This guide describes how to configure Google Apps for use with Cloud Access Manager provisioning.
Ensure that the following prerequisites are met before configuring Google Apps provisioning in Cloud Access Manager.
You will need:
- Access to the Google Developer Console, which is available to anyone with a Google account.
- A Google Apps domain.
Create a Google service account
To create a Google service account
- Go to the Google Developers Console (https://console.developers.google.com) and log in if required.
- Create a new project named CAM Prov.
- Select Google APIs, and then under Google Apps APIs, click Admin SDK and then Enable.
- Select Go to Credentials, then click service account.
- Click Create Credentials, select Service account key and save your downloaded JSON file. You will need this when you configure Cloud Access Manager.
- In Service accounts, click Edit on your Service account name.
- In Edit service account, select Enable Google Apps Domain-Wide Delegation and then Save.
NOTE: Domain-wide delegation must be enabled for the Service Account before the Client ID is accepted in the Authorized API Clients list within the Google Apps Business site.
- Select your Service Account and then click View Client ID. Copy the Client ID; you will need this to grant access to your Google Apps domain.
Configuring access to the domain
To configure access to the domain
- Go to the Admin console for your Google Apps domain.
- Select Security.
- If Advanced settings is not displayed, click Show more and then click Advanced Settings.
- Under Authentication, click Manage API client access.
- Paste the Client ID from the Service Account into the Client Name textbox.
- In the One or More API Scopes textbox enter https://www.googleapis.com/auth/admin.directory.user and then click Authorize.
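A pre-flight check for the two artifacts this procedure produces, the downloaded JSON key file and the scope list typed into the Admin console. This is an added example, not part of Cloud Access Manager or of Google's tooling. It assumes a POSIX host, the standard field names of a Google service account JSON key, and a comma-separated scope list; the sample key values are constructed.

```python
import json
import os
import stat
import tempfile

# The only scope this guide authorizes for the service account's Client ID.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key")

def check_key_file(path):
    """Return (client_id, problems) for a downloaded service account JSON key."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # POSIX permission bits only
        problems.append("key file mode %o allows group/other access" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:
        key = None
    if not isinstance(key, dict):
        return None, problems + ["file is not a JSON object"]
    problems += ["missing field: " + f for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        problems.append("type is %r, not 'service_account'" % key["type"])
    return key.get("client_id"), problems

def check_scopes(entered):
    """Compare the comma-separated scopes entered in the Admin console with the guide's."""
    scopes = {s.strip() for s in entered.split(",") if s.strip()}
    return {"missing": sorted({REQUIRED_SCOPE} - scopes),
            "extra": sorted(scopes - {REQUIRED_SCOPE})}

def demo():
    """Run both checks on a constructed key file (not a real credential)."""
    sample = {"type": "service_account", "client_id": "100000000000000000001",
              "client_email": "cam-prov@example.invalid",
              "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY"}
    with tempfile.NamedTemporaryFile("w", suffix=".json") as fh:
        json.dump(sample, fh)
        fh.flush()
        os.chmod(fh.name, 0o644)   # deliberately too permissive
        loose = check_key_file(fh.name)
        os.chmod(fh.name, 0o600)   # owner read/write only
        tight = check_key_file(fh.name)
    extra = "https://www.googleapis.com/auth/admin.directory.group"
    return loose, tight, check_scopes(REQUIRED_SCOPE + ", " + extra)

if __name__ == "__main__":
    print(demo())
```

The returned `client_id` is the value to paste into the Client Name textbox; any entry under `extra` is a scope granted beyond what this guide requires.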