---
title: Adding an identity provider - Google
description: Add Google as an external IdP in PingOne.
component: pingone
page_id: pingone:integrations:p1_addidentityprovidergoogle
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_addidentityprovidergoogle.html
revdate: May 30, 2025
page_aliases: ["p1_register_app_with_google.adoc", "p1_enable_google_people_api.adoc", "p1_add_idp_in_p1_g.adoc", "p1_add_callback_google.adoc"]
section_ids:
  before-you-begin: Before you begin
  registering-the-application-with-google: Registering the application with Google
  steps: Steps
  next-steps: Next steps
  enabling-the-google-people-api: Enabling the Google People API
  steps-2: Steps
  next-steps-2: Next steps
  adding-google-as-an-identity-provider-in-pingone: Adding Google as an identity provider in PingOne
  before-you-begin-2: Before you begin
  steps-3: Steps
  adding-the-callback-url-to-the-google-api-console: Adding the callback URL to the Google API Console
  steps-4: Steps
  next-steps-3: Next steps
---

# Adding an identity provider - Google

Adding Google as an external identity provider (IdP) gives your users the option to sign on with Google when accessing your application. An IdP is a service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.

## Before you begin

Ensure that you have:

* A PingOne organization with an environment added. Learn more in [Starting a PingOne trial](../getting_started_with_pingone/p1_start_a_p1_trial.html).

* Added your application to PingOne. Learn more in [Adding an application](../applications/p1_applications_add_applications.html).

* A Google account.

## Registering the application with Google

When you register your application, Google generates an app ID and app secret for the application, which the Google API Console shows as the client ID and client secret. You'll need these values to connect the application to PingOne.

### Steps

1. Go to the [Google API Console](https://console.developers.google.com).

   If you haven't created a Google account, you can do so now.

2. In the **Projects** list, select a project or create a new one.

3. On the left, click **Credentials**.

4. Click **Create credentials**, then select **OAuth client ID**.

   If you're prompted to configure an OAuth consent screen with information about your application, you can do that now.

5. Select the appropriate application type for your project and enter the following information:

   * **Name**: The name of the OAuth client ID, not the display name of the application.

   * **Authorized JavaScript origins**: The origin URI of the client application, for use with requests from a browser.

   * **Authorized redirect URIs**: The path in your application that users are redirected to after they authenticate with Google. Leave this value blank for now.

6. Click **Create**.

7. On the **OAuth client** page, copy the client ID and client secret to a secure location.

   You can always access the client ID and client secret from the **Credentials** page in the API Console.

### Next steps

Learn more in [Manage OAuth Clients](https://support.google.com/cloud/answer/15549257?sjid=17163377939720277440-NC) in the Google Cloud Platform Console Help documentation.

## Enabling the Google People API

You must enable the Google People API if it's not enabled already.

### Steps

1. Go to the [Google API Console](https://console.developers.google.com).

2. In the **Projects** list, select a project or create a new one.

3. On the left, click **Library**.

4. Locate the **Google People API**.

   If you need help finding the API, use the search bar.

5. Click **Enable**.

### Next steps

Learn more in [Enable and disable APIs](https://support.google.com/googleapi/answer/6158841) in the Google API Console Help documentation.

## Adding Google as an identity provider in PingOne

Configure the IdP connection in PingOne.

### Before you begin

Ensure that registration is enabled in the authentication policy. Learn more in [Editing an authentication policy](../authentication/p1_edit_auth_policy.html).

You should have the following information ready:

* Client ID

* Client secret

### Steps

1. In the PingOne admin console, go to **Integrations > External IdPs** and click the **+** icon.

2. Click **Google** for **Identity Provider Type** and click **Next**.

3. In the **Create Profile** step, enter the following:

   * **Name**: A unique identifier for the IdP.

   * **Description** (optional): A brief description of the IdP.

   * **Population**: Select a population to enable just-in-time registration from the IdP. This overrides the registration population defined in the authentication policy.

     In accordance with the provider's brand standards, you can't change the **Icon** or **Sign-on Button**.

4. Click **Next**.

5. In the **Configure Connection** step, enter the following:

   * **Client ID**: The client ID that you copied earlier from the IdP. You can find this information on the **Credentials** page in the [Google API Console](https://console.developers.google.com).

   * **Client Secret**: The client secret that you copied earlier from the IdP. You can find this information on the **Credentials** page in the [Google API Console](https://console.developers.google.com).

   * **Callback URL**: Click the **Copy** icon to copy the **Callback URL** to a secure location. You'll provide this value to the IdP later.

6. Click **Next**.

7. Map PingOne user attributes to IdP attributes. Learn more in [Mapping attributes](../directory/p1_editsamlattributemapping.html).

   * Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in [Identity provider attributes](p1_idp_attributes.html).

   * To use the advanced expression builder, click the **Gear** icon. Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

   * Select the **Update Condition**, which determines how PingOne updates its user directory with the values from the IdP. The options are:

     * **Empty Only**: Update the PingOne attribute only if the existing attribute is empty.

     * **Always**: Always update the PingOne directory attribute.

   * To add an attribute, click **+ Add**.

   The following attributes can be mapped from Google:

   | Attribute                       | Required scope                | Description                                                                                                                                        |
   | ------------------------------- | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Age Range**                   | `auth/profile.agerange.read`  | The age range of the user, such as `TWENTY_ONE_OR_OLDER`                                                                                           |
   | **Birthday Day**                | `auth/user.birthday.read`     | The user's birthday date                                                                                                                           |
   | **Birthday Month**              | `auth/user.birthday.read`     | The user's birthday month                                                                                                                          |
   | **Birthday Text**               | `auth/user.birthday.text`     | A free text string for the user's birthday. This attribute is deprecated.                                                                          |
   | **Birthday Year**               | `auth/user.birthday.read`     | The user's birthday year                                                                                                                           |
   | **Display Name**                | `auth/userinfo.profile`       | The user's display name, such as their full name                                                                                                   |
   | **Email**                       | `auth/userinfo.email`         | The user's email address                                                                                                                           |
   | **ETag**                        | None                          | A unique identifier assigned by the server the last time the resource was changed                                                                  |
   | **Family Name**                 | `auth/userinfo.profile`       | The user's surname                                                                                                                                 |
   | **Gender**                      | `auth/user.gender.read`       | The user's gender                                                                                                                                  |
   | **Gender Formatted Value**      | `auth/user.gender.read`       | The user's gender formatted in the administrator's local language                                                                                  |
   | **Given Name**                  | `auth/userinfo.profile`       | The user's first name                                                                                                                              |
   | **Locale**                      | `auth/profile.language.read`  | The user's language                                                                                                                                |
   | **Middle Name**                 | `auth/userinfo.profile`       | The user's middle name                                                                                                                             |
   | **Nickname**                    | `auth/userinfo.profile`       | A user's nickname                                                                                                                                  |
   | **Nickname Type**               | `auth/userinfo.profile`       | The type of nickname, such as an alternate name the user is known by                                                                               |
   | **Phone Number**                | `auth/user.phonenumbers.read` | The user's phone number                                                                                                                            |
   | **Phone Number Canonical Form** | `auth/user.phonenumbers.read` | The user's phone number in the canonical [international standard E.164](https://www.itu.int/rec/T-REC-E.164/en) format with a maximum of 15 digits |
   | **Phone Number Formatted Type** | `auth/user.phonenumbers.read` | The user's phone number translated and formatted to the administrator's locale                                                                     |
   | **Phone Number Type**           | `auth/user.phonenumbers.read` | The type for the user's phone number, such as home, mobile, or work                                                                                |
   | **Photo URL**                   | `auth/userinfo.profile`       | The URL for the user's photo from their Google profile                                                                                             |
   | **Resource Name**               | None                          | An identifier for a specific entity type, such as `Person` or `ContactGroup`                                                                       |

   Learn more about the required scopes in the [Google People API reference](https://developers.google.com/people/api/rest/v1/people/get) and [OAuth 2.0 scopes](https://developers.google.com/identity/protocols/oauth2/scopes#people) in the Google API documentation.

8. Click **Save**.

9. To enable the IdP, click the toggle at the top of the details panel so that it moves to the right (blue).

   You can disable the IdP by clicking the toggle to the left (gray).
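
The attribute table in step 7 doubles as a least-privilege check: request only the scopes that your mapped attributes need. The following Python is an added example, not PingOne or Google code. The function name `audit_scopes` and the sample inputs are assumptions, and the scope strings are abbreviated exactly as in the table.

```python
# Added example (not PingOne or Google code): audit requested Google scopes
# against the attributes mapped in the IdP connection, using the table above.
# Scope strings are abbreviated exactly as they appear in that table.
SCOPE_ATTRIBUTES = {
    "auth/profile.agerange.read": ["Age Range"],
    "auth/user.birthday.read": ["Birthday Day", "Birthday Month", "Birthday Year"],
    "auth/user.birthday.text": ["Birthday Text"],
    "auth/userinfo.profile": ["Display Name", "Family Name", "Given Name",
                              "Middle Name", "Nickname", "Nickname Type",
                              "Photo URL"],
    "auth/userinfo.email": ["Email"],
    "auth/user.gender.read": ["Gender", "Gender Formatted Value"],
    "auth/profile.language.read": ["Locale"],
    "auth/user.phonenumbers.read": ["Phone Number", "Phone Number Canonical Form",
                                    "Phone Number Formatted Type",
                                    "Phone Number Type"],
    None: ["ETag", "Resource Name"],  # no scope required
}
REQUIRED_SCOPE = {a: s for s, attrs in SCOPE_ATTRIBUTES.items() for a in attrs}
DEPRECATED = {"Birthday Text"}  # marked deprecated in the table


def audit_scopes(mapped_attributes, requested_scopes):
    """Return the minimal scope set plus missing, unused, and flagged entries."""
    known = [a for a in mapped_attributes if a in REQUIRED_SCOPE]
    needed = {REQUIRED_SCOPE[a] for a in known if REQUIRED_SCOPE[a]}
    requested = set(requested_scopes)
    return {
        "minimal_scopes": sorted(needed),
        # Mapped attributes whose required scope is not being requested.
        "missing": {s: sorted(a for a in known if REQUIRED_SCOPE[a] == s)
                    for s in sorted(needed - requested)},
        # Scopes requested that no mapped attribute needs: candidates to drop.
        "unused": sorted(requested - needed),
        "deprecated": sorted(set(known) & DEPRECATED),
        "unknown": sorted(set(mapped_attributes) - set(REQUIRED_SCOPE)),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real environment.
    mapped = ["Email", "Given Name", "Family Name", "Phone Number", "Birthday Text"]
    requested = ["auth/userinfo.email", "auth/userinfo.profile",
                 "auth/user.gender.read"]
    for key, value in audit_scopes(mapped, requested).items():
        print(f"{key}: {value}")
```

Review the `unused` list before you submit the OAuth consent screen, and resolve anything under `missing` before relying on the mapped attribute.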

## Adding the callback URL to the Google API Console

After copying the callback URL from PingOne, you'll paste it in the Google API Console.

### Steps

1. Go to the [Google API Console](https://console.developers.google.com).

2. In the **Projects** list, select the appropriate project.

3. Click **Credentials**.

4. In the **Application** list, click the appropriate application.

5. In the **Authorized redirect URIs** section, click **Add URI** and paste the callback URL that you copied from PingOne.

## Next steps

* [Add the IdP to your authentication policy](../authentication/p1_edit_auth_policy.html).

* [Apply the authentication policy to your application](../applications/p1_apply_auth_policy_to_applications.html).
