PingOne

Adding an identity provider - Google

Adding Google as an external identity provider (IdP) gives your users the option to sign on with Google when accessing your application.

Before you begin

Ensure that you have:

Registering the application with Google

When you register your application, Google generates a client ID and client secret for the application. You’ll need these values to connect the application to PingOne.

Steps

  1. Go to the Google API Console.

    If you haven’t created a Google account, you can do so now.

  2. In the Projects list, select a project or create a new one.

  3. On the left, click Credentials.

  4. Click Create credentials, then select OAuth client ID.

    If you’re prompted to configure an OAuth consent screen with information about your application, you can do that now.

  5. Select the appropriate application type for your project and enter the following information:

    • Name: The name of the OAuth client ID, not the display name of the application.

    • Authorized JavaScript origins: The origin URI of the client application, for use with requests from a browser.

    • Authorized redirect URIs: The path in your application that users are redirected to after they authenticate with Google. Leave this value blank for now.

  6. Click Create.

  7. On the OAuth client page, copy the client ID and client secret to a secure location.

    You can always access the client ID and client secret from the Credentials page in the API Console.

Next steps

Learn more in Manage OAuth Clients in the Google Cloud Platform Console Help documentation.

Enabling the Google People API

You must enable the Google People API if it’s not enabled already.

Steps

  1. Go to the Google API Console.

  2. In the Projects list, select a project or create a new one.

  3. On the left, click Library.

  4. Locate the Google People API.

    If you need help finding the API, use the search bar.

  5. Click Enable.

Next steps

Learn more in Enable and disable APIs in the Google API Console Help documentation.

Adding Google as an identity provider in PingOne

Configure the IdP connection in PingOne.

Before you begin

Ensure that registration is enabled in the authentication policy. Learn more in Editing an authentication policy.

You should have the following information ready:

  • Client ID

  • Client secret

Steps

  1. In the PingOne admin console, go to Integrations > External IdPs and click .

  2. Click Google for Identity Provider Type and click Next.

  3. In the Create Profile step, enter the following:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    • Population: Select a population to enable just-in-time registration from the IdP. This overrides the registration population defined in the authentication policy.

      In accordance with the provider’s brand standards, you can’t change the Icon or the Sign-on Button.

  4. Click Next.

  5. In the Configure Connection step, enter the following:

    • Client ID: The client ID that you copied earlier from the IdP. You can find this information on the Credentials page in the Google API Console.

    • Client Secret: The client secret that you copied earlier from the IdP. You can find this information on the Credentials page in the Google API Console.

    • Callback URL: Click the Copy icon () to copy the Callback URL to a secure location. You’ll provide this value to the IdP later.

  6. Click Next.

  7. Map PingOne user attributes to IdP attributes. Learn more in Mapping attributes.

    • Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.

    • To use the advanced expression builder, click the Gear icon (). Learn more in Using the expression builder.

    • Select the Update Condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

      • Empty Only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

    • To add an attribute, click Add.

    The following attributes can be mapped from Google:

    Attribute | Required scope | Description
    Age Range | auth/profile.agerange.read | The age range of the user, such as TWENTY_ONE_OR_OLDER
    Birthday Day | auth/user.birthday.read | The user’s birthday date
    Birthday Month | auth/user.birthday.read | The user’s birthday month
    Birthday Text | auth/user.birthday.text | A free text string for the user’s birthday. This attribute is deprecated.
    Birthday Year | auth/user.birthday.read | The user’s birthday year
    Display Name | auth/userinfo.profile | The user’s display name, such as their full name
    Email | auth/userinfo.email | The user’s email address
    ETag | None | A unique identifier assigned by the server the last time the resource was changed
    Family Name | auth/userinfo.profile | The user’s surname
    Gender | auth/user.gender.read | The user’s gender
    Gender Formatted Value | auth/user.gender.read | The user’s gender formatted in the administrator’s local language
    Given Name | auth/userinfo.profile | The user’s first name
    Locale | auth/profile.language.read | The user’s language
    Middle Name | auth/userinfo.profile | The user’s middle name
    Nickname | auth/userinfo.profile | A user’s nickname
    Nickname Type | auth/userinfo.profile | The type of nickname, such as an alternate name the user is known by
    Phone Number | auth/user.phonenumbers.read | The user’s phone number
    Phone Number Canonical Form | auth/user.phonenumbers.read | The user’s phone number in the canonical international standard E.164 format with a maximum of 15 digits
    Phone Number Formatted Type | auth/user.phonenumbers.read | The user’s phone number translated and formatted to the administrator’s locale
    Phone Number Type | auth/user.phonenumbers.read | The type for the user’s phone number, such as home, mobile, or work
    Photo URL | auth/userinfo.profile | The URL for the user’s photo from their Google profile
    Resource Name | None | An identifier for a specific entity type, such as Person or ContactGroup

    Learn more about the required scopes in the Google People API reference and OAuth 2.0 scopes in the Google API documentation.

  8. Click Save.

  9. To enable the IdP, click the toggle at the top of the details panel to the right (blue).

    You can disable the IdP by clicking the toggle to the left (gray).
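The following is an added example, not PingOne’s or Google’s own code, illustrating two points from step 7: deriving the least-privilege set of Google scopes from the attributes you actually map (using the scope table above), and how the Empty Only and Always update conditions change a PingOne user record. The PingOne attribute names, Google claim names and sample records are constructed for illustration.

```python
# Added example (not PingOne's or Google's code). Scope values come from the
# attribute table on this page; all user data below is constructed.

# Subset of the page's attribute -> required-scope table. None = no scope needed.
ATTRIBUTE_SCOPES = {
    "Email": "auth/userinfo.email",
    "Given Name": "auth/userinfo.profile",
    "Family Name": "auth/userinfo.profile",
    "Display Name": "auth/userinfo.profile",
    "Photo URL": "auth/userinfo.profile",
    "Phone Number": "auth/user.phonenumbers.read",
    "Birthday Year": "auth/user.birthday.read",
    "Gender": "auth/user.gender.read",
    "Locale": "auth/profile.language.read",
    "ETag": None,
    "Resource Name": None,
}


def required_scopes(mapped_attributes):
    """Return the sorted, de-duplicated scopes needed for a mapping.

    Only request what the mapping needs (least privilege). An unknown
    attribute raises so a typo never silently drops a required scope.
    """
    scopes = set()
    for attr in mapped_attributes:
        if attr not in ATTRIBUTE_SCOPES:
            raise KeyError(f"unknown Google attribute: {attr!r}")
        scope = ATTRIBUTE_SCOPES[attr]
        if scope is not None:
            scopes.add(scope)
    return sorted(scopes)


def apply_mapping(pingone_user, idp_attrs, mapping):
    """Apply the update conditions from step 7 to a PingOne user record.

    mapping: list of (pingone_attr, idp_attr, condition) tuples, where
    condition is "Empty Only" or "Always". Returns a new dict; the input
    record is never mutated. Attributes the IdP did not send are left alone.
    """
    updated = dict(pingone_user)
    for p_attr, i_attr, condition in mapping:
        if i_attr not in idp_attrs:
            continue
        if condition == "Always":
            updated[p_attr] = idp_attrs[i_attr]
        elif condition == "Empty Only":
            if not updated.get(p_attr):  # only fill a missing/empty value
                updated[p_attr] = idp_attrs[i_attr]
        else:
            raise ValueError(f"unknown update condition: {condition!r}")
    return updated
```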

Adding the callback URL to the Google API Console

After copying the callback URL from PingOne, you’ll paste it in the Google API Console.

Steps

  1. Go to the Google API Console.

  2. In the Projects list, select the appropriate project.

  3. Click Credentials.

  4. In the Application list, click the appropriate application.

  5. In the Authorized redirect URIs section, click Add URI and paste the callback URL that you copied from PingOne.

Next steps