Google Workspace SCIM Provisioning

Provision Argus users from Google Workspace via SCIM 2.0. Automatic group sync, required attributes (email, displayName, active), and real-time deprovisioning.

About this guide

This guide walks through the complete setup process. Expected completion time: 5-10 minutes.

Overview

Google Workspace SCIM provisioning syncs users and groups from Workspace to Argus. When an account is suspended, archived, or removed in Workspace, that user's Argus access is revoked automatically. Optional OU-level scope lets you limit provisioning to specific departments.

Prerequisites

  • Argus Enterprise plan
  • Google Workspace Super Admin role
  • SCIM provisioning enabled in the Workspace Admin Console

Step-by-Step Setup

Step 1: Create the SCIM provider in Argus

  • Argus > Enterprise > Directory Sync > Add Directory Provider
  • Provider Name: 'Google Workspace Production' or similar
  • Provider Type: Google Workspace
  • Argus displays the SCIM base URL and a one-time bearer token

Step 2: Add Argus as a SCIM app in Workspace

  • Google Admin Console > Apps > Web and mobile apps > Add app > Add custom SAML app
  • Follow the SAML SSO guide first to complete the SAML side
  • After SAML is saved, go to User provisioning and click Get started

Step 3: Configure SCIM endpoints in Workspace

  • Endpoint URL: paste the SCIM base URL from Argus
  • Access token: paste the one-time bearer token from Argus
  • Click Test connection; expect a success response

Step 4: Set scope and attribute mapping

  • Scope: select the OUs or groups that should be provisioned into Argus
  • Attribute mapping: ensure email, givenName, familyName, active map to the SCIM equivalents
  • Click Continue, review, and turn provisioning ON

Verification

To confirm the integration is configured correctly:

  • Test connection returns a success status and the expected service name
  • Adding a user to the provisioned OU surfaces them in Argus within 1 minute
  • Suspending an account in Workspace immediately revokes Argus sessions
  • Workspace provisioning logs show no attribute mapping errors

Troubleshooting

Issue: Users in a specific OU are not provisioning.

  • Solution: Either the OU is not in the app's scope, or the users lack the required attributes (first name, last name, email). Check Workspace Admin Console > Apps > Cremit Argus > User provisioning > Scope.
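
For the missing-attribute case above, a pre-flight check over SCIM User payloads shows which accounts would be held back and why. This is an added example, not Cremit's or Google's code: the function names and sample users are constructed, the attribute paths follow the SCIM 2.0 core User schema (RFC 7643), and the required set is taken from Step 4 as an assumption about what Argus enforces.

```python
# Added example. Attribute paths follow the SCIM 2.0 core User schema (RFC 7643);
# that Argus requires exactly the Step 4 set (names, email, active) is an assumption.

def primary_email(user):
    """Return the primary email value, else the first non-empty one, else None."""
    emails = [e for e in user.get("emails") or [] if isinstance(e, dict) and e.get("value")]
    chosen = [e for e in emails if e.get("primary") is True] or emails
    return chosen[0]["value"] if chosen else None

def missing_attributes(user):
    """List the mapped attributes that are absent or empty in a SCIM User."""
    missing = []
    name = user.get("name") or {}
    for field in ("givenName", "familyName"):
        if not str(name.get(field) or "").strip():
            missing.append("name." + field)
    if primary_email(user) is None:
        missing.append("emails")
    # 'active' must be a real boolean; a missing or string value is ambiguous.
    if not isinstance(user.get("active"), bool):
        missing.append("active")
    return missing

def triage(users):
    """Sort users into provision, deprovision (active=false) and rejected."""
    report = {"provision": [], "deprovision": [], "rejected": {}}
    for user in users:
        key = user.get("userName") or "<no userName>"
        gaps = missing_attributes(user)
        if gaps:
            report["rejected"][key] = gaps
        else:
            report["provision" if user["active"] else "deprovision"].append(key)
    return report

# Constructed sample payloads (not real accounts).
SAMPLE_USERS = [
    {"userName": "alice@example.com", "active": True,
     "name": {"givenName": "Alice", "familyName": "Ng"},
     "emails": [{"value": "alice@example.com", "primary": True}]},
    {"userName": "bob@example.com", "active": True,
     "name": {"givenName": "Bob", "familyName": ""},
     "emails": [{"value": "bob@example.com"}]},
    {"userName": "carol@example.com", "active": False,
     "name": {"givenName": "Carol", "familyName": "Diaz"},
     "emails": [{"value": "carol@example.com", "primary": True}]},
    {"userName": "dave@example.com", "active": "true",
     "name": {"givenName": "Dave", "familyName": "Okoro"}, "emails": []},
]
```

Accounts listed under `rejected` are the ones to correct in Workspace; if that list is empty, the OU scope is the more likely cause.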

Issue: SCIM connection works but no events fire.

  • Solution: Make sure provisioning is set to ON after initial configuration. Workspace starts in 'Test only' mode until you explicitly enable it.

Key Benefits

  • Automatic deprovisioning on Workspace suspend closes offboarding gaps
  • OU-scoped provisioning keeps personal or contractor accounts out
  • Works hand-in-hand with the Google Workspace SAML provider for full SSO + SCIM
  • Workspace audit log + Argus audit log give you a two-sided paper trail