/wiki/spaces/E2D/pages/29982926 / Installation and Configuration / Connecting to Directory Systems / Current: Connecting to Google Apps |
|
EmpowerID includes a Google Apps connector that can be used for adding Google Apps to the EmpowerID Identity Warehouse as a managed account store. This allows EmpowerID to update your Google Apps, creating, editing, and deleting users and groups, as well as provides the basis for setting up seamless SSO access to those accounts from EmpowerID.
In order to connect EmpowerID to Google Apps, the following prerequisites must be met in Google:
|
For help on setting up your Google Apps account, see Google's help topics on the subject. Some links you may find useful include the following: Managing projects in the Developers Console: Using OAuth 2.0 for Server to Server Applications, including delegating global authority to the service account: Directory API scope: |
After ensuring you have met the above prerequisites as well as those specified in the Getting Started with Directory Systems topic, you connect EmpowerID to Google Apps by doing the following:
C:\Program Files\TheDotNetFactory\EmpowerID\Programs\EmpowerID.CertificateManager.exe".
In the OAuth SA Certificate Thumbprint field, type the certificate fingerprint of the P12 certificate Google that generated to link the EmpowerID service account to the EmpowerID project.
If the values entered in the Add Google Connection window are incorrect, EmpowerID will not be able to authenticate to Google and the connection will fail. |
From the Inventory pane of the Account Store Details screen, do the following:
EmpowerID recommends using the Account Inbox to provision Person objects from user accounts. The below information is included to make you aware of the option to provision during inventory. |
Toggle Allow Automatic Person Provision On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will provision Person objects for all new accounts discovered during inventory in real-time, if they meet the conditions of your Provision rules.
|
The last action to perform on this screen is to enable inventory. However, before doing so, it is important to configure the attribute flow rules for the account store and to enable the Account Inbox if batch processing of those accounts is desired.
|
Open a browser and log in to the EmpowerID Web application.
From the Attribute Flow Rules page, click the Advanced Search drop-down button, enter the name of the account store for which you want to configure the flow rules and then click Search to filter the rules shown in the grid.
The attributes from the EmpowerID Person object are displayed in the left column with the corresponding attributes from the account store displayed in the right column. |
To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.
To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.
EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and Google Apps were being inventoried by EmpowerID. |
Return to the Account Store Details screen in Configuration Manager.
Look over your settings one last time and when satisfied, turn on inventory by toggling the Enable Inventory button from a red sphere to a green check box.
If you are using the Account Inbox to provision or join the user accounts in Google to Empower Persons, you need to turn on the Account Inbox. This is demonstrated in the below section.
|
|