1. In the PingFederate administrator console, create a new SP connection:
    • For PingFederate 10.1 or later: go to Applications > Integration > SP Connections. Click Create Connection.
    • For PingFederate 10.0 or earlier: go to Identity Provider > SP Connections. Click Create Connection.
  2. Configure the basic connection details with the Google Workspace quick connection template.
    1. On the Connection Template tab, select Use a template for this connection.
    2. From the Connection Template list, select Google Workspace Provisioner.
    3. In the Google Domain field, enter the Google domain used by your organization for SSO access to Google Apps.
      Note:

      If your Google Apps administrative implementation supports more than one domain, select the USE A DOMAIN SPECIFIC ISSUER checkbox under the Google Domain. Checking this box allows you to configure additional SP connections for other domains at your site registered with Google Apps.

    4. On the Connection Type tab, select Browser SSO Profiles and Outbound Provisioning. Click Next.
    5. On the Connection Options tab, click Next.
    6. On the General Info tab, in the Connection Name field, enter a name of your choosing. Click Next.
  3. On the Browser SSO tab, configure browser SSO.
    For more information, see Configuring IdP Browser SSO in the PingFederate documentation.
    1. On the Browser SSO > SAML Profiles tab, select only SP-Initiated SSO.
    2. On the Browser SSO > Protocol Settings > Allowable SAML Bindings tab, select only Redirect.
  4. On the Browser SSO > Protocol Settings > Signature Policy tab, select the Always sign the SAML Assertion check box. Click Next.
  5. On the Credentials tab, configure the connection credentials as shown in Configuring credentials in the PingFederate documentation. Click Next.
  6. On the Outbound Provisioning tab, configure provisioning with the following details.
    For help, see Configuring outbound provisioning in the PingFederate documentation.
    1. On the Target tab, complete the fields as follows.
      Field Name Description

      Application Name

      The Application Name for the application created in Google Apps.

      For more information on obtaining an application name, client ID, and secret, see Obtain an application name, client ID, and secret.

      Domain

      The Domain for the Google Apps account.

      OAuth Access Token

      The OAuth Access Token generated by the OAuth Configuration Service.

      For more information on obtaining authorized OAuth tokens, see Generate authorized OAuth 2.0 tokens.

      Oauth Client ID

      The OAuth client ID for the application created in Google Apps.

      For more information on obtaining an application name, client ID, and secret, see Obtain an application name, client ID, and secret.

      Oauth Client Secret

      The OAuth client secret generated during application creation for Google Apps.

      OAuth Refresh Token

      The OAuth refresh token generated by the OAuth Configuration Service.

      User Create

      Selected (default) – PingFederate creates users in Google Apps.

      Cleared – PingFederate does not create users in Google Apps.

      User Update

      Selected (default) – PingFederate updates existing users in Google Apps.

      Cleared – PingFederate does not update existing users in Google Apps.

      User Disable/Delete

      Selected (default) – PingFederate disables or deletes users in Google Apps.

      Note:

      PingFederate can only re-enable a user if User Update is selected.

      Cleared – PingFederate does not disable or delete users in Google Apps.

      Provision Disabled Users

      This option applies when:

      • the User Create option is selected, and
      • the provisioning engine targets a user in the data store that has a "disabled" status.

      Selected (default) – PingFederate creates the user in Google Apps with a "disabled" status.

      Cleared – PingFederate does not create the user in Google Apps.

      Remove User Action

      This option applies when:

      • User Disable/Delete is selected, and
      • a previously-provisioned user no longer meets the condition set on the Source Location screen, or
      • a user has been disabled or deleted from the data store.

      Disable (default) – PingFederate disables the user in Google Apps.

      Delete – PingFederate deletes the user from Google Apps.

  7. On the Activation and Summary tab, above the Summary section, click the toggle to turn on the connection. Click Save.
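
An added example, not part of the PingFederate documentation: a Python check that compares an exported SP connection against the Browser SSO and activation settings chosen in steps 3, 4 and 7, so drift from this procedure can be caught after later edits. The JSON key and enum names (`spBrowserSso`, `enabledProfiles`, `incomingBindings`, `signAssertions`, `active`) are assumptions modelled on the PingFederate administrative API's connection JSON, and both sample documents are constructed.

```python
import json

# Values the procedure prescribes. Key and enum names are assumptions modelled
# on the admin API's SP connection JSON; confirm against your own export.
EXPECTED = {
    "enabledProfiles": {"SP_INITIATED_SSO"},   # step 3.1: only SP-Initiated SSO
    "incomingBindings": {"REDIRECT"},          # step 3.2: only Redirect
}


def audit_sp_connection(conn):
    """Return deviations from the documented settings; an empty list means none."""
    sso = conn.get("spBrowserSso")
    if not isinstance(sso, dict):
        return ["spBrowserSso: Browser SSO is not configured"]
    findings = []
    for key, want in EXPECTED.items():
        have = set(sso.get(key) or [])
        if have != want:
            findings.append(
                f"{key}: unexpected={sorted(have - want)} missing={sorted(want - have)}"
            )
    # Step 4: a missing or false flag both mean assertions may go out unsigned.
    if sso.get("signAssertions") is not True:
        findings.append("signAssertions: 'Always sign the SAML Assertion' is not set")
    # Step 7: the connection toggle is on.
    if conn.get("active") is not True:
        findings.append("active: connection is not turned on")
    return findings


# Constructed samples (not real exports).
COMPLIANT = json.loads("""{
  "name": "Google Workspace (example)", "active": true,
  "spBrowserSso": {"enabledProfiles": ["SP_INITIATED_SSO"],
                   "incomingBindings": ["REDIRECT"], "signAssertions": true}
}""")
DRIFTED = json.loads("""{
  "name": "Google Workspace (example)", "active": true,
  "spBrowserSso": {"enabledProfiles": ["IDP_INITIATED_SSO", "SP_INITIATED_SSO"],
                   "incomingBindings": ["POST", "REDIRECT"]}
}""")

if __name__ == "__main__":
    for label, conn in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        problems = audit_sp_connection(conn)
        print(label, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```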