Access Manager: Configuring a Google Apps Connector

system
This article is marked as obsolete.

If you wish to connect your Google Apps database to Access Manager, you must first configure Google Apps to create a Service Account user that can be used to manage the Google accounts.

Creating a new Project

1. To begin, a new project must be created in your Google Developers Console. Go to https://console.developers.google.com and log in with a Google Account that has permission to manage users in the Google directory. From the Dashboard, create a new project and assign a name that you will be able to identify for Access Manager. Click Create.

2. Select the new project from the dropdown at the top of the screen. You should now be looking at the Dashboard.

Under the left hand menu, click Library, then locate the Admin SDK library, which should be visible in the G Suite section.

Click Admin SDK, then Enable.

3. Next, go to Credentials on the left menu, then click the link for Credentials in APIs & Services.

From the Create Credentials drop down select OAuth client ID.

4. You may need to go into the Consent screen options and set a name before you can select an Application type; you will be informed of this if required. If so, click Configure consent screen.

Set an Application Name of your choice.

Whilst on this page, scroll down and set a value for Authorized Domains. This needs to match the hostname of your Access Manager server or the top-level domain of your host. Click Save.

Once this is complete, you should be at the Create OAuth client ID screen. Select Web Application.

5. New options will become available. First set a Name; next, under the Restrictions section, you need to provide addresses.

For Authorised JavaScript origins add two addresses (Note: press Tab or click outside the text box to add the URL; don't press Enter, as it will prematurely create the config).
    https://localhost
    https://AccessManagerURL

Replace AccessManagerURL with the address used by your users to connect to Access Manager.

Now in Authorised redirect URIs enter the same addresses with /completeWebAuth.html included in the path:
    https://localhost/completeWebAuth.html
    https://AccessManagerURL/completeWebAuth.html

Now select Create to complete the account creation.

6. Take note of the Client ID and Client Secret that are provided. You will need these later, and this is the only time you will be shown the secret.

Be careful when copying these, as a space tends to be added at the end when you copy; remove it before entering the values into Access Manager.

7. Now you will need to create a Service Account. From the Create Credentials drop down, this time select Service Account Key.

8. In the account creation set Service Account to New Service Account, give it a name, and set the Key Type to JSON. You can leave the Role section as Select a role.

Select Create to continue. On the Service account has no role popup, click Create without role.

The page will prompt you to download the JSON file; save it, then click Close on the popup. The full text of this file will be required later.

9. Select the Manage Service Accounts link above the Service Account keys section.

On the far right of the new page click the three vertical dots menu for the service account. From here select Edit.

Expand the Show Domain-Wide Delegation section, tick the Enable G Suite Domain-wide Delegation option, then click Save.

10. Now select View Client ID for the service account.

Make a note of the Client ID of the service account. Note that this is different from the Client ID we already noted; here it is the Service Account ID, which we will need for the last part of the Google admin configuration.

Click Cancel or Save to get back to the Credentials page.

Note that this same Service Account Client ID is also visible on the Credentials page; note how it differs from the Web application Client ID that we created earlier.

11. You will now have all the details you require for configuring the Google Apps Connector in Access Manager, but there is one last setting in Google that needs to be configured.

Configure Google Security Settings

Go to your Google Apps Admin Console at https://admin.google.com/AdminHome and log in with your Google admin account.

Select the Security option.

In the Security page click API Reference.

Tick the Enable API Access option.

Then scroll down to Advanced Settings, click it, and select Manage API Client Access.

In the Manage API Client Access page we will register a new client access configuration.

For the Client name use the Service Account Client ID that we noted earlier (this was the second Client ID we noted, and is the one containing only numbers rather than a hostname).

For the One or More API Scopes field you can copy and paste the following entries:

https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias

Click Authorize. This completes the steps for the Google Apps configuration; in Access Manager we are now ready to create the Google Apps Directory.

Configuring Google Apps Directory in Access Manager

In Access Manager the Google Apps databases are not automatically detected; when creating the directory, you will need to select the Manually Configure option and then select the Google Apps directory option.

On the Configure Directory page provide a directory name. Each option in the configuration will now require the appropriate entry that was collected earlier:

Admin Email: This is the email address of the user that created the new project in Google.
Customer Domain: The domain of the Google user database that is going to be managed.
Service Account Json: The full text from the JSON key file that was provided for the service account.
OAuth2 Client ID: The Client ID of the OAuth account that was first created.
OAuth2 Secret ID: The Client Secret generated for the OAuth account.

Once all details are configured select Next to continue.
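Before pasting the collected values into the Configure Directory page, it helps to check them offline: the JSON key must really be a service-account key (not an OAuth client file), the two Client IDs are easy to mix up, the copied values often carry a trailing space, and the scope list authorised under Manage API Client Access must contain all five entries from the previous section. The following script is an added example, not part of the original article or of Access Manager itself; it validates those inputs and builds the claim set that the standard Google service-account JWT bearer flow with domain-wide delegation uses (this is where the Admin Email becomes the `sub` claim), without performing the RS256 signing or the token exchange. The key file contents, email addresses and URLs are constructed samples, and the private key is a placeholder string rather than real key material.

```python
import json
import time

# The five Admin SDK scopes the article tells you to authorise for the
# service-account Client ID under Manage API Client Access.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.orgunit",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.alias",
}

# Constructed sample of a downloaded service-account key file.
# The private_key value is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "access-manager@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def clean_credential(value: str) -> str:
    """Strip the stray trailing space the console tends to add when you copy an ID or secret."""
    return value.strip()


def validate_service_account_key(text: str) -> list:
    """Return a list of problems with the pasted JSON key text; an empty list means it looks right."""
    problems = []
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (an OAuth client file was downloaded instead?)")
    for field in ("client_email", "client_id", "private_key", "private_key_id"):
        if not key.get(field):
            problems.append("missing field: " + field)
    client_id = key.get("client_id", "")
    if client_id and not client_id.isdigit():
        problems.append("client_id should be the numeric service-account ID, not the web Client ID")
    pem = key.get("private_key", "")
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


def missing_scopes(scope_csv: str) -> set:
    """Parse the comma-separated scope string and report which required scopes are absent."""
    granted = {s.strip() for s in scope_csv.split(",") if s.strip()}
    return REQUIRED_SCOPES - granted


def expected_redirect_uris(access_manager_url: str) -> list:
    """The two Authorised redirect URIs the OAuth client needs, derived from the Access Manager URL."""
    base = access_manager_url.rstrip("/")
    return ["https://localhost/completeWebAuth.html", base + "/completeWebAuth.html"]


def build_delegation_claims(key_text: str, admin_email: str, scopes, now=None) -> dict:
    """Claim set for the Google service-account JWT bearer flow with domain-wide delegation.

    Assumed standard flow: the service account (iss) asserts it is acting as the
    admin user (sub) for the listed scopes; the token is valid for at most one hour.
    Signing with the private_key and exchanging the JWT at token_uri are not shown.
    """
    key = json.loads(key_text)
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": admin_email,                  # the Admin Email entered in Access Manager
        "scope": " ".join(sorted(scopes)),
        "aud": key.get("token_uri", "https://oauth2.googleapis.com/token"),
        "iat": now,
        "exp": now + 3600,
    }


if __name__ == "__main__":
    print("key problems:", validate_service_account_key(SAMPLE_KEY_JSON))
    print("missing scopes:", missing_scopes(",".join(REQUIRED_SCOPES)))
    print("redirect URIs:", expected_redirect_uris("https://am.example.com/"))
    print(json.dumps(build_delegation_claims(SAMPLE_KEY_JSON, "admin@example.com", REQUIRED_SCOPES), indent=2))
```

Run it against the real key file and scope string before filling in the Access Manager form; a non-empty problem list or a non-empty missing-scope set tells you which step to go back to.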

Access Manager will now attempt a connection to test that everything is okay. If it is, a success message is shown.

Click Close, then Finish to create the connection. A synchronize should then run, after which you can click Close one last time.

Your directory is now configured and ready for use.