This guide explains how to use a shared account for a single Google Workspace app integration.
- This requires an existing Google Workspace app integration (the main integration) to already be configured.
- Each shared account will have its own Google Workspace app integration, so be sure to name them appropriately.
- Finally, to share the x.509 certificate between apps, it will be necessary to use Postman.
- Google Workspace App Integration
Creating the Shared App Integration
Create a new Google Workspace app integration and configure it as follows:
- Set the domain to be the same domain as the main app integration (the domain where the shared account originates).
- Select the links to display (it is possible to display more than one).
- Click Save/Next and go to the Sign On tab.
- In the Sign On tab, scroll down to the Credentials Details section and select Custom for the Application username format.
- In the text box that appears below, enter the shared account name in double quotes and click Save.
Sharing the Certificate with the New Shared Google Workspace App Instance
Requirements
There is only one way to share an already existing certificate between two apps.
NOTE:
- App1 is the source app, that is, the app from which the certificate is shared. It is the main Google instance in Okta.
- App2 is the target app, meaning the app that receives the source app's certificate.
In order to share the existing certificate with the new app integration, the following is needed:
- User-based API access setup (super user access).
- Fork the Apps API collection and use it in the Postman environment.
- After the Postman environment with Okta is set up, share the certificates between apps.
Steps
- In Postman, go to the Apps collection and use the List Apps API command to retrieve the appID for the app from which the certificate will be retrieved (App1).
- Retrieve the keyID (kid) for the app that has the desired certificate (App1).
- Retrieve the appID (id) for the app that will receive the cloned certificate (App2).
- In Postman, go to the Apps collection > Certificate Operations and search for the API call: Share/Clone certificate.
- The API call looks like this:
{{url}}/api/v1/apps/app1ID/credentials/keys/{{keyIdForApp1}}/clone?targetAid=app2ID
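The steps above can also be scripted and checked. The following Python sketch is an added example, not part of the original guide and not Okta's own code: it resolves App1 and App2 by exact label, builds the clone call, and confirms afterwards that both apps hold the same certificate under the same kid. The app labels, IDs, kid, host name and certificate bytes are constructed sample values, and authentication is left to whatever API access has been set up.

```python
import base64
import hashlib
from urllib.parse import quote, urlencode

# Constructed sample data standing in for List Apps / List Key Credentials responses.
SAMPLE_APPS = [
    {"id": "0oaEXAMPLEapp1", "label": "Google Workspace"},
    {"id": "0oaEXAMPLEapp2", "label": "Google Workspace - Shared Mailbox"},
]
SAMPLE_CERT = base64.b64encode(b"constructed certificate bytes").decode()
SAMPLE_KEYS_APP1 = [{"kid": "kidEXAMPLE1", "x5c": [SAMPLE_CERT]}]
SAMPLE_KEYS_APP2 = [{"kid": "kidEXAMPLE1", "x5c": [SAMPLE_CERT]}]


def app_id_by_label(apps, label):
    """Return the id of the single app with this exact label, else raise."""
    matches = [a["id"] for a in apps if a.get("label") == label]
    if len(matches) != 1:
        raise ValueError(f"expected one app labelled {label!r}, found {len(matches)}")
    return matches[0]


def clone_request(base_url, app1_id, kid, app2_id):
    """Build (method, url) for Share/Clone certificate; auth is left to the caller."""
    path = "/api/v1/apps/{}/credentials/keys/{}/clone".format(
        quote(app1_id, safe=""), quote(kid, safe=""))
    return "POST", base_url.rstrip("/") + path + "?" + urlencode({"targetAid": app2_id})


def thumbprint(key):
    """SHA-256 hex digest of the DER certificate carried in x5c[0]."""
    return hashlib.sha256(base64.b64decode(key["x5c"][0])).hexdigest()


def verify_clone(app1_keys, app2_keys, kid):
    """True only if App2 holds the same certificate as App1 under this kid."""
    src = {k["kid"]: k for k in app1_keys}.get(kid)
    dst = {k["kid"]: k for k in app2_keys}.get(kid)
    return bool(src and dst) and thumbprint(src) == thumbprint(dst)


if __name__ == "__main__":
    app1 = app_id_by_label(SAMPLE_APPS, "Google Workspace")
    app2 = app_id_by_label(SAMPLE_APPS, "Google Workspace - Shared Mailbox")
    print(*clone_request("https://example.okta.com", app1, "kidEXAMPLE1", app2))
    print("clone verified:", verify_clone(SAMPLE_KEYS_APP1, SAMPLE_KEYS_APP2, "kidEXAMPLE1"))
```

Refusing to continue when a label matches zero or several apps keeps the signing certificate from being cloned into the wrong integration.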
Activating the new cert and Assigning Users
- Now that the certificate has been shared with the new Google Workspace shared app, it can be activated.
- Assign users/groups and test.
The expected result is that when a user clicks on the shared Google Workspace app, a new tab opens for that Google app, logged in as the shared account user.
NOTE: Using a shared account is not advisable for security reasons. These steps are provided as a workaround, and anyone who follows them assumes any security risk arising from using a shared account.