The Admin Settings API allows administrators of Google Workspace domains to retrieve and change the settings of their domains in the form of Google Data API feeds.
These domain settings include many of the features available in the Google Workspace Admin console. Example uses of this API include creating a custom control panel or integrating Google Workspace domains into an existing legacy environment.
The Admin Settings API implements the Google Data API protocol. The Google Data API conforms to the Atom Publishing Protocol (AtomPub) publishing and editing model. The AtomPub HTTP requests use the Representational Set Transfer (RESTful) design approach to web services. For more information, see the Google Data Developer's Guide.
Audience
This document is intended for developers who want to write client applications that can modify and retrieve information about Google Workspace domains. It provides examples of the basic Admin Settings API interactions using raw XML and HTTP.
This document assumes that you understand the general ideas behind the Google Data API protocol, and that you are familiar with the Google Workspace Admin console. For more information about the Admin console, see Use your Admin console.
Getting Started
Creating an account
The Admin Settings API is enabled for Google Workspace accounts. Sign up for a Google Workspace account for testing purposes. The Admin Settings service uses Google Accounts, so if you already have an account on a Google Workspace domain, you're all set.
About the Admin Settings API feed types
The Admin Settings API allows you to manage these categories of domain settings:
- Single Sign-On settings
SAML-based Single Sign-On (SSO) allows users to use the same login and password for both Google Workspace hosted services as well as other services you may be hosting within your organization. Specifically when using SSO, a hosted web application, such as Google Workspace, redirects users to your organization's identity provider to authenticate users when they log in. For detailed information, see Understanding SAML-based SSO for Google Workspace.
Configuring SSO involves entering the necessary information for the Google Workspace service to communicate with the identity provider that stores your users' login information, as well as setting up the links users should be sent to for logging in, logging out, and for changing their passwords. The Admin Settings API allows you to update and retrieve these settings programmatically. Google uses your generated public key to verify this SSO request with your identity provider and that the private key SAML response was not modified during the network transmission.
For a short API specific summary of using the SSO settings, get your public key certificate from your identity provider, register the public key with Google, and set up your SAML-based SSO query settings. For error messages, see Troubleshooting SSO:- Generate your keys -- With your identity provider, generate a set of public and private keys using either the DSA or RSA algorithms. The public key is in an X.509 formatted certificate. For more information about SAML-based Single Sign-On signing keys, see Generating Keys and Certificates for Google Workspace Single Sign-On Service.
- Register with Google -- Use Admin Settings API's Single Sign-On settings to register your public key certificate with Google.
- Set up your SSO settings -- Use Admin Settings API's Single Sign-On settings to configure the settings used to communication with the domain's identity provider's servers.
- Gateway and routing settings
This feed lets domain administrators control routing of email for their domains.
The email routing operations allow administrators to specify the domain-level email routing settings. This is similar to the email routing functionality of the Admin console's Gmail settings. For more information, see Email routing and email routing feature's dual delivery configuration.
Sample of an Admin Settings API XML request and response
This document provides code examples of basic Admin Settings API requests and responses using raw XML and HTTP. This domain default language example shows the full XML and HTTP syntax for a request and response entry's body which is common to each operation:
To change domain's outbound email gateway setting, send an HTTP PUT
to the gateway feed URL:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/email/gateway
The domain default language PUT
request AtomPub entry
XML is:
<atom:entry xmlns:atom='http://www.w3.org/2005/Atom'
xmlns:apps='http://schemas.google.com/apps/2006'>
<apps:property name='smartHost' value='smtp.out.domain.com' />
<apps:property name='smtpMode' value='SMTP' />
</atom:entry>
Except for the operation-specific properties and values, the atom:property
elements represents a single key-value pair containing information about a property that you wish to retrieve or update. These are common to all Admin Settings API request bodies.
The domain default language response entry
element returns the smartHost
and smtpMode
properties along with the XML syntax common to all Admin Settings API response bodies:
<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<id>https://apps-apis.google.com/a/feeds/domain/2.0/domainName/email/gateway</id>
<updated>2008-12-17T23:59:23.887Z</updated>
<link rel='self' type='application/atom+xml' href='https://apps-apis.google.com/a/feeds/domain/
2.0/domainName/email/gateway'/>
<link rel='edit' type='application/atom+xml' href='https://apps-apis.google.com/a/feeds/domain/
2.0/domainName/email/gateway'/>
<apps:property name='smartHost' value='smtp.out.domain.com' />
<apps:property name='smtpMode' value='SMTP' />
</entry>
Managing Single Sign-On settings
The Google Workspace Single Sign-On feature (SSO) lets users log on to multiple services while only having to enter a login and password once. This password is stored by the domain's identity provider, not by Google Workspace. For more information, see the Help Center's SSO page. The following sections demonstrate the XML format used for Single Sign-On settings.
Retrieving Single Sign-On settings
To retrieve Single Sign-On settings, send an HTTP GET
to the SSO general feed URL, and include an Authorization
header as described in Authenticating to the Admin Settings service. And, for error messages, see Troubleshooting SSO:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/general
This operation has no parameters in the request body.
A successful response returns an HTTP 200 OK
status code, along with an AtomPub feed with the domain's SSO settings.
The GET response XML returns the samlSignonUri
, samlLogoutUri
, changePasswordUri
, enableSSO
, ssoWhitelist
, and useDomainSpecificIssuer
properties:
<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<apps:property name='samlSignonUri' value='http://www.example.com/sso/signon'/>
...
<apps:property name='samlLogoutUri' value='http://www.example.com/sso/logout'/>
<apps:property name='changePasswordUri' value='http://www.example.com/sso/changepassword'/>
<apps:property name='enableSSO' value='true'/>
<apps:property name='ssoWhitelist' value='CIDR formatted IP address'/>
<apps:property name='useDomainSpecificIssuer' value='false'/>
</entry>
The properties include:
- samlSignonUri
- The identity provider's URL where Google Workspace sends the SAML request for user authentication.
- samlLogoutUri
- The address that users will be sent to when they log out of the web application.
- changePasswordUri
- The address that users will be sent to when they want to change their SSO password for the web application.
- enableSSO
- Enables SAML-based SSO for this domain. If you have previously configured SSO settings, and you have subsequently set
enableSSO
toenableSSO=false
, the settings you have previously entered are still saved. - ssoWhitelist
- A ssoWhitelist is a network mask IP address in Classless Inter-Domain Routing (CIDR) format. The ssoWhitelist determines which users log in using SSO and which users log in using the Google Workspace account authentication page. If no masks are specified, all users will log in using SSO. For more information, see How do network masks work.
- useDomainSpecificIssuer
- A domain specific issuer can be used in the SAML request to the identity provider. Though not necessary for most SSO deployments, this feature is useful in large companies using a single identity provider to authenticate an entire organization with multiple subdomains. Giving the specific domain issuer determines which subdomain to associate with the request. For more information, see How does the Issuer element in the SAML request work?
If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.
Updating Single Sign-On settings
To update a domain's SSO settings, first retrieve the SSO settings using the Retrieving Single Sign-On settings operation, modify it, and then send a PUT
request to the SSO feed URL. Be sure the <id>
value is in your updated entry exactly matches the <id>
of the existing entry. Include an Authorization
header as described in Authenticating to the Admin Settings API service. And, for error messages, see Troubleshooting SSO.
When updating Single Sign-On settings, send an HTTP PUT to the SSO general feed URL:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/general
The XML body of the PUT
request is:
<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<apps:property name='enableSSO' value='false' />
<apps:property name='samlSignonUri' value='http://www.example.com/sso/signon' />
<apps:property name='samlLogoutUri' value='http://www.example.com/sso/logout' />
<apps:property name='changePasswordUri' value='http://www.example.com/sso/changepassword' />
<apps:property name='ssoWhitelist' value='127.0.0.1/32' />
<apps:property name='useDomainSpecificIssuer' value='false'/>
</atom:entry>
A successful response returns an HTTP 200 OK
status code, along with an AtomPub feed with the SSO settings.
The PUT
response XML is:
<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='samlSignonUri' value='http://www.example.com/sso/signon'/>
<apps:property name='samlLogoutUri' value='http://www.example.com/sso/logout'/>
<apps:property name='changePasswordUri' value='http://www.example.com/sso/changepassword'/>
<apps:property name='enableSSO' value='false'/>
<apps:property name='ssoWhitelist' value='127.0.0.1/32'/>
<apps:property name='useDomainSpecificIssuer' value='false'/>
</entry>
If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.
Changes to Single Sign-On settings are disallowed when the target customer has enabled Multi-party approval for sensitive actions. Requests will fail with errorCode="1811"
and reason="LegacyInboundSsoChangeNotAllowedWithMultiPartyApproval"
.
Retrieving the Single Sign-On signing key
To retrieve the Single Sign-On signing key, send an HTTP GET
to the SSO signing key feed URL, and include an Authorization
header as described in Authenticating to the Admin Settings service. And, for error messages, see Troubleshooting SSO:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/signingkey
This operation has no parameters in the request body.
A successful response returns an HTTP 200 OK
status code, along with an AtomPub feed with the signing key.
The GET
response XML returns the signingKey
property:
<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='signingKey' value='yourBase64EncodedPublicKey'/>
</entry>
If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.
Updating the Single Sign-On signing key
To update a domain's SSO signing key, first retrieve the signing key using the Retrieving Single Sign-On signing key operation, modify it, and then send a PUT
request to the SSO signing key feed URL. Be sure the <id>
value is in your updated entry exactly matches the <id>
of the existing entry. For more information about SAML-based Single Sign-On signing keys, see Generating Keys and Certificates for Google Workspace Single Sign-On Service.
When updating Single Sign-On signing key, send an HTTP PUT
to the SSO signing key feed URL:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/signingkey
The PUT
request XML is:
<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps="http://schemas.google.com/apps/2006">
<apps:property name='signingKey' value='yourBase64EncodedPublicKey'/>
</atom:entry>
Changes to Single Sign-On settings are disallowed when the target customer has enabled Multi-party approval for sensitive actions. Requests will fail with errorCode="1811"
and reason="LegacyInboundSsoChangeNotAllowedWithMultiPartyApproval"
.
Managing email gateway and routing
The outbound email gateway section shows how the Admin Settings API supports the outbound routing of mail from users in your domain. The email routing section shows how to route messages to another mail server.
Retrieving outbound email gateway settings
To retrieve outbound email gateway settings, send an HTTP GET
to the gateway feed URL, and include an Authorization
header as described in Authenticating to the Admin Settings service:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/email/gateway
This operation has no parameters in the request body.
A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the email gateway status information.
The GET
response returns the smartHost
and smtpMode
properties. For more information about these properties, see Updating outbound email gateway settings.
An example of a possible response is:
<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='smartHost' value='smtpout.domain.com'/>
<apps:property name='smtpMode' value='SMTP'/>
</entry>
If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.
Updating outbound email gateway settings
To update a domain's outbound email gateway setting, send an HTTP PUT
request to the gateway feed URL:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/email/gateway
The PUT
request XML is:
<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps="http://schemas.google.com/apps/2006">
<apps:property name='smartHost' value='smtp.out.domain.com' />
<apps:property name='smtpMode' value='SMTP' />
</atom:entry>
The request properties are:
- smartHost
- Either the IP address or hostname of your SMTP server. Google Workspace routes outgoing mail to this server.
- smtpMode
- The default value is SMTP. Another value, SMTP_TLS, secures a connection with TLS when delivering the message.
A successful response returns an HTTP 200 OK
status code, along with the AtomPub feed with the email gateway settings status.
If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.
Managing email routing settings
First, create an XML request:
<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps="http://schemas.google.com/apps/2006">
<apps:property name='routeDestination' value='route-smtp.domain.com'/>
<apps:property name='routeRewriteTo' value='true'/>
<apps:property name='routeEnabled' value='true'/>
<apps:property name='bounceNotifications' value='true'/>
<apps:property name='accountHandling' value='can be either allAccounts | provisionedAccounts | unknownAccounts'/>
</atom:entry>
The request properties are:
- routeDestination
- This destination is the hostname or IP address of the SMTP-In mail server where the email is being routed. The hostname or IP address must resolve for Google. For more details on resolving mail host names, see Pilot Google Workspace with email routing.
- routeRewriteTo
- If true, the message's SMTP envelope's
to:
field is changed to the destination hostname (user@destination's hostname), and the message is delivered to this user address on the destination mail server. Iffalse
, the email is delivered to the original message'sto:
email address (user@original hostname) on the destination mail server. This is similar to the Admin console's 'Change SMTP envelope' setting. For more information, see Domain settings for email routing. - routeEnabled
- If
true
, the email routing functionality is enabled. Iffalse
, the functionality is disabled. - bounceNotifications
- If
true
, Google Workspace is enabled to send bounce notifications to the sender when a delivery fails. - accountHandling
This setting determines how different types of users in the domain are affected by email routing:
allAccounts
-- Deliver all email to this destination.provisionedAccounts
-- Deliver mail to this destination if the user exists in Google Workspace.unknownAccounts
-- Deliver mail to this destination if the user does not exist in Google Workspace. This is similar to the Admin console's 'Delivery email for' setting. For more information about prerequisites and how to use mail routing, see Domain settings for email routing. ~ To publish this request, send an HTTPPOST
to the email routing feed URL, and include anAuthorization
header as described in Authenticating to the Admin Settings service:
https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/emailrouting
A successful response returns an HTTP 200 OK
status code, along with an AtomPub feed with the archive information.
If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.
Endpoints sunset on Oct 31, 2018
We deprecated the following endpoints as part of this announcement. They were sunset on October 31, 2018 and are no longer available.
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/defaultLanguage
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/organizationName
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/currentNumberOfUsers
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/maximumNumberOfUsers
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/supportPIN
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/customerPIN
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/adminSecondaryEmail
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/edition
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/creationTime
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/countryCode
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/appearance/customLogo
- https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/verification/mx