Twingate integrates with G Suite in order to both synchronize user accounts and delegate user authentication to Google. Only users that are active in your G Suite domain will be able to use Twingate and access private resources.
Twingate delegates user authentication to Google. The user's email address must match the G Suite domain you configured at activation for access to be authorized. Users without an address matching your domain will not be able to authenticate and use Twingate.
This domain restriction also applies to admin users of the Twingate admin console. Additional admin users can be set within the Twingate admin console.
User and group synchronization is performed via the G Suite API. To enable synchronization, an admin must authorize Twingate to access user and group information for your G Suite domain. This is done from the Identity Provider section of the admin console.
The user authorizing user sync must have one of the following admin roles in G Suite:
- A Super Admin
- A Groups Admin
- A User Management Admin
- A Help Desk Admin
- A custom admin role with at least the "Users: Read" and "Groups: Read" permissions under the Admin API.
(More information on G Suite administrator roles can be found in Google's Help Center.)
Once you have authorized Twingate to access user information, all users and groups in your domain will be synchronized with Twingate automatically. User accounts that exist, but are marked inactive in G Suite, will also be marked inactive in Twingate. Inactive users will be unable to authenticate and therefore will be unable to connect to Twingate.
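The two conditions described on this page (the address must match the configured domain, and the account must be active) can be sketched as follows. This is an added example, not Twingate's code: the `primaryEmail` and `suspended` fields follow the Google Directory API user resource, while the domain `example.com`, the sample records and the exact, case-insensitive domain comparison are assumptions.

```python
from typing import Optional

def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of a simple address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()

def access_decision(user: dict, configured_domain: str) -> tuple:
    """Apply both rules: domain match first, then directory account state."""
    domain = email_domain(user.get("primaryEmail", ""))
    if domain is None:
        return (False, "malformed address")
    # Compare whole domains. A suffix or substring test would also accept
    # look-alike domains that merely contain the configured name.
    if domain != configured_domain.strip().lower():
        return (False, "domain mismatch")
    if user.get("suspended", False):
        return (False, "inactive in directory")
    return (True, "ok")

def audit(users: list, configured_domain: str) -> dict:
    """Map each address to its decision, e.g. to review a directory export."""
    return {u.get("primaryEmail", ""): access_decision(u, configured_domain)
            for u in users}

# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False},
    {"primaryEmail": "Bob@EXAMPLE.com", "suspended": False},
    {"primaryEmail": "carol@example.com", "suspended": True},
    {"primaryEmail": "dave@example.com.other.test", "suspended": False},
    {"primaryEmail": "erin@notexample.com", "suspended": False},
    {"primaryEmail": "no-at-sign", "suspended": False},
]

if __name__ == "__main__":
    for email, (allowed, reason) in audit(SAMPLE_USERS, "example.com").items():
        print(f"{email:32} {'ALLOW' if allowed else 'DENY':5} {reason}")
```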