Google Apps Connector

Transcription

1 Google Apps Connector Version 3.1 User Guide

2 Copyright 1 Copyright 2017 Ping Identity Corporation. All rights reserved. PingFederate Google Apps Connector User Guide Version 3.1 December, 2017 Ping Identity Corporation th Street, Suite 100 Denver, CO U.S.A. Trademark Ping Identity, the Ping Identity logo, PingAccess, PingFederate, PingID, and PingOne are registered trademarks of Ping Identity Corporation ( Ping Identity ). All other trademarks or registered trademarks are the property of their respective owners. Disclaimer The information provided in this document is provided as is without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Document lifetime Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to the online documentation at docs.pingidentity.com for the most current information. From the web site, you may also download and refresh this PDF if it has been updated, as indicated by a change on this date: December 18, 2017.

3 Contents 2 Contents PingFederate Google Apps Connector Guide System requirements...3 Supported features... 3 Installation and configuration...3 Get required information... 3 Obtain an application name,client ID and secret... 4 Generate authorized OAuth 2.0 tokens... 5 Synchronize existing users to groups...6 Upgrade existing Google apps connectors...7 Install the Google Apps connector...8 Configure server settings...8 Configure a connection...8 Complete setup of SAML SSO to Google Apps...11 Provisioning groups to Google Apps...12 Create groups Update groups Delete groups Map users to groups Attribute index The Password Manager IdP Adapter Setup...17 SP Adapter Setup...17 IdP - SP Adapter Mapping...17 Deploying the Application...18 Configure and Deploy the Password Manager Access the Password Manager Release notes...20 Change list by version...20 Qualification statement ZIP manifest...21

4 PingFederate Google Apps Connector Guide PingFederate Google Apps Connector Guide 3.1 The Google Apps Connector extends PingFederate capabilities, enabling enterprises to provision its users to Google Apps. This connector includes a quick-connection template to easily set up a Single Sign-On (SSO) connection and provisioning to Google Apps. The Google Apps Connector makes use of Google s Admin SDK. The Google Apps Connector also includes a separate Password Manager application that can be used in cases where SSO users might need to reset Google Apps passwords (see The Password Manager on page 17). This document assumes you have read the Introduction section of the SaaS Quick Connection Guide. System requirements on page 3 Supported features on page 3 Installation and configuration on page 3 Attribute index on page 14 System requirements TThe Google Apps Connector requires installation of PingFederate 7.3 or higher. The Google Apps Connector may require the following endpoints to be whitelisted on the firewall to allow outbound connections: Supported features Outbound User Provisioning Outbound Group Provisioning Ability to Add Users to Groups Browser-based SP-initiated SSO Installation and configuration The following sections explain how to obtain the necessary information required for installing and configuring this SaaS Connector. Please follow these sections completely and in order. Note: If you are upgrading from a previous version please refer to: Upgrade the Google Apps Connector. Get required information on page 3 Upgrade the Google Apps Connector Install the Google Apps Connector Configure server settings on page 8 Configure a connection on page 8 Complete setup of SAML SSO to Google Apps on page 11 Get required information Before you can configure this Connector, you will need to complete the following steps.

5 PingFederate Google Apps Connector Guide Tip: Some of the following steps result in information to be used at a later time in this User Guide. It is recommended that you copy this information to a secure location to reference in later steps. Obtain an application name,client ID and secret on page 4 Generate authorized OAuth 2.0 tokens on page 5 Obtain an application name,client ID and secret The Google Apps Connectors Outbound Provisioning functionality is built using Google s Admin SDK, which requires an OAuth 2.0 access token for authentication. To obtain the access token, you will need to first obtain your Application Name, Client ID and Secret from Google Apps. Important: The Google Apps Connector uses APIs provided by Google, which are subject to Google s Terms of Service described in their online documentation for the Admin SDK here ( developers.google.com/admin-sdk/terms). Note: API Access will need to be enabled on the Google domain in order to use the Google Apps Connector for Outbound Provisioning. For information on how to enable API Access for a Google domain, see Google s online documentation here. 1. Access the Google Developers Console ( with a Super Administrator Google account. For information on the Google Developers Console, see Google s online documentation here. Note: To use the Developers Console, the Google App Engine Admin Console service will need to be enabled on your Google domain. For more information on enabling services for a Google domain, see Google s online documentation here. 2. Create a new project (if you don t already have one). For information on creating projects in the Google Developers Console, see Google s online documentation here. 3. Set the APIs for your project: Ensure the Admin SDK is turned ON for your project. For information on activating APIs in the Google Developers Console, see Google s online documentation here. 4. Configure the Consent Screen for your project. Tip: The Consent Screen is the screen admins will see when obtaining their Access and Refresh tokens in another step. 1. Set the Product Name and make note of this value as it is required for the APPLICATION_NAME. 2. Set the other fields as required by your organization. 5. Generate Credentials for your project by doing the following: 1. Create a new OAuth 2.0 Client ID for a Web Application type application. 2. Set the Authorized Redirect URI field to:

6 PingFederate Google Apps Connector Guide Finish by saving or creating the Client ID. 7. Make note of the Client ID and Client Secret that you just created. Generate authorized OAuth 2.0 tokens 1. Visit Ping Identity s OAuth Configuration Service (OCS) here. ( oasrequestform) 2. Select the Google Apps Connector from the drop down menu. 3. Enter the Client ID and Client Secret that you generated in the Obtain an application name,client ID and secret on page 4 section of this guide.

7 PingFederate Google Apps Connector Guide Click Connect to proceed. This generates an OAuth 2.0 authorization token and redirects you to Google for authorization. 5. Log on to Google with a Super Administrator account. Note: If you are already signed in to Google Apps, you will not be asked to log in again. Please be sure that the account you are signed in under is an administrative account. 6. On successful login, you are redirected to Google s OAuth authorization screen, where you ll be asked to grant access to the scopes that the Google Apps Connector uses to make requests to the Google Admin SDK. 7. Once you grant access on the OAuth authorization screen, you will be redirected to the OCS and presented with an authorized Access Token and Refresh Token to use when configuring the Google Apps Connector. Warning: Only one Refresh Token will be generated per Client ID; so it is important to make note of the Refresh Token presented by the OCS in the final step. Warning: If another Refresh Token is required, you will need to obtain a new Client ID and Secret and to use with the OCS again. 8. Copy the Access Token and Refresh Token to use when configuring the Google Apps Connector. Synchronize existing users to groups If your Google Apps account already has Users or Groups you wish to provision with the Google Apps connector, this is possible by following these steps below. To provision existing User accounts on Google Apps: Ensure that the value mapped to the attribute, (when configuring the connector) matches the existing Google Apps Users exactly as it appears in Google Apps.

8 PingFederate Google Apps Connector Guide For example, if on the Attribute Mapping screen, the User attribute is mapped to the User mail attribute in your LDAP, this will synchronize a User that already exists on Google Apps with an of jsmith@domain.com to the User in your LDAP who has a mail attribute value of jsmith@domain.com. When the Google Apps connector provisions for the first time, this address will be used to synchronize the User in your LDAP data store with the User in Google Apps. To provision existing Groups on Google Apps: LDAP Groups will be synched with existing Groups on Google Apps that have the same name and address. For example, if a group in LDAP is named Accounting and is targeted for provisioning, if a group named Accounting already exists in Google Apps, the two will be synchronized. Any users that are members of the Accounting group in LDAP that have been provisioned by the connector will become members of the Accounting group in Google Apps. Likewise, any users that are members of the Accounting group in Google Apps but are not members of the Accounting group in LDAP will be removed from that group in Google Apps. Upgrade existing Google apps connectors 1. Before stopping the PingFederate server to upgrade the Google Apps Connector, access the Attribute Mapping screen for existing channel configurations and note the current configuration. Warning: The upgrade process may remove existing mappings and defaults on the Attribute Mapping screen. These may need to be reconfigured again before activating the channel configuration. 2. Disable the existing SP Connection where the Google Apps Connector is configured. 3. Delete the existing Google Apps Connector SP Connection and save. 4. Stop the PingFederate server if it is running. 5. Unzip the Google Apps Connector distribution ZIP file into a holding directory. 6. Remove any versions of pf-google-quickconnection-x.x.jar from this directory: <pf_install>/pingfederate/server/default/deploy 7. Also remove the following files from the same directory if they are present: prov-google-x.x.x.jar prov-cpl-x.x.x.jar pf-google-oauth-helper.war as well as these Google Admin SDK libraries: google-api-client-x.x.x-rc.jar google-api-services-admin-directory-directory_v1-rev-x.x.x-rc.jar google-http-client-x.x.x-rc.jar google-http-client-jackson2-x.x.x-rc.jar google-oauth-client-x.x.x-rc.jar google-oauth-client-jetty-x.x.x-rc.jar jackson-core-x.x.x.jar 8. From the dist directory of the new version of the connector, copy this file: pf-google-quickconnection-3.1.jar into this directory: <pf_install>/pingfederate/server/default/deploy 9. Start the PingFederate server. 10. Create a new SP Connection, using Google Apps as the Connection Template. 11. Follow the instructions in Configure a Connection to configure Metadata, and OAuth

9 PingFederate Google Apps Connector Guide Access the Attribute Mapping for existing channel configurations and click Refresh Fields. 13. Ensure all new required fields (if any), are mapped appropriately or have a default value. 14. Once completed with the attribute configuration, click Done, Done, and Save. 15. Activate the SP Connection to resume Outbound Provisioning. Install the Google Apps connector To install the Google Apps Connector, please follow the instructions in the Install the Connector section of the SaaS Connector User Guide. Note: Do not delete any versions of the Common Provisioning Layer (prov-cpl-x.x.x.jar) from the deploy folder that are required for other SaaS Connectors. Configure server settings To configure Server Settings in preparation of configuring the Google Apps Connector, please follow the instructions in the Configure Server Settings section of the SaaS Quick Connection Guide) Configure a connection Important: This section directs you to the SaaS Connector User Guide for most of the steps to configure this Connector but contains additional steps that need to be followed to successfully configure this Connector. Ensure you follow the additional steps below as directed. 1. Follow the instructions under the Obtain an application name,client ID and secret on page 4 section of this guide to obtain values used later in this section. 2. Follow the instructions under the Generate authorized OAuth 2.0 tokens on page 5 section of this guide to obtain the Access Token and Refresh Token you will use later in this section. 3. To Configure a Connection using the Google Apps Connector, please follow the instructions in the Configure a Connection section of the SaaS Quick Connection Guide, making the adjustments listed below. Additional Steps On the Connection Template screen, select Google Apps Connector as the Connection Template to use for this SP Connection. Enter the Google Domain used by your organization for SSO access to Google Apps. Note: Enter only the domain (example: pingidentity.com). PingFederate uses this to configure and qualify all the necessary endpoints and other settings in the connection configuration. The name must be registered with Google Apps as a partner domain. If your Google Apps administrative implementation supports more than one domain, select the USE A DOMAIN SPECIFIC ISSUER checkbox under the Google Domain. Checking this box allows you to configure additional SP connections for other domains at your site registered with Google Apps. Important: Ensure that the correspondinguse A DOMAIN SPECIFIC ISSUER checkbox in your Google Apps SSO administrative setup is also checked. Do not select this option if the Google Domain entered is the only applicable domain.

10 PingFederate Google Apps Connector Guide On the General Info screen, if you are using the domain-specific issuer feature and this is the second (or greater) connection to Google Apps, change the Connection Name. (SSO Configuration) On the SAML Profiles screen, ensure that the SP-Initiated SSO profile is selected and click Next.

11 PingFederate Google Apps Connector Guide (SSO Configuration) On the Allowable SAML Bindings screen, ensure that the Redirect profile is selected (deselect Artifact, Post and SOAP) and click Next. (SSO Configuration) On the Signature Policy screen, ensure that the Always sign the SAML Assertion is selected and click Next. On the Target screen when configuring provisioning, fill in the following fields: Table 1: Field name Application Name Domain Client Id Client Secret OAuth Access Token Value The Application Name for the application created in Google Apps. For more information on obtaining an application name, client Id and secret, see Obtain an application name,client ID and secret on page 4 The Domain for the Google Apps account. The Client Id for the application created in Google Apps. For more information on obtaining an application name, client Id and secret, see Obtain an application name,client ID and secret on page 4 The Client Secret generated during application creation for Google Apps. The OAuth Access Token generated by the OAuth Configuration Service. For more information on obtaining authorized OAuth tokens, see the Generate authorized OAuth 2.0 tokens on page 5

12 PingFederate Google Apps Connector Guide Field name OAuth Refresh Token Remove User Action User Create Enabled User Update Enabled Value The OAuth Refresh Token generated by the OAuth Configuration Service. Suspend (default) - When selected, if you delete a user from Active Directory, the user will be suspended in Google Apps (also known as a Soft-Delete). Delete - When selected, if you delete a user from Active Directory, the user will be deleted in Google Apps (also known as a Hard-Delete). True (default) Enables the ability to create users in Google Apps via PingFederate. False - When disabled, the ability to create users in Google Apps will be disabled. True (default) Enables the ability to update users in Google Apps via PingFederate. False - When disabled, the ability to update users in Google Apps will be disabled. Complete setup of SAML SSO to Google Apps In order to setup your Google Apps account for SSO you will need to do the following. Note: This section requires the exported certificate used to sign the SAML assertion (configured in step 15 of Configure a Connection in the SaaS Quick Connection Guide). 1. Navigate to and sign in with your Administrator credentials.

13 PingFederate Google Apps Connector Guide Navigate to Security to view the Set up single sign-on (SSO) section. 3. Select Setup SSO with third party identity provider. 4. Enter the PingFederate SSO SAML endpoint into the Sign-in page URL field (optional) Enter the PingFederate SLO SAML endpoint into the Sign-out page URL field (optional) Enter the Password Manager URL into the Change password URL field. http[s]://<pf_host>:<port>/pf/adapter2adapter.ping? TargetResource=http[s]://<g_apps_pm_host>:<port>/gappspassword-manager/ResetPassword 7. Upload the signing certificate exported from PingFederate into the Verification certificate field. 8. Select Use a domain specific issuer if applicable. 9. Click Save to complete Google Apps SSO Setup. Note: More information on Google Apps SSO Setup can be found here. Provisioning groups to Google Apps The Connector enables an organization to provision and manage groups in Google Apps. Tip: For instructions on synching the connector with existing Google Apps groups, please refer to Synchronize existing users to groups on page 6. Create groups on page 13 Update groups on page 13 Delete groups on page 13

14 PingFederate Google Apps Connector Guide Create groups To create a group in Google, an address must be specified for the group. The Google Apps Connector uses the name of the group to be provisioned in LDAP and the domain provided in the target screen to generate an for that group on Google. To generate the group , the Google Apps Connector uses the group name such as: Example Group The Connector removes any illegal characters from the group name, appends the Google Domain value (entered in step 25 of the Configuring an SP Connection section) and lowercases the final result to make a valid address such as: examplegroup@domain.com mailto:examplegroup@domain.com Update groups Note: Valid characters include alpha-numeric values, periods (.), apostrophes ( ), dashes (-) and underscores (_) The Google Apps Connector supports the ability to update the group and the group name attributes. Renaming the group from LDAP will update both the group and the group name in Google on the next provisioning cycle. Delete groups Note: When a group is updated, Google will create an alias for the old . The Google Apps Connector supports the ability to delete groups from Google. Deleting a group from LDAP will delete the group in Google on the next provisioning cycle. Note: Group deletes are hard deletes. The group delete does not set the group to be disabled/inactive, the group will be removed from google. Warning: If you are upgrading from a previous version of the Google Apps Connector, please be aware that previous versions of the connector did not provision groups to Google, they only allowed users to be mapped to groups that already existed on your Google domain. The connector will attempt to create a new group for each group it targets. If a group already exists in Google with the same group then the group will be updated otherwise a new group will be created. Security settings will need to be configured for all new groups. Map users to groups The connector supports the ability to manage user s group memberships in Google Apps. A user can be a member of one or more groups. Adding a User to a Group Making a provisioned User a member of a provisioned Group in LDAP will also add that User to that Group in Google Apps. There are two ways to add a user to a group in LDAP: Invoke the user Properties from Active Directory Users and Computers and enter the group name in the Member Of tab. Invoke the group Properties from Active Directory Users and Computers and enter the user name in the Members tab. The user(s) will be added to the group(s) on the next provisioning cycle. Removing a User from a Group

15 PingFederate Google Apps Connector Guide Removing a provisioned User from a provisioned Group in LDAP will remove that User from that Group in Google Apps. Attribute index The following table consists of the list of User attributes that can be mapped from the Attribute Mapping screen when configuring Outbound Provisioning channels. Note: All values are validated by Google and must meet their requirements that they have documented online here. Attribute primary familyname givenname password aliases includeinglobaladdresslist passwordhashfunction orgunitpath Description The user s primary address. This field is required and unique; it cannot be an alias of another user or group. The user s last name. This field is required. The user s first name. This field is required. The user s initial password. If this field is not specified a random plain-text password will be used by default. For this default plain-text password to be used,the passwordhashfunction must be blank. Ensure password value is MD5 hashed if passwordhashfunction is set to MD5. Note: A users password can only be set when provisioning the user for the first time and cannot be managed on subsequent updates. Note: To force a user to update their password, set their changepasswordatnextlogin attribute to true and they will be required to change their password when they log in next. List of user s alias addresses. Note: The maximum number of aliases a user may have is 30. Indicates if the user s profile is visible in the Google Apps global address list when the contact sharing feature is enabled for the domain. Valid values include: true and false Stores the hash format of the password property. It s only needed if the password field is specified. The supported values for this field are: MD5 or nothing (blank). Note: Google recommends sending the password property value as a base 16 bit encoded hash value. The full path of the parent organizational unit associated with the user. To add a user to the root OU, the orgunitpath should be set to a forward slash (/). An example value for placing a user under an organization unit one level below the root, which is the domain and indicated with the forward slash (/), the value would be as follows: /example

16 PingFederate Google Apps Connector Guide Attribute changepasswordatnextlogin ipwhitelisted isadmin orgname orgdept orgsymbol orgcostcenter orgdescription orgdomain orgtitle orglocation addressstreet addresspostalcode addressextended addresscountrycode addresslocality addressregion addresscountry addresspobox workphone Description An example value for placing a user under an organizational unit two levels below the root: /first_level/second_level Indicates if the user is forced to change their password at next login. Valid options include: true and false Indicates if the user s IP address is whitelisted. Valid values include: true and false Indicates a user with super administrative privileges. Valid values include: true and false Note: This field can only be set if a Super Admin account was used when generating the OAuth Access and Refresh Tokens used during the Connection configuration. The name of an organization. Note: Versions and later of the Google Apps Connector supports a single organization on the user. Specifies the users department within the organization, such as sales or engineering. The text string value of the organization. For example, the text symbol for Google is GOOG. The cost center of the user s organization. The description of the organization. The domain the organization belongs to. The user s title within the organization, for example member or engineer. The physical location of the organization. The user s street address, such as 1600 Amphitheatre Parkway. Note: Versions and later of the Google Apps Connector supports a single address on the user. The ZIP or postal code of the address. The extended portion of an address, such as an address that includes a sub-region. The country code of the address. Uses the ISO standard ( The town or city of the address. The abbreviated province or state of the address. The country of the address. The post office box of the address. A human-readable phone number. It may be in any telephone format.

17 PingFederate Google Apps Connector Guide Attribute workpager workfax workmobile primaryphone Description Note: When a value is mapped to this field, a phone is created for the user of type work. A human-readable phone number. It may be in any telephone format. Note: When a value is mapped to this field, a phone is created for the user of type work_pager. A human-readable phone number. It may be in any telephone format. Note: When a value is mapped to this field, a phone is created for the user of type work_fax. A human-readable phone number. It may be in any telephone format. Note: When a value is mapped to this field, a phone is created for the user of type work_mobile. Indicates which phone is the user s primary phone. Only one phone may be marked as the primary phone. Valid values include: work, work_pager, work_mobile and work_fax. When set, the corresponding phone (workphone, workpager, workmobile or workfax) will have its primary field set to true.

18 The Password Manager 17 The Password Manager This Google Apps Connector package includes a separate application, the Google Apps Password Manager that may be configured with PingFederate to allow end users to reset Google passwords. Because users who access Google Apps via SSO do not need Google credentials, they may forget (or never receive) individual passwords. The optional Password Manager is provided for situations in which enterprise users may need to obtain reset passwords to access Google Apps directly or via third-party applications (for example, access to Gmail from a third-party client). The Password Manager is not dependent on the PingFederate SSO connection to Google Apps; it is deployed a standalone application either within PingFederate or in a separate Web container. To use the Password Manager, PingFederate must be configured to act as both an IdP and an SP (see Configuring Server Settings). Then define an instance of the PingFederate OpenToken SP Adapter (if one does not exist), which is used to identify the user via an encrypted security token, based on the user s ID attribute mapped directly to the SP adapter from the IdP authentication adapter. The appendix below provides instructions for installing, configuring, and using the Password Manager. IdP Adapter Setup on page 17 SP Adapter Setup on page 17 IdP - SP Adapter Mapping on page 17 Deploying the Application on page 18 IdP Adapter Setup The IdP adapter instance can be the same one already used for Google Apps SSO, or you may use an instance of any IdP adapter (see Configuring IdP Adapters in the PingFederate Administrator s Manual). No special configuration is required for any IdP adapter to authenticate users for the Password Manager. SP Adapter Setup The Password Manager relies on a PingFederate security token, opentoken, to identify users and ensure that they are authenticated before resetting their Google passwords. To enable token creation, you must create an instance of the SP OpenToken Adapter and export a configuration file, which the Password Manager uses to retrieve and decrypt the token. Refer to Configuring the SP OpenToken Adapter in the PingFederate Administrator s Manual for setup instructions. Note: In the Adapter Instance setup, no Extended Contract is required, and no changes are needed to the default Instance Configuration Advanced Fields but be sure to click download on the Actions screen and Export the properties file to use later (see Deploying the Application on page 18). Tip: On the Instance Configuration screen, under Show Advanced Fields, you may change the default Transport Mode of the opentoken from Query Parameter to Cookie (but not to POST). IdP - SP Adapter Mapping PingFederate provides an IdP-to-SP Adapter Mapping option on the Main Menu for special IdP use cases requiring PingFederate to act also as an SP on behalf of the actual SP partner. This mapping allows authentication credentials to be directly mapped to create an SP authenticated session or security context. In these cases, the special mapping eliminates the need to create complete SP and IdP connections in a loopback configuration for sending SAML messages back and forth to the same PingFederate server.

19 The Password Manager 18 This section provides specific instructions for configuring this mapping to enable the Google Apps Password Manager. (For more information, see IdP-to-SP Adapter Mapping in the PingFederate Administrator s Manual.) 1. Ensure that PingFederate is configured to act as both an IdP and an SP, with applicable adapter instances defined on both sides (see the previous sections). 2. On the PingFederate Main Menu under System Settings, click IdP-to-SP Adapter Mapping. 3. On the Manage Mappings screen, select the Source and Target Instance for the IdP and SP Adapter Instances, respectively. Important: The Target Instance must be for the OpenToken Adapter (see SP Adapter Setup on page 17). 4. Click Add Mapping. 5. On the Data Store screen, click Next. Data-store lookup is not required for this application. 6. On the Adapter Contract Fulfillment screen, for subject, choose Adapter from the Source drop-down list and map the attribute to the subject ID coming from the IdP Adapter. 7. Click Done and then Save on the Manage Mappings screen. Deploying the Application The Password Manager is located in the Google Apps Connector distribution package in the form of an extracted Web archive (WAR). The WAR directory can be installed and deployed either within PingFederate or inside a separate Web servlet container. After the WAR is installed, one configuration file must be modified. An additional SP-adapter configuration file must be added before the application can be deployed (see Configure a connection on page 8). Configure and Deploy the Password Manager on page 18 Access the Password Manager on page 19 Configure and Deploy the Password Manager 1. Copy gapps-password-manager.war from the dist/gapps-password-manager directory to either: <pf_install>/pingfederate/server/default/deploy/ Or: The application-deployment directory in a different Web-servlet container of your choice. 2. In the directory gapps-password-manager.war/web-inf/classes, edit the file gapps-passwordmanager-config.props, to provide valid client id, client secret, and oauth tokens for Google Apps. Follow the instructions in Obtain an application name,client ID and secret on page 4 section of this guide to obtain the client id and secret. Refer to Generate authorized OAuth 2.0 tokens on page 5 for instructions on obtaining the token values. Tip: You can use the obfuscate.bat sh utility to mask the client secret, access token and refresh token value in the configuration file (recommended). The utility is located in the <pf-install>/ pingfederate/bindirectory. Make sure to run the obfuscate utility with -l flag. Example: obfuscate. [bat sh] -l <Value to be obfuscated> As an option in this file, you may also change the default specifications (usable characters and length) for the randomly generated reset passwords that users will receive from the Password Manager. 3. Copy the agent-config.txt file, which was exported during the SP adapter, configuration, into the same directory (see SP Adapter Setup):../gapps-password-manager.war/WEB-INF/classes/ 4. Start or restart PingFederate, or the servlet container in which the Manager is installed.

20 The Password Manager 19 Access the Password Manager After configuring PingFederate and deploying the application, users can access the Google Apps Password Manager via the URL below, in most cases (for additional parameters that may be needed, see System-Services Endpoints in the PingFederate Administrator s Manual). Note: If you have configured more than one IdP-to-SP adapter mapping, you will need to specify the SPadapter instance ID as the value for the query parameter SpSessionAuthnAdapterId. http[s]://<pf_host>:<port>/pf/adapter2adapter.ping?targetresource=http[s]:// <g_apps_pm_host>:<port>/gapps-password-manager/resetpassword where: <pf_host>:<port> is the PingFederate host server name or IP address and port number. <g_apps_pm_host>:<port> is the host server name or IP address and port number where the Password Manager is deployed (may be the same as for PingFederate).

21 Release notes 20 Release notes Product: PingFederate Google Apps Connector 3.1 The PingFederate Connector for Google Apps enables an enterprise to provision its users to Google Apps. This Google Apps Connector includes a quick connection template to easily set up a Single Sign-On (SSO) connection and Google Apps provisioning. For information on features and setup, please refer to the product documentation. If you have problems with deployment, installation, or configuration, please visit the Ping Identity Support Center (ping.force.com/support). Change list by version on page 20 Qualification Statement ZIP manifest on page 21 Change list by version Google Apps Connector 3.1 September 2016 (Current Release) Added configuration options for CRUD capabilities Improved exception handling and reporting Added support for Google Admin SDK v Google Apps Connector April 2015 Fixed bug for orgunitpath Google Apps Connector April 2015 Updated Google Apps Password Manager to use latest API Removed Oauth Helper App in favor of using the Oauth Configuration Service (OCS) Bug Fixes Google Apps Connector October 2014 Improved error handling when the SP Connection contains invalid target credentials Google Apps Connector 3.0 August 2014 Updated Connector to use Google Admin SDK Added support for new User fields Added support for Groups provisioning Qualification statement This section documents the testing performed on the PingFederate Google Apps Connector v3.1 with PingFederate version(s) listed below as of September Version Tested pf-google-quickconnection-3.1.jar Operating Systems Tested Windows Server 2012 R2 64-bit Red Hat Enterprise Linux bit

22 Release notes 21 JDK Versions Tested JDK Update bit Browsers Tested Chrome Firefox Internet Explorer PingFederate Versions Tested PingFederate 7.3 PingFederate 8.2 Google Apps Configuration Tested User Store: LDAP (Active Directory) Windows Server 2012 R2 Windows Server 2008 Data Store (Internal Provisioning Database) Hypersonic MySQL 5.6 Oracle 11g PingFederate Common Provisioning Layer Version prov-cpl Prerequisites/Assumptions The Java SE Development Kit (JDK) should comprise the correct Java version for your PingFederate installation. Known Issues Due to a limitation with PingFederate 8.1 and earlier versions, when configuring two SP connections with the same provisioner, the second connection built may be pre-populated with the channel from the first connection. To avoid conflicts, delete this pre-populated channel and create a unique channel for each connection. User attributes cannot be cleared once set. After deleting an LDAP user account, the provisioner does not remove the user in the next provisioning cycle when Group DN is specified, until a new user is added to the targeted group. This limitation is compounded if the provisioner has the User Create functionality disabled. See the following knowledge base article for solutions. Google does not properly handle creating users with an invalid addresscountry ddcode value. The Connector sends the value of work for the Organization type but Google does not retain this value and as a result the Organization type has no value. Google treats certain user attributes as complex data sets: Address (address* attributes), organization (org* attributes), and phone (work* attributes). Any unmapped or empty fields within a complex data set will be cleared in the corresponding Google account. ZIP manifest The distribution ZIP file for the Google Apps Connector contains the following: ReadMeFirst.pdf contains links to this online documentation. /legal: Legal.pdf copyright and license information. /dist contains libraries needed for the Connector: pf-google-quickconnection-3.1.jar PingFederate Google Apps Connector gapps-password-manager.war The Google Password Manager Application