Begin Scanning Third-Party Apps on the G Suite Marketplace
Enable SaaS Security API to discover third-party apps that your users attempt to install from G Suite Marketplace.
SaaS Security API can discover third-party apps that your users attempt to install from G Suite Marketplace. To protect your application ecosystem from unsanctioned third-party apps, enable SaaS Security API to scan for them by adding the G Suite Marketplace app. Afterward, you can remediate the risks.
To connect the G Suite Marketplace app to SaaS Security API and begin scanning assets, you need to:
- Create a service account from Google Cloud Console.
- Enable Administrator and client API access from Google Admin Console.
- Add the G Suite Marketplace app to SaaS Security API.
For information on automated remediation capabilities with G Suite Marketplace, refer to Remediate Third-Party Apps.
Create Service Account for G Suite
As you prepare the G Suite account, take note of the following values, as they are required to add the G Suite Marketplace app on SaaS Security API:
New Private Key
A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on SaaS Security API when adding the G Suite Marketplace app.
Private Key Password
The default password for the new private key.
Client ID
The Client ID is entered when enabling G Suite domain-wide delegation, and on SaaS Security API when adding the G Suite Marketplace app.
Google Administrator account
The email entered to create a service account in G Suite Marketplace, and on SaaS Security API when adding the G Suite Marketplace app. This administrator account must have Super Admin role permissions.
1. Log in to Google Cloud Console as a G Suite administrator with Super Admin role permissions. If you have not used the Google Cloud Console before, Agree to the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step.
2. Create a new project from GCP.
   a. At the top of the screen, open your project list, then select NEW PROJECT.
   b. Name your project (for example, SaaS Security API GSuite), select your organization (domain), then CREATE the project.
3. Authorize OAuth consent for the new project.
   a. Select APIs & Services > OAuth consent screen.
   b. Select Internal user type, then CREATE.
   c. Specify an Application name (for example, SaaS Security API) and Support email. This is the name that displays on the Third-Party Apps page in SaaS Security web interface.
   d. Specify Authorized domain (the domain name for your Google Administrator email), then SAVE to authorize.
4. Create the Service Account Key for the new project.
   a. Select APIs & Services > Credentials > CREATE CREDENTIALS.
   b. Select Service account and specify a Service account name (for example, SaaS Security API), which automatically populates the Service account ID, then CREATE > CONTINUE > DONE, authorizing no optional permissions or access.
5. Enable Domain-wide Delegation for the new service account. GCP creates a service account client when domain-wide delegation is enabled on a service account.
   a. Select APIs & Services > Credentials > Manage service accounts.
   b. Locate the service account, then Actions > Edit.
   c. Select Enable G Suite Domain-wide Delegation.
   d. Select ADD KEY, then P12 and CREATE without specifying a role. After GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
   e. Store the default password and key in a secure location, as the key cannot be recovered if lost.
6. Retrieve and save the Client ID for the new service account client.
   a. Select APIs & Services > Credentials > Service Accounts: Manage service accounts.
   b. In Domain wide delegation, click View Client ID, then copy and save the Client ID.
7. Enable API access for the new service account.
   a. Select the SaaS Security API GSuite project.
   b. Select APIs & Services > + ENABLE APIS AND SERVICES.
   c. Search for and ENABLE the following APIs:
      - Google Drive API
      - Google Admin SDK
      - Google Audit API
8. Log in to Google Admin Account as the G Suite administrator with Super Admin role permissions.
9. Enable API client access to G Suite Marketplace.
   a. Select Security > App access control (API Controls) > Domain wide Delegation > MANAGE DOMAIN WIDE DELEGATION.
   b. Click Add new, then specify Client ID and required scopes.
      - In Client Name, enter the Client ID that you saved in 6.
      - In One or More API Scopes, copy and paste the following scope, then AUTHORIZE access to data in Google services.
        https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/drive.apps.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly
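A check for the domain-wide delegation grant made above, as an added example that is not part of the original procedure: it compares the scopes authorized for a client ID with the six scopes listed above and reports missing, extra and malformed entries. The function names, the sample client ID and the sample grant are constructed for illustration.

```python
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/userinfo.email,"
    "https://www.googleapis.com/auth/userinfo.profile,"
    "https://www.googleapis.com/auth/drive.apps.readonly,"
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.user.security,"
    "https://www.googleapis.com/auth/admin.reports.audit.readonly"
)
SCOPE_PREFIX = "https://www.googleapis.com/auth/"

def parse_scopes(raw):
    """Split a pasted scope string on commas/whitespace; drop blanks and duplicates."""
    parts = raw.replace(",", " ").split()
    return list(dict.fromkeys(parts))  # keeps first-seen order

def audit_grant(client_id, granted_raw, expected_client_id):
    """Compare one delegation entry with what the procedure asks for."""
    required = parse_scopes(REQUIRED_SCOPES)
    granted = parse_scopes(granted_raw)
    findings = {
        "client_id_ok": client_id.strip() == expected_client_id.strip(),
        # Scopes from the procedure that the grant lacks.
        "missing": [s for s in required if s not in granted],
        # Scopes the grant carries beyond the procedure (wider key reach).
        "extra": [s for s in granted if s not in required],
        # Entries that are not scope URLs at all (typos, stray text).
        "malformed": [s for s in granted if not s.startswith(SCOPE_PREFIX)],
        # Granted scopes whose name does not end in .readonly, for review.
        "not_readonly": [s for s in granted
                         if s.startswith(SCOPE_PREFIX) and not s.endswith(".readonly")],
    }
    findings["ok"] = (findings["client_id_ok"] and not findings["missing"]
                      and not findings["extra"] and not findings["malformed"])
    return findings

# Constructed sample: pasted with line breaks and a trailing comma, with
# drive.apps.readonly swapped for the broader drive scope and the audit
# scope dropped. The client ID is a made-up placeholder.
SAMPLE_CLIENT_ID = "100000000000000000001"
SAMPLE_GRANT = """https://www.googleapis.com/auth/userinfo.email,
 https://www.googleapis.com/auth/userinfo.profile,
 https://www.googleapis.com/auth/drive,
 https://www.googleapis.com/auth/admin.directory.user.readonly,
 https://www.googleapis.com/auth/admin.directory.user.security,"""

if __name__ == "__main__":
    for key, value in audit_grant(SAMPLE_CLIENT_ID, SAMPLE_GRANT, SAMPLE_CLIENT_ID).items():
        print(f"{key}: {value}")
```

Feed it the client ID and scope string exactly as they appear in the delegation entry; a grant that matches the procedure returns `ok: True` with empty `missing` and `extra` lists.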
Add G Suite Marketplace App
- On the Dashboard, Add a Cloud App.
- Select G Suite Marketplace, then Connect to Account.
- Enter the Google Administrator Email (with Super Admin role permissions) and the Client ID that you saved in 6.b.
- Upload the P12 Certificate GCP issued in 5.d.
- Click OK to add the cloud app.
After authentication, SaaS Security API adds the new G Suite Marketplace app to the Cloud Apps list as G Suite Marketplace n, where n is the number of G Suite Marketplace app instances that you have connected to SaaS Security API. For example, if you added one G Suite Marketplace app, the name displays as G Suite Marketplace 1. You’ll specify a descriptive name soon.
From this point forward, keep this project exclusively for SaaS Security API. Do not revoke, disable authorization, or change the project in any way. If you do, SaaS Security API stops scanning.
- When you successfully install the cloud app, an App installed message displays and the G Suite Marketplace app displays in the Cloud Apps list.
- If you receive an Unable to perform this operation error, fix the issue.
Customize G Suite Marketplace App
If you plan to manage more than one instance of G Suite Marketplace app, consider differentiating your instances.
- (Optional) Give a descriptive name to this app instance.
- Select the G Suite Marketplace n link on the Cloud Apps list.
- Enter a descriptive Name.
- Click Done to save your changes.
During the discovery phase, SaaS Security API scans for third party apps and the users that are using them. Even in the unusual case that none of your end users have installed a third party app, SaaS Security API still displays:
Fix G Suite Marketplace Issues
The most common or most important issues related to adding a G Suite Marketplace app are as follows:
When you add the G Suite Marketplace app in SaaS Security API, you receive an operation error:
Unable to perform this operation.
SaaS Security API requires that the combination of client ID, email, and key be accurate.
If any one of those requirements is incorrect, SaaS Security API cannot authenticate and displays the same error.
When SaaS Security API returns the error, the SaaS Security web interface displays the email and clears the sensitive fields (client ID and P12 Certificate).
Verify that all three requirements are accurate. The Google Admin account must have Super Admin role permissions. Also, make sure you’re uploading the correct key. Lastly, verify that all three APIs are enabled as outlined in 7.
Your onboarding and initial discovery went smoothly, but SaaS Security API is no longer discovering third party apps that you know were installed. SaaS Security web interface does not display an error and the Cloud Apps list indicates
This issue can occur when an admin unintentionally disables API access or changes the SaaS Security API G Suite project on GCP. SaaS Security API depends on such authorization and immediately stops working when access is revoked.