Begin Scanning Third-Party Apps on the G Suite Marketplace

Enable SaaS Security API to discover third-party apps that your users attempt to install from G Suite Marketplace.
SaaS Security API can discover third-party apps that your users attempt to install from G Suite Marketplace. To protect your application ecosystem from unsanctioned third-party apps, enable SaaS Security API to scan for them by adding the G Suite Marketplace app. Afterward, you can remediate the risks.
To connect the G Suite Marketplace app to SaaS Security API and begin scanning assets, you need to:
  • Create a service account from Google Cloud Console.
  • Enable Administrator and client API access from Google Admin Console.
  • Add the G Suite Marketplace app to SaaS Security API.
For information on automated remediation capabilities with G Suite Marketplace, refer to Remediate Third-Party Apps.

Create Service Account for G Suite

As you prepare the G Suite account, take note of the following values, as they are required to add the G Suite Marketplace app on SaaS Security API:
  • New Private Key: A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on SaaS Security API when adding the G Suite Marketplace app.
  • Private Key Password: The default password for the new private key.
  • Client ID: The Client ID is entered when enabling G Suite domain-wide delegation, and on SaaS Security API when adding the G Suite Marketplace app.
  • Google Administrator account: The email entered to create a service account in G Suite Marketplace, and on SaaS Security API when adding the G Suite Marketplace app. This administrator account must have Super Admin role permissions.
  1. Log in to Google Cloud Console as a G Suite administrator with Super Admin role permissions.
    If you have not used the Google Cloud Console before, Agree to the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step.
  2. Create a new project from GCP.
    1. At the top of the screen, open your project list, then NEW PROJECT.
    2. Name your project (for example, SaaS Security API GSuite), select your organization (domain), then CREATE the project.
  3. Authorize OAuth consent for the new project.
    1. Select APIs & Services > OAuth consent screen.
    2. Select Internal user type, then CREATE.
    3. Specify an Application name (for example, SaaS Security API) and Support email.
      This is the name that displays on the Third-Party Apps page in SaaS Security web interface.
    4. Specify Authorized domain (the domain name for your Google Administrator email), then SAVE to authorize.
  4. Create the Service Account Key for the new project.
    1. Select APIs & Services > Credentials > CREATE CREDENTIALS.
    2. Select Service account and specify a Service account name (for example, SaaS Security API), which automatically populates the Service account ID, then CREATE > CONTINUE > DONE, authorizing no optional permissions or access.
  5. Enable Domain-wide Delegation for the new service account.
    GCP creates a service account client when domain-wide delegation is enabled on a service account.
    1. Select APIs & Services > Credentials > Manage service accounts.
    2. Locate the service account, then Actions > Edit.
    3. Select Enable G Suite Domain-wide Delegation.
    4. Select ADD KEY > P12, then CREATE without specifying a role.
      After GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
    5. Store the default password and key in a secure location, as the key cannot be recovered if lost.
      SaaS Security API requires this key when you Add G Suite Marketplace App.
  6. Retrieve and save the Client ID for the new service account client.
    1. Select APIs & Services > Credentials > Service Accounts: Manage service accounts.
    2. In Domain wide delegation, click View Client ID, then copy and save the Client ID.
  7. Enable API access for the new service account.
    1. Select the SaaS Security API GSuite project.
    2. Select APIs & Services > + ENABLE APIS AND SERVICES.
    3. Search for and ENABLE the following APIs:
      • Google Drive API
      • Google Admin SDK
      • Google Audit API
  8. Log in to Google Admin Account as the G Suite administrator with Super Admin role permissions.
  9. Enable API client access to G Suite Marketplace.
    1. Select Security > App access control (API Controls) > Domain wide Delegation > MANAGE DOMAIN WIDE DELEGATION.
    2. Click Add new, then specify Client ID and required scopes.
      • In Client Name, enter the Client ID that you saved in 6.
      • In One or More API Scopes, copy and paste the following scopes, then AUTHORIZE access to data in Google services.
        https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/drive.apps.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly
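
An added pre-flight check for the scope string in step 9 (example code, not part of the vendor documentation or product): it compares what was pasted into the delegation entry with the six scopes listed above and reports missing, extra and broken entries. The function names and report keys are illustrative assumptions.

```python
import re

# Scopes the page tells you to authorize in step 9 (copied from the page).
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.apps.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
})


def parse_scopes(raw):
    """Split a pasted scope field on commas and whitespace, dropping empties."""
    return [tok for tok in re.split(r"[,\s]+", raw) if tok]


def audit_delegation(raw):
    """Compare a pasted scope string with the required set.

    missing   -> required scopes that were not granted
    extra     -> granted scopes the page does not ask for (over-delegation)
    broad     -> extras not marked .readonly (heuristic for wider access)
    malformed -> tokens that are not https:// URLs (usually a broken paste)
    """
    granted = set(parse_scopes(raw))
    malformed = sorted(s for s in granted if not s.startswith("https://"))
    extra = sorted(granted - REQUIRED_SCOPES - set(malformed))
    report = {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "extra": extra,
        "broad": [s for s in extra if not s.endswith(".readonly")],
        "malformed": malformed,
    }
    report["ok"] = not (report["missing"] or extra or malformed)
    return report


if __name__ == "__main__":
    # Constructed sample: one scope wrapped mid-URL by a copy/paste,
    # plus full Drive access that the page does not ask for.
    pasted = ", ".join(sorted(REQUIRED_SCOPES)).replace("apps.readonly", "apps.\nreadonly")
    pasted += ",https://www.googleapis.com/auth/drive"
    for key, value in audit_delegation(pasted).items():
        print(key, value)
```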

Add G Suite Marketplace App

Before you add the G Suite Marketplace app, you must Create Service Account for G Suite.
  1. On the Dashboard, Add a Cloud App.
  2. Select G Suite Marketplace, then Connect to Account.
  3. Enter the Google Administrator Email (with Super Admin role permissions) and the Client ID that you saved in 6.b.
  4. Upload the P12 Certificate GCP issued in 5.d.
  5. Click OK to add the cloud app.
    • When you successfully install the cloud app, an App installed message displays and G Suite Marketplace app displays in the Cloud Apps list.
    • If you receive an Unable to perform this operation error, fix the issue.
    After authentication, SaaS Security API adds the new G Suite Marketplace app to the Cloud Apps list as G Suite Marketplace n, where n is the number of G Suite Marketplace app instances that you have connected to SaaS Security API. For example, if you added one G Suite Marketplace app, the name displays as G Suite Marketplace 1. You’ll specify a descriptive name soon.
    From this point forward, keep this project exclusively for SaaS Security API. Do not revoke, disable authorization, or change the project in any way. If you do, SaaS Security API stops scanning.

Customize G Suite Marketplace App

If you plan to manage more than one instance of G Suite Marketplace app, consider differentiating your instances.
  1. (Optional) Give a descriptive name to this app instance.
  2. Select the G Suite Marketplace n link on the Cloud Apps list.
  3. Enter a descriptive Name.
  4. Click Done to save your changes.

Identify Risks

  1. Start scanning to begin discovery.
    During the discovery phase, SaaS Security API scans for third party apps and the users that are using them. Even in the unusual case that none of your end users have installed a third party app, SaaS Security API still displays:
    • G Suite Administrator as a Top User.
    • G Suite as one of the Unclassified third party apps. You can Approve it, but you cannot Block it.

Fix G Suite Marketplace Issues

The most common or most important issues related to adding a G Suite Marketplace app are as follows:
Symptom: When you add the G Suite Marketplace app in SaaS Security API, you receive an operation error: Unable to perform this operation.
Explanation: SaaS Security API requires that the combination (client ID, email, and key) be accurate. If any one of those requirements is incorrect, SaaS Security API cannot authenticate and displays the same error. When SaaS Security API returns the error, the SaaS Security web interface displays the email and clears the sensitive fields (client ID and P12 Certificate).
Solution: Verify that all three requirements are accurate. The Google Admin account must have Super Admin role permissions. Also, make sure you’re uploading the correct key. Lastly, verify that all three APIs are enabled as outlined in 7.

Symptom: Your onboarding and initial discovery went smoothly, but SaaS Security API is no longer discovering third party apps that you know were installed. SaaS Security web interface does not display an error and the Cloud Apps list indicates Monitoring.
Explanation: This issue can occur when an admin unintentionally disables API access or changes the SaaS Security API G Suite project on GCP. SaaS Security API depends on such authorization and immediately stops working when access is revoked.
Solution: As outlined in 1, do not change the project. If you reauthenticate and SaaS Security API cannot authenticate, the cause is likely a change to your project. If so, you’ll need to repeat the onboarding process.
