Review the Google Cloud documentation at https://cloud.google.com/docs.

Make sure that you have:

  1. Go to Integrations > Provisioning.
  2. Click + and then click New Connection.
  3. On the Identity Store line, click Select.
  4. Click Google Workspace, click Select, and then click Next.
  5. Enter a name and description for the provisioning connection.

    The connection name is added to the Connections tab after you save the connection.

  6. Click Next.
  7. On the Configure authentication panel, enter the following information.

    You can find the values on the Google Developer console. For more information, see Finding Google application details.

    • Application name: The name of the connected application.
    • Domain: The fully qualified domain name for the connected application.
    • OAuth client ID: The application ID for the connected application.
    • OAuth client secret: The application secret for the connected application.
    • OAuth access token: The access token for the connected application.
    • OAuth refresh token: The refresh token for the connected application.
  8. Click Test connection to verify that PingOne can establish a connection to Google Workspace.

    If there are any issues with the connection, a Test Connection Failed dialog box opens. Click Continue to resume the setup with an invalid connection.

    Important:

    You cannot use the connection for provisioning until you have established a valid connection to Google Workspace. Click Cancel in the Test Connection Failed dialog box and follow step 7 to try again.

    Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.
  9. On the Actions panel, enter the following:
    • Allow users to be created: Determines whether to create a user in the Google Workspace user directory when the user is created in the PingOne identity store.
    • Allow users to be updated: Determines whether to update user attributes in the Google Workspace user directory when the user is updated in the PingOne identity store.
    • Allow users to be disabled: When a user is disabled in the PingOne identity store, PingOne disables the user in the external identity store.

      Note: You'll see this option only if you select Allow users to be updated.
    • Allow users to be deprovisioned: Determines whether to deprovision a user in the Google Workspace user directory when the user is deprovisioned in the PingOne identity store.
    • Remove action: Determines the action to take when removing a user from the Google Workspace user directory.

      Note: You'll see this option only if you select Allow users to be deprovisioned.

        • Disable: When a user is deprovisioned from the PingOne identity store, PingOne disables the user in the external identity store.
        • Delete: When a user is deprovisioned from the PingOne identity store, PingOne deletes the user in the external identity store.
    • Deprovision on rule deletion: Determines whether to deprovision users that were provisioned using this rule if the rule is deleted.

  10. Click Finish.
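
The Actions panel options in step 9 interact, so it helps to work out what a given combination does in Google Workspace before relying on it for offboarding. The following is an added example, not PingOne code: the setting keys and event names are hypothetical, and it assumes that deprovisioning triggered by rule deletion follows the configured Remove action.

```python
# Added example: a model of the Actions panel options described in step 9.
# Key names and event names are hypothetical, not PingOne API fields.
DEFAULTS = {
    "allow_create": False, "allow_update": False, "allow_disable": False,
    "allow_deprovision": False, "remove_action": "Disable",
    "deprovision_on_rule_deletion": False,
}

def effective(settings):
    """Apply the panel's dependencies between options."""
    s = {**DEFAULTS, **settings}
    if s["remove_action"] not in ("Disable", "Delete"):
        raise ValueError("remove_action must be 'Disable' or 'Delete'")
    if not s["allow_update"]:
        s["allow_disable"] = False   # shown only with "Allow users to be updated"
    if not s["allow_deprovision"]:
        s["remove_action"] = None    # shown only with "Allow users to be deprovisioned"
    return s

def outcome(event, settings):
    """Action taken in Google Workspace for a PingOne-side event."""
    s = effective(settings)
    removal = (s["remove_action"] or "none").lower()
    table = {
        "user_created": "create" if s["allow_create"] else "none",
        "user_updated": "update" if s["allow_update"] else "none",
        "user_disabled": "disable" if s["allow_disable"] else "none",
        "user_deprovisioned": removal,
        # Assumption: rule deletion reuses the configured Remove action.
        "rule_deleted": removal if s["deprovision_on_rule_deletion"] else "none",
    }
    if event not in table:
        raise ValueError(f"unknown event: {event}")
    return table[event]

def review(settings):
    """Return findings worth a second look before clicking Finish."""
    findings = []
    if (outcome("user_disabled", settings) == "none"
            and outcome("user_deprovisioned", settings) == "none"):
        findings.append("offboarding-gap: disabled or deprovisioned PingOne "
                        "users stay active in Google Workspace")
    if outcome("user_deprovisioned", settings) == "delete":
        findings.append("destructive-removal: deprovisioning deletes the user")
    if outcome("rule_deleted", settings) == "delete":
        findings.append("rule-deletion-deletes: deleting the rule deletes "
                        "the users it provisioned")
    return findings
```

An empty list from `review` means that disabling or deprovisioning in PingOne reaches Google Workspace and that no selected option deletes accounts.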

To sync group members out of PingOne into a software as a service (SaaS) application, follow the instructions in Configuring outbound group provisioning.