How to connect to a Google Apps Directory using the Google Apps Connector

Configuring Your Google Account

If you wish to connect your Google Apps database to Access Manager, you must first configure Google Apps to create a Service Account user that can be used to manage the Google accounts.

  

Step 1: Creating a new Project

  1. To begin, a new project must be created in your Google Developers Console. Go to https://console.developers.google.com and log in with a Google Account that has permission to manage users in the Google directory. Go to Project, select the Create Project option, and enter a project name that you will be able to identify for Access Manager.
  2. From the new project's home page go to the API Manager and locate and enable the Admin SDK in the Google Apps APIs section before continuing.
  3. Next go to the Credentials section and from the Create Credentials drop down select OAuth client ID.
  4. You may need to go into the Consent page options and set a name before you can select an Application type. Once this is available, select Web Application.
  5. New options will become available. First set a name; next, under the Restrictions section, you need to provide addresses. For Authorised JavaScript origins add two addresses:
    https://localhost
    https://ExternalURL

    Replace ExternalURL with an address that Google will be able to use to reach your Access Manager.

    Now in Authorised redirect URIs enter the same addresses with /completeWebAuth.html included in the path:
    https://localhost/completeWebAuth.html
    https://ExternalURL/completeWebAuth.html

    Now select Create to complete the account creation.
  6. Take note of the Client ID and Client Secret that are provided; you will need these later.
  7. Now you will need to create a Service Account. From the Create Credentials drop down select Service Account Key.
  8. In the account creation set Service Account to New Service Account, set a name, and set the Key Type to P12. Select Create to continue and keep the P12 file that is downloaded. Also note the full Service Account name that is generated for this account.
  9. Select the Manage Service Accounts link above the Service Account section. On the far right of the new page, three vertical dots indicate a menu for the service account; from here select Edit. Enable the Enable Google Apps Domain-wide Delegation option and set a Product Name to continue.
  10. You will now have all the details you require for configuring the Google Apps Connector.

 

Step 2: Configure Google Security Settings

Go to your Google Apps Admin Console at https://admin.google.com/AdminHome and log in. Select the Security option.

In the Security page select the API Reference section and enable the Enable API Access option. Then select Show More, expand the Advanced Settings section, and select Manage API Client Access.

In the Manage API Client Access page you must enter the value below for scopes. Change the address in the first entry to match your own Access Manager's address, then copy and paste the entries from here. For the Client name use the Client ID for the OAuth Service Account that we noted earlier, and then save the changes. The scopes are:

 

https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias

 

 

Step 3: Decoding the Private Key

Before we can begin configuration of the Google Apps Connector it is necessary to decode the Private Key that was downloaded. The quickest way to do this is to first convert the certificate into Base 64 format.

If you are using OpenSSL to convert the certificate run the following command:

openssl base64 -in privatekey.p12 -out key.64
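
A more careful form of this step, as an added example that is not part of the original article: it checks that the downloaded file really is a binary P12 (not a JSON key or an already-encoded file), writes the Base 64 output readable by its owner only, and confirms the output decodes back to the original bytes. The function name encode_p12 and its exit codes are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original article): Base64-encode the downloaded
# service-account P12 key and confirm the result is intact and private.
# The function name and exit codes are this example's own.

# The function body runs in a subshell, so umask and variables stay local.
encode_p12() (
    p12=$1
    out=$2

    # The input must exist and be non-empty.
    [ -s "$p12" ] || { echo "missing or empty: $p12" >&2; exit 1; }

    # A P12 file is binary DER and starts with byte 0x30 (ASN.1 SEQUENCE).
    # This catches a JSON key or an already-encoded file chosen by mistake.
    first=$(head -c 1 "$p12" | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] || { echo "not a binary P12: $p12" >&2; exit 2; }

    # Create the output readable by the owner only; it holds the private key.
    umask 077
    openssl base64 -in "$p12" -out "$out" || exit 3
    chmod 600 "$out"

    # Decode again and compare byte-for-byte with the original.
    openssl base64 -d -in "$out" | cmp -s - "$p12" || {
        echo "round-trip mismatch, removing $out" >&2
        rm -f "$out"
        exit 4
    }
)

# Usage, with the file names from the command above:
#   encode_p12 privatekey.p12 key.64
```

Delete key.64 once its text has been pasted into the Private Key field; it contains the same key material as the P12 file.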

 

Creating the Directory

Step 4: Configuring Google Apps Directory in Access Manager

In Access Manager, Google Apps directories are not automatically detected. When creating the directory you will need to select the Manually Configure option, then select the Google Apps directory option.

On the Directory Configuration Page provide a directory name. Each option in the configuration will now require the appropriate entry that was collected earlier:
Admin Email: This is the email address of the user that created the new project.
Service Account Email: This is the full email name that was assigned to the Service Account that was created for the Private Key.
Private Key: The text from the converted Base 64 key file.
Customer Domain: The domain of the Google user database that is going to be managed.
OAuth2 Client ID: The service account name of the OAuth account that was first created.
OAuth2 Secret ID: The secret generated for the OAuth account.

 

Once all details are configured select Next.

 

Once the Directory configuration is complete the Google Apps directory will be available in Access Manager.

 

 

 

 

 
