Google Workspace Employee Directory Integration enables you to synchronise your Google Workspace directories to your CanIPhish account. When an employee is added to a Workspace Group, that employee will automatically be synchronised to the relevant CanIPhish employee listings. This document describes how to synchronise Workspace Groups to CanIPhish. This will automate the process of adding or removing employees from phishing and security awareness training campaigns.
Note: It is required to have a Google Workspace Account.
Integrating with CanIPhish
To integrate your Google Workspace Directory with CanIPhish, log in to your account and navigate to Employees > Directory Sync.
Click Google Workspace and then input a unique Directory Name. Once provided, click Sync Directory.
If your browser doesn't already have an active Google session, you'll be prompted to login via the Google login portal. Once signed in, you'll be prompted to authorise the CanIPhish Google Client to access several APIs within your Google account. Make sure all scopes are ticked and then click 'Continue' to authorise the access.
Note: Access to all scopes is required to successfully setup the integration. Click here to understand in further detail what information we're accessing.
Once authorised, you'll be immediately redirected to the CanIPhish Employees page and notified on the status of the integration. You should observe a success notification on the top right hand side of your screen, along with directory being visible as 'Active'.
Once synchronised, you will be able to create a new employee listing that leverages security groups within that directory. To setup your first employee listing, exit the directory synchronisation view and click on New Employee List.
Specify an Employee List Name, click on Import From Directory and select the Directory synced in the previous step. Wait up to 30 seconds for the Directory Groups to load and then select one or more Groups for CanIPhish to sync with and then click Sync Directory.
Note: For Google Workspace integrations, the Directory Attribute Mapping cannot be changed. If this negatively impacts your organisation, please contact CanIPhish and we'll be happy to investigate this.
Once synchronised your employees will appear in the table beneath the sync button. When happy that the required employees have been synchronised with CanIPhish, simply click Save.
All done!!! CanIPhish will synchronise any changes in your directory groups to your CanIPhish employee listing every 24 hours. To action changes earlier than that, simply manually update the employee listing and resynchronise the directory group across.
Appendix: Additional Information on Google API Scopes
We'll be accessing APIs that allow us to read information relating to directory groups, group members and individual employees. Additionally, we'll read information from your google profile so we can determine what user has authorised the API access, which will then be readable within your CanIPhish tenant. The below table outlines the scopes we're accessing in detail:
DirectoryService.Scope.AdminDirectoryUserReadonly
Provides CanIPhish with access to read employee information such as first names, last names, email addresses, organisation names and job titles. All of which are used to personalise phishing campaigns and make them appear realistic.
DirectoryService.Scope.AdminDirectoryGroupReadonly
Provides CanIPhish with access to read group information such as group names and IDs. This is used to provide you with the option of targeting a subset of users within your environment.
DirectoryService.Scope.AdminDirectoryGroupMemberReadonly
Provides CanIPhish with access to read group member information such as email addresses of users associated to a group. This information is used to determine what user information needs to be read.
PeopleServiceService.Scope.UserinfoProfile
Provides CanIPhish with access to read the first name and last name of the user authorising the CanIPhish client application.
PeopleServiceService.Scope.UserinfoEmail
Provides CanIPhish with access to read the primary email address of the user authorising the CanIPhish client application.
Comments
0 comments
Please sign in to leave a comment.