Creating a Google Workspace connection

Use a Google Workspace connection to enable provisioning from PingOne to the Google Workspace user directory.

Before you begin

Make sure you have:

Reviewed the Google Cloud documentation.
A Google Workspace project. You can find more information in the Google Cloud admin console.
Details for the connected application, such as application name, domain, OAuth client ID, and client secret. Learn more in Finding Google application details.
Reviewed the Google Workspace provisioning known limitations.

Steps

In the PingOne admin console, go to Integrations > Provisioning.
Click and then click New Connection.
On the Identity Store line, click Select.
On the Google Workspace tile, click Select. Click Next.
Enter a name and description for the provisioning connection.

Result:

The connection name appears in the provisioning list after you save the connection.
Click Next.

In the Configure Authentication section, enter the values for the following fields:

You can find the values on the Google Developer console. Learn more in Finding Google application details.

Field	Value
Application Name	The name of the connected application.
Domain	The fully qualified domain name for the connected application.
OAuth client ID	The application ID for the connected application.
OAuth Client Secret	The application secret for the connected application.
OAuth Access Token	The access token for the connected application.
OAuth Refresh Token	The refresh token for the connected application.

Field

Value

Application Name

The name of the connected application.

Domain

The fully qualified domain name for the connected application.

OAuth client ID

The application ID for the connected application.

OAuth Client Secret

The application secret for the connected application.

OAuth Access Token

The access token for the connected application.

OAuth Refresh Token

The refresh token for the connected application.

Click Test Connection to verify that PingOne can establish a connection to Google Workspace.

Result:

If there are any issues with the connection, a Test Connection Failed modal opens. Click Next to resume the setup with an invalid connection.

You can’t use the connection for provisioning until you’ve established a valid connection to Google Workspace. To retry, click Cancel in the Test Connection Failed modal and repeat step 7.

Troubleshooting:

Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.

On the Actions section, enter the following:

Field

Description

Allow Users to be Created

Determines whether to create a user in the Google Workspace user directory when the user is created in the PingOne identity store.

Allow Users to be Updated

Determines whether to update user attributes in the Google Workspace user directory when the user is updated in the PingOne identity store.

Allow Users to be Disabled

When a user is disabled in the PingOne identity store, PingOne disables the user in the external identity store.

You’ll see this option only if you select Allow Users to be Updated.

Allow Users to be Deprovisioned

Determines whether to deprovision a user in the Google Workspace user directory when the user is deprovisioned in the PingOne identity store.

Remove Action

Determines the action to take when removing a user from the Google Workspace user directory.

You’ll see this option only if you select Allow Users to be Deprovisioned.

Disable: When a user is deprovisioned from the PingOne identity store, PingOne disables the user in the external identity store.

Delete: When a user is deprovisioned from the PingOne identity store, PingOne deletes the user in the external identity store.

Deprovision on Rule Deletion

Determines whether to deprovision users that were provisioned using this rule if the rule is deleted.

Click Save.
To enable the connection, click the toggle at the top of the details panel to the right (blue).

You can disable the connection by clicking the toggle to the left (gray).

Result

The Google Workspace provisioning connection is complete and added to the list of provisioning connections on the Provisioning page.

Next steps

Sync group members out of PingOne into a software as a service (SaaS) application. Learn more in Configuring outbound group provisioning.

Finding Google application details

Use the Google Developer Console to find the details for your connected application, such as client ID, client secret, access token, and refresh token.

Steps

Go to the Google Developer Console.
In the projects list, select a project or create a new one.
In the Search field, enter Google Workspace.
On the left navigation pane, click Credentials.
Under OAuth 2.0 Client IDs, click the appropriate application.
In the OAuth client window, copy the client ID and client secret to a secure location.

You can always access the client ID and client secret from the Credentials page later if needed.

Google Workspace attribute mapping

The following table lists common Google Workspace user attributes that can be mapped to PingOne user attributes for user provisioning.

Attribute Description

Family Name

The user’s last name.

Given Name

The user’s first name.

Email Address

The user’s email address.

Password

The user’s password.

!enabled

This attribute is used to maintain the status of the user account in Google Workspace. If the user is enabled in PingOne, then the sync enables the user in Google Workspace. If the user is disabled in PingOne, then the sync disables the user in Google Workspace.

For outbound provisioning to Google Workspace, you must map the addressFormatted attribute for the user’s address to appear in the Google Admin portal.

Google Workspace provisioning known limitations

The following are known issues or limitations with Google Workspace user provisioning.

You can clear user attributes after setting them by sending an empty string value onUpdate.
If a PingOne user has an invalid addressCountry value, Google Workspace might not provision the user properly.
Changes to user attributes can take a few minutes to propagate to Google Workspace. However, in some cases, changes can take up to 24 hours to take effect. For more information, see How changes propagate to Google services.
The isAdmin property can only be edited in the Make a user an administrator operation (makeAdmin method). If the property is edited in the user insert or update methods, the edit is ignored by the Google API service.
When there is an existing group in Google with the same email ID and one member and PingOne has the same group with a different member, both the existing members and the new member are in Google after Provisioning.
An update in membership in PingOne doesn’t recreate a synced deleted group from Google.