Google Apps


Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:

  • Configuring the appropriate server roles for your EmpowerID servers
  • Reviewing the Join and Provision Rules for your environment
  • Reviewing the Join and Provision Filters for your environment

If you have already connected EmpowerID to another external directory, you can skip these prerequisites.

EmpowerID includes a Google Apps connector that can be used to add Google Apps to the EmpowerID Identity Warehouse as a managed account store. This allows EmpowerID to update your Google Apps by creating, editing, and deleting users and groups, as well as providing the basis for setting up seamless SSO access to those accounts from EmpowerID.


Prerequisites

In order to connect EmpowerID to Google Apps, the following prerequisites must be met in Google:

  1. Your organization must have a Google Apps account.
  2. The Google Apps account needs to have a service account with the Super User role that EmpowerID can use as a proxy to manage Google Apps on your behalf. This account should be created specifically for EmpowerID and should not belong to an individual end user.
  3. You must create an EmpowerID project for your Google Apps in the Google Developers Console. You access the console at https://console.developers.google.com/project.
  4. After creating the EmpowerID project, you must enable the Admin SDK for it. Doing so allows EmpowerID to view and manage your Google resources, such as users and groups.
  5. You must have Google create credentials for the EmpowerID service account as a P12 key file and download them to your machine. EmpowerID needs the private key to obtain an access token from Google. Later, when configuring EmpowerID for Google, you will import this certificate into the Personal and Trusted Root Certification Authorities certificate stores on the EmpowerID server, as well as add it to the certificate store within EmpowerID itself.

    Once Google creates the credentials, click the Email address link for the service account.

    This opens the Service Account page where you can view the Client ID, Email address and Certificate fingerprints generated by Google. Be sure to take note of these, as you will need them when configuring EmpowerID to connect to your Google Apps.

  6. You must delegate global authority to the service account you created for EmpowerID, specifying the needed API scopes. (You do this from the Security section of the Google Apps Admin Console.)

    For EmpowerID, this global access is scoped to your Google Apps users and groups and includes the following Google APIs:

For help on setting up your Google Apps account, see Google's help topics on the subject. Some links you may find useful include the following:

Managing projects in the Developers Console:

Using OAuth 2.0 for Server to Server Applications, including delegating global authority to the service account:

Directory API scope:
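The server-to-server exchange behind prerequisites 5 and 6 is worth seeing concretely: the connector signs a JWT with the P12 private key in which `iss` is the service account, `sub` is the Super User account being impersonated under domain-wide delegation, and `scope` is limited to the Directory API. The following is an added illustration, not EmpowerID's or Google's code; the service account and admin addresses are constructed, `placeholder_signer` stands in for an RS256 signature made with the P12 key, and the two Directory API scopes are assumed since the page does not list EmpowerID's exact set.

```python
import base64
import hashlib
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # aud of the assertion and the POST target
MAX_LIFETIME = 3600  # Google rejects assertions that claim more than one hour of validity
# Assumed Directory API scopes for users and groups (the page does not list EmpowerID's exact set).
DIRECTORY_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def placeholder_signer(data: bytes) -> bytes:
    # Stand-in for RS256 over the P12 private key; a real client must produce an RSA signature here.
    return hashlib.sha256(data).digest()


def build_delegated_assertion(sa_email, admin_email, scopes, signer, now=None):
    """Build the JWT a service account presents to Google to act as admin_email."""
    if not admin_email:
        # Without sub the token acts only as the service account, which holds no Google Apps admin rights.
        raise ValueError("sub (the impersonated Super User account) is required for delegated access")
    iat = int(now if now is not None else time.time())
    claims = {
        "iss": sa_email,        # Email address shown on the Service Account page
        "sub": admin_email,     # Super User account EmpowerID acts as via domain-wide delegation
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + MAX_LIFETIME,
    }
    header = {"alg": "RS256", "typ": "JWT"}
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = encode(header) + "." + encode(claims)
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_claims(assertion: str) -> dict:
    """Return the claims segment for inspection (no signature check)."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def token_request_form(assertion: str) -> dict:
    """Form fields POSTed to TOKEN_URI to exchange the assertion for an access token."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": assertion}
```

When reviewing a deployment, decode the assertion the connector sends and confirm that `sub` is the dedicated admin account and `scope` contains only the Directory API scopes, since any broader scope granted in the Admin Console is exercised with Super User authority.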

After ensuring you have met the above prerequisites as well as those specified in the Getting Started with Directory Systems topic, you connect EmpowerID to Google Apps by doing the following:

  1. Importing the Service Account Certificate to the EmpowerID Server Certificate stores.
  2. Adding the Service Account Certificate to the EmpowerID Identity Warehouse
  3. Creating an account store in EmpowerID for Google Apps.
  4. Configuring EmpowerID settings for the account store connection, including whether to provision EmpowerID Persons during inventory or in batches using the Account Inbox permanent workflow (recommended).
  5. Reviewing and configuring the attribute flow rules for the account store.
  6. Turning on inventory.
  7. Enabling the Account Inbox Permanent Workflow when ready, if you are using batch processing to provision Person objects from the inventoried user accounts (the recommended method).
  8. Monitoring Inventory.

To import the Service Account Certificate to the EmpowerID Server Certificate Stores

  1. From MMC on the EmpowerID server, add the Certificates snap-in for the local computer.
  2. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
  3. In the Certificate Import Wizard that appears, click Next.
  4. Click Browse and locate the Service Account certificate Google created for you.
  5. In the Open window that appears, select your certificate and click Open.
  6. Back in the Certificate Import Wizard, click Next.
  7. Enter the password for the private key, mark the certificate as exportable, and then click Next. If you do not make the certificate exportable, an error will occur when adding it to the EmpowerID certificate store.
  8. Click Next again.
  9. Click Finish.
  10. Locate the Service Account certificate in the Personal store and copy it.
  11. Paste the Service Account certificate you just copied from the Personal store into the Trusted Root Certification Authorities certificate store.

To add the Service Account Certificate to EmpowerID

  1. Open the EmpowerID Certificate Manager. In a default installation of EmpowerID, the path to the executable is located at "C:\Program Files\TheDotNetFactory\EmpowerID\Programs\EmpowerID.CertificateManager.exe".
  2. From the Import tab of the EmpowerID Certificate Manager, select the appropriate method for importing the certificate and follow the dialogs for that method. For example, if you are importing a certificate from file, select Upload from Certificate File and then browse for the file.
  3. Enter a password for the certificate and click Ok.
To create an Account Store for Google Apps Connector

  1. Log in to the EmpowerID Management Console as an administrator.
  2. Click the application icon and select Configuration Manager from the menu.
  3. In Configuration Manager, select the Account Stores node and then click the Add New button above the grid.