Connecting to Google Apps

EmpowerID includes a Google Apps connector that can be used for adding Google Apps to the EmpowerID Identity Warehouse as a managed account store. This allows EmpowerID to update your Google Apps, creating, editing, and deleting users and groups, as well as provides the basis for setting up seamless SSO access to those accounts from EmpowerID.

Prerequisites: In order to connect EmpowerID to Google Apps, the following prerequisites must be met in Google:
  1. Your organization must have a Google Apps account.
  2. The Google Apps account needs to have a service account with the Super User role that EmpowerID can use as a proxy to manage Google Apps on your behalf. This account should be created specifically for EmpowerID and should not belong to an individual end user.
  3. You must create an EmpowerID project for your Google Apps in the Google Developers Console. You access the console at https://console.developers.google.com/project.
  4. After creating the EmpowerID project, you must enable the Admin SDK for it. Doing so allows EmpowerID to view and manage your Google resources, such as users and groups.
  5. You must have Google create and download to your machine credentials for the EmpowerID service account as a P12 key type file. EmpowerID needs the private key to receive an access token from Google. Later, when configuring EmpowerID for Google, you will import this certificate to the Personal and Trusted Root Certification Authorities Certificate stores on the EmpowerID server, as well as add it to certificate store within EmpowerID itself.
  6. Once Google creates the credentials, click the Email address link for the service account.

    This opens the Service Account page where you can view the Client ID, Email address and Certificate fingerprints generated by Google. Be sure to take note of these as you will need to use them when configuring EmpowerID to connect to your Google Apps.

  7. You must delegate global authority to the service account you created for EmpowerID, specifying the needed API scopes. (You do this from the Security section of the Google Apps Admin Console.)
  8. For EmpowerID, this global access is scoped to your Google Apps users and groups and includes the following Google APIs:

    • https://www.googleapis.com/auth/admin.directory.group - Global scope for access to all group operations, including group aliases and members.
    • https://www.googleapis.com/auth/admin.directory.group.readonly - Scope for retrieving group, group alias, and member information.
    • https://www.googleapis.com/auth/admin.directory.user - Global scope for access to all user and user alias operations.
    • https://www.googleapis.com/auth/admin.directory.user.readonly - Scope for only retrieving users or user aliases.
For help on setting up your Google Apps account, see Google's help topics on the subject. Some links you may find useful include the following:

Managing projects in the Developers Console:

Using OAuth 2.0 for Server to Server Applications, including delegating global authority to the service account:

Directory API scope:

This topic demonstrates how to create a Google Apps connector in EmpowerID and is divided into the following activities:

To import the Service Account Certificate to the EmpowerID Server Certificate Stores

  1. From MMC on the EmpowerID server, add the Certificates snap-in for the local computer.
  2. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
  3. In the Certificate Import Wizard that appears, click Next.
  4. Click Browse and locate the Service Account certificate Google created for you.
  5. In the Open window that appears, select your certificate and click Open.
  6. Back in the Certificate Import Wizard, click Next.
  7. Enter the password for the private key, mark the certificate as exportable, and then click Next. If you do not make the certificate exportable, an error will occur when adding it to the EmpowerID certificate store.
  8. Click Next again.
  9. Click Finish.
  10. Locate the Service Account certificate in the Personal store and copy it.
  11. Paste the Service Account certificate you just copied from the Personal store in to the Trusted Root Certification Authorities certificate store.

To add the Service Account Certificate to EmpowerID

  1. Log in to the EmpowerID Management Console as an administrative user.
  2. From the EmpowerID Management Console, click the EmpowerID icon and select Configuration Manager from the application menu.
  3. In Configuration Manager, expand the EmpowerID Servers and Role node in the application navigation tree and then click the Manage Certificates node.
  4. Click the Add New button located above the Certificates grid and select From Local Store from the context menu.
  5. In the Windows Security dialog that appears, select the Service Account certificate and then click OK.
  6. Click Yes to indicate the certificate requires a password.
  7. Type the password in the Password field and then click OK.

To create the Google Apps Connector in EmpowerID

  1. In Configuration Manager, expand the User Directories node in the navigation tree, and then click Account Stores.
  2. Click the Add New button located above the Account Stores grid.
  3. In the Add New Security Boundary window that opens, select Google Apps from the Security Boundary Type drop-down list and then click OK.
  4. In the Add Google Connection window that appears, do the following:
    1. Type the name of your Google Apps domain name in the Domain field.
    2. Type the username of the service account you created in Google Apps for EmpowerID in the Username field.
    3. Type the password for the EmpowerID service account in the Password and Confirm Password fields.
    4. In the OAuth Service Account (SA) Email field, type the email address Google created when it generated the P12 certificate linking the EmpowerID service account to the EmpowerID project.
    5. In the OAuth SA Certificate Thumbprint field, type the certificate fingerprint of the P12 certificate Google that generated to link the EmpowerID service account to the EmpowerID project.
    If the values entered in the Add Google Connection window are incorrect, EmpowerID will not be able to authenticate to Google and the connection will fail.

  5. Click OK to close the Add Google Connection window.
  6. This creates the Google Apps connection and opens the Account Store Details screen for the Google Apps account store. This screen contains settings for configuring how EmpowerID manages the Google Apps account store.

    Before configuring EmpowerID to manage the account store, you should determine whether or not you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, then you should be able to answer the following questions before turning on inventory.
    1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
    2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
    3. How many user accounts can one Person have in the account store?
    4. If people can have more that one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
    5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?

    For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Connecting EmpowerID to Active Directory.

  7. From the General pane of the Google Apps Account Store Details screen, enable each desired feature by toggling the icon to the right of each feature from a red sphere to a green check box. For example, if you wish to allow password synchronization to occur between EmpowerID and Google, toggle the red sphere to the right of Allow Password Sync to a green check box.
  8. In the Inventory pane of the Account Store Details screen for the Google Apps account store, toggle the icon to the right of the Allow Automatic Person Provision On Inventory setting from a red sphere to a green check box. This instructs EmpowerID to create a linked EmpowerID Person object for each new, unique Google account discovered during the inventory process.
  9. In the Inventory pane of the Account Store Details screen for the Google Apps account store, click the Edit button to the right of Business Role for New Inventory Provision and select an appropriate Business Role for each new Person provisioned during the inventory of your Google Apps domain from the Business Role Selector that appears.
  10. Click OK to close the Business Role Selector.
  11. Back in the Inventory pane of the Account Store Details screen for the Google Apps account store, click the Edit button to the right of Location For New Inventory Provision and select an appropriate Location for each Person EmpowerID provisions during the inventory of your Google Apps domain from the Location Selector that appears.
  12. Click OK to close the Location Selector.
  13. Navigate to the main screen of Configuration Manager and click the Attribute Flow Rules node underneath User Directories.
  14. Select the Google Apps domain from the Account Stores drop-down located above the Attribute Flow Rules editor. You should see all Attribute Flow Rules set to allow no attribute flow. (Indicated by the red sphere.)
  15. From the Attribute Flow Rules editor, toggle each Attribute Flow Rule to achieve the desired rules. When selecting the rules you have the following options for each attribute:

    • No Sync - When this option is selected, no information flows between EmpowerID and Google.
    • Bidirectional Flow - When this option is selected, changes made within EmpowerID update Google and vice-versa.
    • Account Store Changes Only - When this option is selected, changes can only be made to the selected attribute(s) in Google and passed to EmpowerID.
    • EmpowerID Changes Only - When this option is selected, changes can only be made to the selected attribute(s) in EmpowerID and are then passed to Google.

    In our example, we have set the Attribute Flow Rules to bidirectional for all attributes except the Company, Email, and EmployeeID attributes, which we have set to flow from Google to EmpowerID. In this way, the state of those three attributes can only be changed in Google Apps, while all others can be changed in both Google Apps and EmpowerID.

  16. Return to the Account Store Details screen for the Google Apps domain.
  17. From the Inventory pane of the Account Store Details screen for the Google Apps account store, click the red sphere to the left of Enable Inventory so that the red sphere becomes a green check box. This allows EmpowerID to inventory your Google Apps and create the appropriate user accounts and Person objects in EmpowerID.
  18. After several minutes, refresh the Account Store data by pressing the Refresh Data button located a the top of the Account Store Details screen. You should see that EmpowerID has inventoried the accounts and groups (where appropriate) in your Google Apps domain and provisioned the requisite number of EmpowerID Persons for those accounts.