
Signing up with Google Identity / Google Workspace

Prerequisites

A Google Identity or Google Workspace account and a Google IAM Service Account.

Create a new Service Account

Create Service Account Screen

  • Select the newly created service account, navigate to the Keys tab and click Add Key, select JSON and save the key.

Add Key Screen

  • Visit https://admin.google.com/ac/owl/domainwidedelegation

  • Under API Clients click Add new, paste the service account's Client ID (visible on the service account's detail page in Google Cloud, or as the client_id field in the downloaded JSON file), add the following scopes, and click Authorize:

    • https://www.googleapis.com/auth/admin.directory.group.readonly
    • https://www.googleapis.com/auth/admin.directory.user.readonly

Add New API Client Screen

  • Pick (or create) a Google Workspace user with admin privileges sufficient to read users and groups. You will enter this user's email address as the Service Account User during signup — the service account does not have a Workspace identity itself, so it impersonates this admin user via Domain-Wide Delegation when calling the Admin SDK.

Sign Up

Sign Up Screen

  • Fill in the email address of the Workspace admin user from the previous step as the Service Account User, and upload the downloaded JSON key file as the Service Account Config.

  • Click the Signup button.

  • Follow the Google login process.

  • You are now signed in to the XplicitTrust admin portal:
    https://console.xplicittrust.com/

Why is a Google IAM Service Account required?

To allow XplicitTrust to query the isAdmin attribute and the group membership of users, and to fetch existing user groups for the group import, a service account has to be created and authorized for the following scopes of the Admin SDK API:

| Scope | Description | Reason |
| --- | --- | --- |
| https://www.googleapis.com/auth/admin.directory.group.readonly | Read group information. | Required by the User Groups Import feature, which allows importing groups from the Google Directory for use in XplicitTrust Policies. |
| https://www.googleapis.com/auth/admin.directory.user.readonly | Read user information. | Required to read the user's isAdmin attribute, which indicates a user with administrator privileges. |
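To make the delegation mechanism concrete, the following added example (not XplicitTrust's code, and not code from Google's libraries) builds the claims of the OAuth 2.0 JWT bearer assertion that a service account uses under Domain-Wide Delegation: `iss` is the service account, `sub` is the Workspace admin being impersonated, and `scope` is exactly the two read-only scopes from the table. It also checks the downloaded JSON key for the fields this flow needs and refuses any scope beyond the read-only pair. The key contents, the admin address and the timestamp are constructed sample values; RS256 signing of the assertion with `private_key` is left to a library such as google-auth.

```python
import base64
import json

# The two read-only Admin SDK scopes authorized for the service account's
# client ID in the Domain-Wide Delegation screen (from the page).
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
)
TOKEN_URI = "https://oauth2.googleapis.com/token"

# Constructed sample of a downloaded service account key (all values fake).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "xplicittrust-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "token_uri": TOKEN_URI,
})


def load_key(key_json: str) -> dict:
    """Parse the JSON key and verify the fields delegation relies on."""
    key = json.loads(key_json)
    missing = [f for f in ("client_email", "client_id", "private_key") if f not in key]
    if key.get("type") != "service_account" or missing:
        raise ValueError(f"not a usable service account key, missing: {missing}")
    return key


def check_scopes(scopes) -> None:
    """Least privilege: refuse anything beyond the two read-only scopes."""
    extra = set(scopes) - set(REQUIRED_SCOPES)
    if extra:
        raise ValueError(f"scopes exceed read-only delegation: {sorted(extra)}")


def delegation_claims(key: dict, admin_user: str, now: int) -> dict:
    """Claims the service account signs to act as admin_user (the 'sub')."""
    check_scopes(REQUIRED_SCOPES)
    return {"iss": key["client_email"], "sub": admin_user,
            "scope": " ".join(REQUIRED_SCOPES),
            "aud": key.get("token_uri", TOKEN_URI), "iat": now, "exp": now + 3600}


def unsigned_jwt(claims: dict) -> str:
    """header.payload of the assertion; the RS256 signature is added by a
    signing library using private_key and is not produced here."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "RS256", "typ": "JWT"}) + "." + b64(claims)
```

The `client_id` returned by `load_key` is the value pasted into the API Clients screen; if `check_scopes` raises, the delegation grant is wider than what the signup needs.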