4.0 Google Apps

Complete the following steps to configure Google Apps to allow user provisioning from Access Manager using SAM.

  1. Go to https://console.cloud.google.com/home/ and log in as your domain administrator.

  2. (Conditional) If you already have a Google Cloud project available, skip to Step 4.

  3. (Conditional) Create a Google Cloud project:

    1. Click Create project.

    2. Enter a project name, then click Create.

      The project’s dashboard appears. Refresh the page if necessary to see your project.

  4. Enable the Admin SDK API for your project:

    1. From the list in the top menu bar, select your project to access the project Dashboard.

    2. From the Navigation menu in the top menu bar, select APIs & Services > Library.

    3. Search for and select the Admin SDK service.

    4. Click Enable.

  5. Create and configure a service account:

    1. From the navigation menu in the top menu bar, select APIs & Services > Credentials.

    2. In the Credentials menu bar, select Create credentials > Service account.

    3. On the Create service account page:

      1. For Step 1, enter a value for the service account name. Click Create to go to Step 2.

      2. For Step 2, under Select a role, select Project > Owner. Click Continue to go to Step 3.

        The project role does not control access to the Directory API; that access is granted by the domain-wide delegation scopes you authorize in Step 6. Project > Owner gives the service account full control of the Cloud project, which is more than provisioning needs. If you follow least privilege, you can leave the role unassigned and click Continue.

      3. For Step 3, click Done.

        The Credentials page shows your newly created service account.

    4. Click the edit (pencil) icon for the service account.

    5. Under Email, make note of the email address for the service account. You will need this when you configure the Google application in Access Manager.

    6. Under Unique ID, make note of the client ID. You will need this ID later in these steps.

    7. Click Show Domain-wide Delegation.

    8. Select Enable G Suite Domain-wide Delegation.

    9. In the Product name for the consent screen field, enter a name.

    10. Under Keys, select Add Key > Create new key.

    11. Ensure that the selected Key type is JSON, then click Create.

      Follow the prompts to download the key file. It is a JSON file containing the service account's private key, together with the client_email and client_id you noted in Steps 5.e and 5.f; it is not a certificate. Google does not keep a copy, so if you lose it you must create a new key. Protect it as you would any private key: anyone who holds it can act as the service account with every scope you delegate in Step 6. Make note of the name and location of the downloaded key file for later use.

    12. After you have downloaded the key file, click Close.

    13. Click Save to complete the service account setup.

  6. Configure G Suite security:

    1. Go to https://admin.google.com and log in as your domain administrator.

    2. From the Main menu in the top menu bar, select Security > API controls.

    3. At the bottom of the page, select Manage Domain-wide Delegation.

    4. Click Add new.

    5. For Client ID, paste the client ID of the service account that you created in Step 5.f.

    6. In OAuth scopes, paste the following comma-delimited string, with no spaces between the scopes:

      https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.user

      These are the read/write Directory API scopes for groups, group members, organizational units, and users. Provisioning needs write access; the corresponding .readonly scopes would let Access Manager read the directory but not create or update users and groups.

    7. Click Authorize.

      You should now see your service account listed with Name, Client ID, and scopes as an authorized client of G Suite.

      The setup at Google is now complete.

  7. In the Access Manager administration console, configure the Google Apps application. Use the value for the service account email that you recorded in Step 5.e and the JSON key file that you downloaded in Step 5.k.
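The following is an added example, not part of the original page and not Access Manager's own code. It shows what the setup above produces and how to check it before configuring Access Manager: the downloaded JSON key file is parsed, the client ID and scope string pasted into Manage Domain-wide Delegation (Step 6) are compared against it, and the unsigned JWT that a domain-wide-delegated token request is built from is assembled, with `sub` naming the administrator the service account acts as. The key file contents, the `am-provisioning@example-project...` account, the admin address `admin@example.com`, and the function names are constructed for illustration; the private key value is a placeholder so the script runs offline.

```python
import base64
import json
import time

# Constructed sample of a downloaded service-account key file (Step 5.k).
# The private_key value is a placeholder so the example runs offline; a real
# file carries an RSA private key in PKCS#8 PEM form and must be kept secret.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\n...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "am-provisioning@example-project.iam.gserviceaccount.com",
    "client_id": "109876543210987654321",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# The scope string from Step 6.f, exactly as pasted into the admin console.
CONSOLE_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group,"
    "https://www.googleapis.com/auth/admin.directory.group.member,"
    "https://www.googleapis.com/auth/admin.directory.orgunit,"
    "https://www.googleapis.com/auth/admin.directory.user"
)
REQUIRED_SCOPES = frozenset(CONSOLE_SCOPES.split(","))


def load_key_file(text):
    """Parse the downloaded JSON key and confirm it is a service-account key."""
    key = json.loads(text)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    for field in ("client_email", "client_id", "private_key", "token_uri"):
        if not key.get(field):
            raise ValueError("key file is missing " + field)
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PKCS#8 PEM block")
    return key


def check_delegation_entry(key, console_client_id, console_scopes):
    """Compare a Manage Domain-wide Delegation entry (Step 6) with the key file.

    Returns a list of problems; an empty list means the entry matches. The
    client ID must be the key file's numeric client_id, not its email."""
    problems = []
    if console_client_id.strip() != key["client_id"]:
        problems.append("client ID does not match the key file")
    granted = {s.strip() for s in console_scopes.split(",") if s.strip()}
    for scope in sorted(REQUIRED_SCOPES - granted):
        problems.append("missing scope " + scope)
        # A .readonly variant lets reads succeed but makes write calls such as
        # creating a user fail with HTTP 403, so call it out explicitly.
        if scope + ".readonly" in granted:
            problems.append("readonly variant granted instead of " + scope)
    for scope in sorted(granted - REQUIRED_SCOPES):
        problems.append("extra scope granted: " + scope)
    return problems


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def delegated_jwt_signing_input(key, admin_user, scopes, now=None):
    """Build the unsigned JWT that the JWT-bearer grant sends for delegated access.

    `iss` is the service account, `sub` is the Workspace admin it acts as, and
    `scope` is space-delimited here even though the admin console takes commas.
    The caller signs header.claims with the key file's RSA key (RS256) and
    appends the signature as the third segment."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    claims = {
        "iss": key["client_email"],
        "sub": admin_user,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # exp may be at most one hour after iat
    }

    def enc(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    return enc(header) + "." + enc(claims), claims


if __name__ == "__main__":
    key = load_key_file(SAMPLE_KEY_FILE)
    print(check_delegation_entry(key, key["client_id"], CONSOLE_SCOPES))  # []
    # Common mistakes: pasting the email instead of the client ID, and a readonly scope.
    wrong = CONSOLE_SCOPES.replace("admin.directory.user", "admin.directory.user.readonly")
    for problem in check_delegation_entry(key, key["client_email"], wrong):
        print("-", problem)
    signing_input, _ = delegated_jwt_signing_input(key, "admin@example.com", sorted(REQUIRED_SCOPES))
    print(signing_input[:40] + "...")
```

The signed assertion is POSTed to the key file's token_uri with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; Access Manager's Google connector does this for you. If that request fails with an unauthorized_client error, the client ID or the scopes authorized in Step 6 do not match what the assertion carries, which is the mismatch the checker above reports.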