit https://admin.google.com/ac/owl/domainwidedelegation

  • Under API Clients click Add new and fill out the Client ID, add the following scopes, and click Authorize:

    • https://www.googleapis.com/auth/admin.directory.group.readonly
    • https://www.googleapis.com/auth/admin.directory.user.readonly

Add New API Client Screen

Sign Up

Sign Up Screen

  • Fill in the Service Account Email and copy the contents of the downloaded JSON file into the Service Account Config

  • Click the Signup button.

  • Follow the Google login process.

  • You are now signed in to the XplicitTrust admin portal:
    https://console.xplicittrust.com/

Why is a Google IAM Service Account required?

XplicitTrust needs to query the isAdmin attribute and the group membership of users, and to fetch existing user groups for the group import. For this, a service account has to be created that has the following scopes from the Admin SDK API:

| Scope | Description | Reason |
| --- | --- | --- |
| https://www.googleapis.com/auth/admin.directory.group.readonly | Read group information. | Required by the User Groups Import feature, which imports groups from the Google Directory for use in XplicitTrust Policies. |
| https://www.googleapis.com/auth/admin.directory.user.readonly | Read user information. | Required to read the user's isAdmin attribute, which indicates a user with administrator privileges. |
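
A pre-flight check for the values used in the steps above, as an added example that is not part of XplicitTrust's documentation or tooling: it confirms the saved file is a service account key, returns only the Service Account Email and Client ID (never the private key), and compares an authorized scope list against the two read-only scopes in the table. The function names, the comma-separated scope input and the sample values are assumptions made for this example.

```python
import json

# The two read-only Admin SDK scopes this page asks you to authorize.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}
# Fields found in a Google service account JSON key file.
KEY_FIELDS = ("type", "client_email", "client_id",
              "private_key_id", "private_key", "token_uri")


def check_key(key_json: str) -> dict:
    """Validate a service account key; return only its non-secret identifiers."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(key, dict):
        raise ValueError("expected a JSON object")
    if key.get("type") != "service_account":
        raise ValueError("not a service account key (wrong file downloaded?)")
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    # private_key is deliberately left out of anything returned or printed.
    return {"service_account_email": key["client_email"],
            "client_id": key["client_id"]}


def check_scopes(authorized: str) -> dict:
    """Compare a comma-separated scope list with the two required scopes."""
    given = {s.strip() for s in authorized.split(",") if s.strip()}
    return {"missing": sorted(REQUIRED_SCOPES - given),
            "excess": sorted(given - REQUIRED_SCOPES)}


if __name__ == "__main__":
    # Constructed sample key: every value is a placeholder, not a credential.
    sample = json.dumps({
        "type": "service_account",
        "client_email": "xt-directory@example-project.iam.gserviceaccount.com",
        "client_id": "100000000000000000000",
        "private_key_id": "PLACEHOLDER_KEY_ID",
        "private_key": "PLACEHOLDER_PRIVATE_KEY",
        "token_uri": "https://oauth2.googleapis.com/token",
    })
    print(check_key(sample))
    print(check_scopes(",".join(sorted(REQUIRED_SCOPES))))
```

An empty `excess` list means the delegation grants nothing beyond the two read-only scopes; any entry there is access the sign-up does not need.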