Google IdP Adapter settings reference

Field descriptions for the Google IdP Adapter configuration screen.

Standard fields
Field Description

Attribute Retrieval

Determines the user attributes that the Google IdP Adapter gets from Google. Your selection determines the set of attributes that you can add on the Extended Contract tab.

For the list of attributes associated with each option, see Available user attributes reference.

Email

Returns the user’s email address and identifier.

Basic Profile

Returns the user’s full basic profile using the Google userinfo endpoint.

Extended Profile

Returns the user’s full profile using the Directory API from the G Suite Admin SDK. For details, see Method: users.get in the Google documentation.

The Extended Profile is only available when the refresh token is authorized for the user’s G Suite organization.

The externalIds attribute is returned as structured JSON attributes. Make sure the service provider application can parse attributes in that format.

The default selection is Email.

Client ID

The App ID that you noted in Registering PingFederate in Google.

This field is blank by default.

Client Secret

The App Secret that you noted in Registering PingFederate in Google.

This field is blank by default.

Refresh Token

The refresh token that you noted in Get a refresh token.

This field is blank by default.

Error Redirect URL

When an error occurs in the adapter, PingFederate redirects the browser to this URL instead of the default error page.

This field is blank by default.

Unauthorized redirect URL

When the user does not authorize Google to share their user information, PingFederate redirects the browser to this URL instead of the default error page.

This field is blank by default.

Callback Endpoint

The end of the callback endpoint that you authorized in Registering PingFederate in Google.

The default value is /google-authn.
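
The Extended Profile option under Attribute Retrieval returns externalIds as structured JSON. The following is an added example, not PingFederate or Google code, of how a service provider application might parse that attribute strictly. It assumes the value arrives as a JSON string holding an array of objects with value, type and customType keys, as in the Directory API users resource; the function name, size limits and sample value are constructed.

```python
import json

MAX_ATTR_BYTES = 8192   # assumed upper bound for one attribute value
MAX_ENTRIES = 32        # assumed upper bound on entries per user


def parse_external_ids(raw):
    """Return {label: [values]} from an externalIds attribute value.

    Raises ValueError on anything that is not a JSON array of objects with
    string fields, so a malformed attribute is rejected rather than guessed at.
    """
    if not isinstance(raw, str) or len(raw.encode("utf-8")) > MAX_ATTR_BYTES:
        raise ValueError("externalIds missing or too large")
    try:
        entries = json.loads(raw)
    except (json.JSONDecodeError, RecursionError) as exc:
        raise ValueError("externalIds is not valid JSON") from exc
    if not isinstance(entries, list) or len(entries) > MAX_ENTRIES:
        raise ValueError("externalIds must be a bounded JSON array")

    result = {}
    for entry in entries:
        if not isinstance(entry, dict):
            raise ValueError("externalIds entry is not an object")
        value, kind = entry.get("value"), entry.get("type")
        if not isinstance(value, str) or not isinstance(kind, str):
            raise ValueError("externalIds entry lacks string value/type")
        # For type "custom" the label is carried in customType.
        if kind == "custom":
            custom = entry.get("customType")
            if not isinstance(custom, str) or not custom:
                raise ValueError("custom externalIds entry lacks customType")
            kind = "custom:" + custom
        result.setdefault(kind, []).append(value)
    return result


# Constructed sample value, not taken from a real directory.
SAMPLE = ('[{"value": "E-10442", "type": "organization"},'
          ' {"value": "badge-77", "type": "custom", "customType": "badge"}]')
```
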

Advanced fields
Field Description

PingFederate Base URL

Overrides the PingFederate base URL, such as https://pf_host:pf_port/.

This field is blank by default.

Authentication URL

The Google endpoint used for authentication.

If Google changes this endpoint, enter the new URL.

If you want the adapter to expose the openid_id parameter, enter https://accounts.google.com/o/oauth2/auth?openid.realm=https://pf_host:pf_port.

The default value is https://accounts.google.com/o/oauth2/auth.

Access Token URL

The Google endpoint used to retrieve an OAuth access token.

If Google changes this endpoint, enter the new URL.

The default value is https://accounts.google.com/o/oauth2/token.

Logout URL

The Google logout URL. The adapter redirects users to this address to sign them out.

If Google changes this endpoint, enter the new URL.

The default value is https://accounts.google.com/Logout?hl=en.

User Info URL

The Google URL used to retrieve user data.

If Google changes this endpoint, enter the new URL.

The default value is https://openidconnect.googleapis.com/v1/userinfo.

Extended Profile Data URL

The Google URL used to retrieve user data from the Directory API for G Suite organizations.

If Google changes this endpoint, enter the new URL.

The default value is https://www.googleapis.com/admin/directory/v1/users.

Group Request

Determines whether the adapter retrieves user group information from the Google API.

This check box is cleared by default.

Extended Profile Group URL

The Google URL used to retrieve group data from the Directory API for G Suite organizations.

If Google changes this endpoint, enter the new URL.

The default value is https://www.googleapis.com/admin/directory/v1/groups?userKey=.

Certificate URL

The Google URL used to retrieve the latest certificate that Google uses to sign the ID token.

If Google changes this endpoint, enter the new URL.

The default value is https://www.googleapis.com/oauth2/v3/certs.

Google Sign-On Presentation

Determines how the user is directed to Google for authentication. If automatic redirects are blocked in your environment, select Pop-up window. If you are not using PingFederate in authentication API mode, this alternative presents a template file that requires user interaction.

The default value is Redirect.

Google Pop-Up Template

The template file that presents the Google sign-on form. Applies only when Google Sign-On Presentation is set to Pop-up window.

The default value is google-pop-up-template.html.

Google Post Auth Template

The template that the adapter presents after the user signs on. This template signals to the main template or authentication widget to continue the authentication flow. Applies only when Google Sign-On Presentation is set to Pop-up window.

The default value is google-post-auth-template.html.

Google Messages File

The language-pack file associated with the Google Pop-Up Template.

The default value is pingfederate-google-adapter-messages.

Retry Request

Determines whether the adapter retries requests when the Google API responds with an error code listed in the Retry Error Codes field.

Maximum Retries Limit

Determines the number of times the adapter retries a request.

The default value is 5.

Retry Error Codes

The list of error codes that cause the adapter to retry a request. Separate multiple error codes with a comma.

For a list of error codes, see Error Handling in the Google documentation.

The default value is 403,503.

API Request Timeout

The amount of time in milliseconds that PingFederate waits for the Google API to respond to requests. A value of 0 disables the timeout.

The default value is 10000.

Connection Timeout

The amount of time in milliseconds that PingFederate allows to establish a connection with the Google API. A value of 0 disables the timeout.

The default value is 10000.

Proxy Settings

Defines proxy settings for outbound HTTP requests.

The default value is System Defaults.

Custom Proxy Host

The proxy server host name to use when Proxy Settings is set to Custom.

This field is blank by default.

Custom Proxy Port

The proxy server port to use when Proxy Settings is set to Custom.

This field is blank by default.
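
The advanced URL fields can be changed from their defaults, and the two timeout fields can be set to 0 to disable the timeout. The following is an added example, not part of PingFederate, that audits a set of field values: it flags endpoints that are not HTTPS or whose host is not one of the hosts in this page's default values, and timeouts that are disabled. The field-name-to-value mapping used as input, the allow-list approach and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Default values as listed in this reference.
DEFAULT_URLS = {
    "Authentication URL": "https://accounts.google.com/o/oauth2/auth",
    "Access Token URL": "https://accounts.google.com/o/oauth2/token",
    "Logout URL": "https://accounts.google.com/Logout?hl=en",
    "User Info URL": "https://openidconnect.googleapis.com/v1/userinfo",
    "Extended Profile Data URL": "https://www.googleapis.com/admin/directory/v1/users",
    "Extended Profile Group URL": "https://www.googleapis.com/admin/directory/v1/groups?userKey=",
    "Certificate URL": "https://www.googleapis.com/oauth2/v3/certs",
}
TIMEOUT_FIELDS = ("API Request Timeout", "Connection Timeout")
# Hosts taken from the defaults above; extend deliberately if Google moves one.
ALLOWED_HOSTS = {urlsplit(u).hostname for u in DEFAULT_URLS.values()}


def audit_adapter_fields(fields):
    """Return a sorted list of (field, finding) for a {field name: value} mapping.

    Fields missing from the mapping are treated as left at their default.
    """
    findings = []
    for name, default in DEFAULT_URLS.items():
        parts = urlsplit(str(fields.get(name, default)))
        if parts.scheme != "https":
            findings.append((name, "not https"))
        if parts.hostname not in ALLOWED_HOSTS:
            findings.append((name, "host not in allow-list"))
        if parts.username or parts.password:
            findings.append((name, "userinfo in URL"))
    for name in TIMEOUT_FIELDS:
        # 0 disables the timeout, so a stalled Google API call never times out.
        if str(fields.get(name, "10000")).strip() == "0":
            findings.append((name, "timeout disabled"))
    return sorted(findings)


# Constructed sample: two endpoints changed from the defaults, one timeout disabled.
SAMPLE_FIELDS = {
    "Access Token URL": "http://accounts.google.com/o/oauth2/token",
    "Certificate URL": "https://www.googleapis.com.example.net/oauth2/v3/certs",
    "Connection Timeout": "0",
}
```

The Certificate URL and Access Token URL findings matter most: the first decides which keys the ID token signature is checked against, and the second is where the client secret is sent.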