You can use the Google Apps Provisioning Adapter to automatically provision users in Google from the VMware Identity Manager service. If provisioning is enabled, whenever you entitle a user to Google Apps in the service, the user is also created in Google.

Before enabling provisioning in VMware Identity Manager, you must do the following:

1. Create a Google service account and its credentials.

   You will need your service account’s client ID, email address, and private key file to enable provisioning.

2. After you create the Google service account, enable Google Apps domain-wide delegation.

   a. In the API Manager Credentials > Create credentials page, click Manage service accounts.

   b. Click the more options icon next to your service account and select Edit.

   c. Select the Enable Google Apps Domain-wide Delegation checkbox, and click Save.

3. Delegate Google Apps domain-wide authority to your service account from the Security > Advanced Settings > Authentication > Manage API client access page in the Google Admin console. See the Google documentation for more information.

   When you delegate domain-wide authority to the service account, enter the following values for the One or More API Scopes field:

   https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group

You can now enable provisioning in the VMware Identity Manager service.

1. Log in to the VMware Identity Manager administration console.

2. Click the Catalog tab.

3. Click Google Apps.

4. In the Modify application page, click Provisioning.

5. Enter the following information.

| Option | Description |
| --- | --- |
| Select Adapter | Select GoogleAppsProvisioningAdapter. |
| AdminUsername | Your Google Apps administrator user name. Do not include the domain name. For example: admin |
| ServiceAccount | The client email of the service account. You can get the client email from the key file. |
| Private Key | Copy and paste the service account's private key. |
| DomainName | Your company's domain name. For example: example.com |
| SuspendOnDeprovisioning | Select this option if you want users to be suspended in Google when you remove their entitlement to Google Apps. |
| Enable Provisioning | Select this option. |


6. Click Test Connection.

   If the connection is successful, a "Made a connection to Google service" message appears at the top of the page.

7. Click Save.

8. Click the Users tab.

9. Select the attributes with which to provision users in Google by setting values for them.

   The following attributes are required, and have default values.

   - UserName
   - FirstName
   - LastName

   To set values for the attributes, follow these steps.

   a. Click Edit mapped values.

   b. Click Edit next to the attribute and select a value.

      For some attributes, such as the USERNAME attribute, mapped values can be specified per group.

      Click +ADD to add a group. You can set different values for the groups. The groups are listed in order of precedence and you can change the order by clicking the blue up and down arrows. If a user belongs to more than one group in the list, then the value of the first group to which the user belongs is used. The ALL USERS group can be used to set a default value.

      The expressions in the VALUE drop-down list are the ones listed in the User Attributes page. If you want to add any expressions to the list, add them to the User Attributes page. You can also type in a value directly.

      For some attributes, you can specify multiple values. For example, you can specify multiple phone numbers for the PHONES attribute.

      Click +ADD to add another value.

      The expressions in the drop-down list are the ones listed in the User Attributes page. If you want to add any expressions to the list, add them to the User Attributes page. You can also type in a value directly.

   c. Click Queue Changes or Save.

   d. Edit the other attributes you want to set.

   e. Click Save.

Provisioning is now enabled. When you entitle a user to Google Apps, if the user does not exist in Google, the user will be created.

Note

When you entitle a user to Google Apps, if you set the DEPLOYMENT field value to Automatic, the user is provisioned immediately. If you set the value to User-Activated, the user is provisioned when the user adds Google Apps to their My Apps portal.
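
A pre-flight check for the values this procedure asks for, added here as an example (it is not VMware or Google code). It compares a pasted One or More API Scopes string with the eight scopes listed on this page, reporting missing scopes and any extra ones that would delegate more than provisioning needs, and maps a service account key file to the provisioning form fields. It assumes the key file is in Google's JSON format; the function names and all sample values are hypothetical.

```python
import json

# Scopes the page lists for the "One or More API Scopes" field.
BASE = "https://www.googleapis.com/auth/admin.directory."
REQUIRED_SCOPES = frozenset(BASE + s for s in (
    "user.readonly", "user.alias.readonly", "user.alias", "user",
    "group.readonly", "group.member.readonly", "group.member", "group"))

def check_scopes(field_value):
    """Return (missing, extra) scopes for a pasted comma-separated string."""
    entered = {s.strip() for s in field_value.split(",") if s.strip()}
    return sorted(REQUIRED_SCOPES - entered), sorted(entered - REQUIRED_SCOPES)

def form_values(key_json, admin_username, domain_name):
    """Map a JSON key file's text to the provisioning form fields."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            raise ValueError("key file is missing " + field)
    if "@" in admin_username:
        raise ValueError("AdminUsername must not include the domain name")
    return {"AdminUsername": admin_username,
            "ServiceAccount": key["client_email"],
            "Private Key": key["private_key"],
            "DomainName": domain_name}

# Constructed sample key file; every value is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "000000000000000000000",
    "client_email": "provisioner@example-project.iam.gserviceaccount.com",
    "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY"})

# Constructed field value: one required scope dropped, one unrelated scope added.
SAMPLE_SCOPES = ",".join(sorted(REQUIRED_SCOPES - {BASE + "group"})
                         + ["https://www.googleapis.com/auth/drive"])

if __name__ == "__main__":
    missing, extra = check_scopes(SAMPLE_SCOPES)
    print("missing scopes:", missing)
    print("extra scopes (broader than the page asks for):", extra)
    values = form_values(SAMPLE_KEY, "admin", "example.com")
    print("ServiceAccount:", values["ServiceAccount"])
```

The script deliberately prints only the service account email; the private key stays in the returned dictionary and should not be written to logs or a terminal.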
