Configuring a Google Apps Directory using a JSON key in Access Manager 1.3-RG2

If you wish to connect your Google Apps database to Access Manager, you must first configure Google Apps to create a Service Account user that can be used to manage the Google accounts.


Creating a new Project

1. To begin, a new project must be created in your Google Developers Console. Go to https://console.developers.google.com and log in with a Google Account that has permission to manage users in the Google directory. From the Dashboard create a new project and assign a name that you will be able to identify for Access Manager.

2. With the new project selected go to the API Manager > Library, then locate and enable the Admin SDK in the Google Apps APIs section.

3. Next go to the Credentials section and from the Create Credentials drop down select OAuth client ID.

4. You may need to go into the Consent page options and set a name before you can select an Application type. Once this is available select Web Application.

5. New options will become available. First set a name; next, under the Restrictions section you need to provide addresses. For Authorised JavaScript origins add two addresses:
https://localhost
https://AccessManagerURL

Replace AccessManagerURL with the address used by your users to connect to Access Manager.

Now in Authorised redirect URIs enter the same addresses with /completeWebAuth.html included in the path:
https://localhost/completeWebAuth.html
https://AccessManagerURL/completeWebAuth.html

Now select Create to complete the account creation.

6. Take note of the Client ID and Client Secret that are provided; you will need these later.

7. Now you will need to create a Service Account. From the Create Credentials drop down select Service Account Key.

8. In the account creation set Service Account to New Service Account, set a name, and set the Key Type to JSON. Select Create to continue and keep the JSON file that is downloaded; its full text will be required later.

9. Select the Manage Service Accounts link above the Service Account section. On the far right of the new page, three vertical dots indicate a menu for the service account; from here select Edit. Enable the Enable Google Apps Domain-wide Delegation option and save.

10. Now select the View Client ID and make a note of the Client ID of the service account.

11. You will now have all the details you require for configuring the Google Apps Connector.


Configure Google Security Settings

Go to your Google Apps Admin Console at https://admin.google.com/AdminHome and log in. Select the Security option.

In the Security page select the API Reference section and enable the Enable API Access option. Then select Show More, expand the Advanced Settings section, and select Manage API Client Access.

In the Manage API Client Access page you must enter the following value for Scopes (you can copy and paste the entries from here). For the Client name use the Client ID from the Service Account that we noted earlier, and then save the changes:

https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias

This completes the steps for Google Apps configuration, in Access Manager you can now create the Google Apps Directory.
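As an added check (not part of the Access Manager or Google documentation), the following Python script validates the three items collected above before they are pasted into Access Manager: the service account JSON key, the Client name entered in Manage API Client Access, and the scope list. It flags a missing scope as well as any scope granted beyond the five the connector needs. The sample key embedded in it is constructed and contains no real private key.

```python
import json

# The five Admin SDK scopes the article says to grant under Manage API Client Access.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.orgunit",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.alias",
}

# Fields present in every Google service-account JSON key file.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")


def audit_delegation(key_text, client_name, scope_string):
    """Return a list of problems (an empty list means the three inputs agree)."""
    problems = []
    try:
        key = json.loads(key_text)
    except ValueError as exc:
        return ["service account JSON does not parse: %s" % exc]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append("JSON key is missing field %r" % field)
    if key.get("type") != "service_account":
        problems.append("JSON key type is %r, not 'service_account'" % key.get("type"))
    pem = key.get("private_key", "")
    if not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    # The Client name in the admin console must be the service account's numeric client ID.
    if client_name != key.get("client_id"):
        problems.append("Client name %r differs from key client_id %r" % (client_name, key.get("client_id")))
    scopes = {s.strip() for s in scope_string.split(",") if s.strip()}
    for s in sorted(REQUIRED_SCOPES - scopes):
        problems.append("required scope not granted: %s" % s)
    for s in sorted(scopes - REQUIRED_SCOPES):
        problems.append("scope granted beyond what the connector needs: %s" % s)
    return problems


# Constructed sample key (not a real key): the private_key body is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-access-manager",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "am-connector@example-access-manager.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

if __name__ == "__main__":
    print(audit_delegation(SAMPLE_KEY, "123456789012345678901", ",".join(sorted(REQUIRED_SCOPES))))
```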


Configuring Google Apps Directory in Access Manager

In Access Manager the Google Apps databases are not automatically detected. When creating the directory you will need to select the Manually Configure option, then select the Google Apps directory option.

On the Configure Directory page provide a directory name. Each option in the configuration will now require the appropriate entry that was collected earlier:

Admin Email: This is the email address of the user that created the new project.
Customer Domain: The domain of the Google user database that is going to be managed.
Service Account Json: The full text from the JSON key file that was provided for the service account.
OAuth2 Client ID: The service account name of the OAuth account that was first created.
OAuth2 Secret ID: The secret generated for the OAuth account.

Once all details are configured select Next to allow the directory to be created and populated.
