4.3 Creating a Google Service Account

The connector for Google Apps uses an OAuth 2.0 federated connection to provision the user accounts from the identity source to Google Apps. To create this federated connection, you must create a Google service account. For more information about this process, see Using OAuth 2.0 for Server to Server Applications.

You must create this service account before you can configure the connector for Google Apps. To create the service account, follow the instructions on the Google developer site: Creating a service account.

When you create the service account, enable the following API:

  • Admin SDK

In addition, when you create the service account, record the following information. You will need this information when you configure the connector for Google Apps:

  • Service account’s email address

  • Path to the P12 private key file

Finally, you must delegate domain-wide authority to the service account. This step grants the service account access to the Google resources that CloudAccess needs in order to provision the user accounts and allow single sign-on. To grant domain-wide authority, follow the instructions on the Google developer site: Delegating domain-wide authority to the service account.

Add the following Google scopes in a comma-separated format to grant the correct authorizations:

  • https://www.googleapis.com/auth/admin.directory.group

  • https://www.googleapis.com/auth/admin.directory.group.member

  • https://www.googleapis.com/auth/admin.directory.orgunit

  • https://www.googleapis.com/auth/admin.directory.user

NOTE: The Google scopes must be entered as a single comma-delimited list with no hard returns or line breaks. When you copy these scopes, ensure that the pasted text contains no hard returns or line breaks.
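The following Python script is an added example, not part of this guide or of the CloudAccess product. It shows two checks an administrator can run before completing the steps above: normalizing scope text that may have picked up line breaks or spaces into the comma-delimited form the domain-wide delegation page expects (and rejecting any scope beyond the four the connector needs, to keep the grant least-privilege), and assembling the header and claim set of the OAuth 2.0 server-to-server JWT that this federated connection is based on. In that JWT the `iss` claim is the service account's email address, the `sub` claim is the domain user the service account acts on behalf of under domain-wide delegation, and the `scope` claim is space-delimited rather than comma-delimited. The `admin_user` value is a constructed placeholder; the token endpoint is Google's public OAuth 2.0 endpoint. Signing the assembled input with the P12 private key (RS256) is done by an OAuth library and is deliberately not implemented here.

```python
import base64
import json
import re

# Scopes listed in this section; the delegation page wants them comma-delimited.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.orgunit",
    "https://www.googleapis.com/auth/admin.directory.user",
)

# Shape of a Google OAuth scope URL: scheme, host, and a dotted scope name.
GOOGLE_SCOPE_RE = re.compile(r"^https://www\.googleapis\.com/auth/[A-Za-z0-9._-]+$")

# Google's OAuth 2.0 token endpoint; it is the 'aud' of the service account JWT.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def normalize_scope_list(pasted: str) -> str:
    """Return the scopes as one comma-delimited string with no whitespace.

    Accepts text that was split across lines or padded with spaces (the
    failure mode the NOTE warns about), validates each entry, and requires
    exactly the set the connector needs: a missing scope breaks provisioning,
    an extra scope widens what the service account can do.
    """
    parts = [p for p in re.split(r"[,\s]+", pasted) if p]
    for p in parts:
        if not GOOGLE_SCOPE_RE.match(p):
            raise ValueError(f"not a Google scope URL: {p!r}")
    missing = set(REQUIRED_SCOPES) - set(parts)
    if missing:
        raise ValueError(f"missing required scopes: {sorted(missing)}")
    extra = set(parts) - set(REQUIRED_SCOPES)
    if extra:
        raise ValueError(f"scopes beyond what the connector needs: {sorted(extra)}")
    return ",".join(REQUIRED_SCOPES)


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_jwt_signing_input(service_account_email: str, admin_user: str,
                            scopes, now: int, lifetime: int = 3600) -> str:
    """Assemble '<header>.<claims>' for the server-to-server JWT bearer flow.

    The P12 private key signs this string with RS256 (not done here). The
    'sub' claim is only honored once domain-wide authority has been delegated
    to the service account for the listed scopes.
    """
    if "@" not in service_account_email or "@" not in admin_user:
        raise ValueError("service account and impersonated user must be email addresses")
    if not 0 < lifetime <= 3600:
        raise ValueError("Google accepts a JWT lifetime of at most one hour")
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": service_account_email,   # the service account's email address
        "sub": admin_user,              # domain user acted for under delegation
        "scope": " ".join(scopes),      # space-delimited in the JWT
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + lifetime,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return _b64url(compact(header)) + "." + _b64url(compact(claims))


def parse_signing_input(signing_input: str):
    """Decode the header and claim set back into dicts (for inspection)."""
    header_b64, claims_b64 = signing_input.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


if __name__ == "__main__":
    # Constructed input: the four scopes pasted with line breaks and stray spaces.
    pasted = (
        "https://www.googleapis.com/auth/admin.directory.group,\n"
        "https://www.googleapis.com/auth/admin.directory.group.member,\n"
        "  https://www.googleapis.com/auth/admin.directory.orgunit ,\n"
        "https://www.googleapis.com/auth/admin.directory.user"
    )
    print(normalize_scope_list(pasted))
    signing_input = build_jwt_signing_input(
        "connector@example-project.iam.gserviceaccount.com",  # placeholder
        "admin@example.com",                                  # placeholder
        REQUIRED_SCOPES, now=1700000000)
    print(parse_signing_input(signing_input)[1]["scope"])
```

Run the script as-is to see the cleaned comma-delimited scope string and the space-delimited `scope` claim side by side; paste the former into the delegation page and let your OAuth client library build and sign the latter from the P12 key.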