G Suite

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) using SAML and provisioning for G Suite.

About G Suite

G Suite is a brand of cloud computing software, and productivity and collaboration tools. G Suite comprises Gmail, Hangouts, Calendar, and Google+ for communication, Drive for storage, Docs, Sheets, Slides, Forms, and Sites for collaboration.

After integrating G Suite with Oracle Identity Cloud Service:

• Users can access G Suite using their Oracle Identity Cloud Service login credentials.
• Users can launch G Suite using the Oracle Identity Cloud Service My Apps console.
• Admins can assign and revoke user access to the G Suite app using the Oracle Identity Cloud Service administration console.

What Do You Need?

• An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
• A G Suite administrator account with a verified domain to include when you register the G Suite app in Oracle Identity Cloud Service. See Google Domains: Verify your Domain for Google domain verification steps.
• Make sure that the email ID of each user in G Suite matches the primary email ID of the Oracle Identity Cloud Service account.

Configuring the G Suite App in Oracle Identity Cloud Service

Use this section to register and activate the G Suite app and to enable provisioning and synchronization for G Suite. You can then assign users or groups to G Suite and start the user provisioning process.

Prerequisite Steps

A verified domain name is required before you can register and activate the G Suite app. You obtain that domain name from G Suite.

To obtain the domain name:

1. Log in as an administrator to the Google Admin console at: https://admin.google.com/.

2. Click MORE CONTROLS at the bottom of the page, and then click Domains.

3. Select Add/Remove domains, and then copy the Primary Domain.

Tip: Use the above primary domain value as the Domain Name in Step 4. of "Registering and Activating the G Suite App" section.

Registering and Activating the G Suite App

1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

2. Click App Catalog.

3. Search for G Suite, and then click Add.

4. In the Visible column of the App Links section, select check boxes for the G Suite sub apps that you want to select for users. The specified sub app links appear on the My Apps page for the users that are assigned to the G suite app.

5. In the App Details section, enter the G Suite Domain, and then click Next.

   Note:

• This is the domain name value that you obtained while performing the steps in the "Prerequisite Steps" section.

• If you update the domain name, then ensure to reauthorize the application once again in the Provisioning page. See the "Enabling Provisioning and Synchronization for G Suite" section.

1. Click Download Identity Provider Metadata.

   Tip: You use this file later during the G Suite configuration in the "Configuring SSO for G Suite" section.

2. Click Next to enable provisioning and synchronization for G Suite. See the "Enabling Provisioning and Synchronization for G Suite" section.

3. After you enable provisioning, click Finish. Oracle Identity Cloud Service displays a confirmation message.

4. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning and Synchronization for G Suite

Use this section to enable provisioning and synchronization for managing user accounts in G Suite through Oracle Identity Cloud Service.

Enabling Provisioning

1. On the Provisioning page, select Enable Provisioning.

2. To establish a connection with G Suite through Oracle Identity Cloud Service, click Authorize. The G Suite login page appears.

3. Enter the G Suite administrator account credentials, click Sign in, and then click Allow at the prompt requesting offline access to G Suite.

4. From the Actions drop-down list, select Test to verify the connection with G Suite. Oracle Identity Cloud Service displays a confirmation message.

5. To view predefined attribute mappings between the user account fields defined in G Suite and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

   Note: To add a new attribute for provisioning, click Add Attribute, specify the attributes in the User and Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the Account column.

6. Specify the provisioning operations that you want to enable for G Suite:

   Authoritative Sync: Configures G Suite as an authoritative source of Oracle Identity Cloud Service. In the authoritative sync configuration, users, groups, and user group memberships are created or modified on G Suite and the information is synchronized into Oracle Identity Cloud Service.

   Note: By default, authoritative sync is not enabled and the Create Account, De-activate Account, Update Account, and Delete Account check boxes are selected for performing provisioning operations. If you enable authoritative sync, these check boxes are disabled for this app and you can't perform the provisioning operations using Oracle Identity Cloud Service.

   Create Account: Automatically creates an account in G Suite when G Suite access is granted to the corresponding user in Oracle Identity Cloud Service.

   De-activate Account: Automatically activates or deactivates an account in G Suite when the corresponding user is activated or deactivated in Oracle Identity Cloud Service.

   Update Account: Automatically updates an account in G Suite when the user is updated in Oracle Identity Cloud Service.

   Delete Account: Automatically deletes an account from G Suite when G Suite access is revoked from the corresponding user in Oracle Identity Cloud Service.

Enabling Synchronization

1. On the Provisioning page, select Enable Synchronization.

2. From the User Identifier drop-down list, select the Oracle Identity Cloud Service user attribute that you want to match with the corresponding record fetched from G Suite.

   Note: By default, the Primary Email Address check box is selected. It is recommended to leave this default attribute for accurate synchronization of user records.

3. From the Application Identifier drop-down list, select the G Suite account attribute that you want to match with the existing Oracle Identity Cloud Service user.

   Note: By default, the name option is selected that represents the primaryEmail attribute of the G Suite account. Don't change this default option.

4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

   Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields.

   Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. You need to manually confirm the linked accounts.

5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be removed during the synchronization run.

After enabling provisioning and synchronization for G Suite, you can synchronize the existing account details from G Suite and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

You can also manage G Suite accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

Configuring SSO for G Suite

1. Access G Suite at: https://gsuite.google.com/, click Sign in, enter your <GSuiteDomain>, and then click GO.

2. On the Admin console page, click the Security tile.

3. On the Security page, click Set up single sign-on (SSO).

4. In the Setup SSO with third party identity provider section, use the table to update the federated authentication attributes.

   This table lists the mandatory federated authentication attributes that you must set to complete the SSO configuration.

   Attribute	Value
   Sign-in page URL	Enter the Sign-in URL and SSO Endpoint: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso
   Sign-out page URL	Enter the Oracle Identity Cloud Service My console URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.
   Verification certificate	Click Upload Certificate, and then upload the certificate that you downloaded during the G Suite registration in Oracle Identity Cloud Service. See the "Registering and Activating the G Suite App" section.

   Your changes are saved automatically.

Verifying the Integration

Use this section to verify that SSO and single log-out (SLO) work when initiated from Oracle Identity Cloud Service (IdP Initiated SSO and IdP Initiated SLO) and when initiated from G Suite (SP Initiated SSO and SP Initiated SLO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

1. Access the Oracle Identity Cloud Service My console: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

2. Log in using credentials for a user that is assigned to the G Suite app. Oracle Identity Cloud Service displays a shortcut to G Suite apps (Calendar, Drive, and Mail) under My Apps.

3. Click the G Suite Calendar app and the G Suite Calendar home page appears. Click the user account icon in the upper-right corner of the page and confirm that the user that is logged in is the same user that is logged in to Oracle Identity Cloud Service.

4. Repeat step 3 for the G Suite Drive app and the G Suite Mail app.

   This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from G Suite

1. Access G Suite using the URL: https://gsuite.google.com/. The G Suite signup page appears.

2. In the upper-right corner of the header, click Sign in, enter the G Suite Domain, select any one of the G Suite app that you want to access from the Access to drop-down list, and then click GO. You are redirected to the Oracle Identity Cloud Service login page.

3. Log in using credentials for a user that is assigned to the G Suite app. The home page of the selected app appears.

4. Click the user icon in the upper-right corner of the page, and confirm that the user that is logged in is the same for both G Suite and Oracle Identity Cloud Service.

   This confirms that SSO that is initiated from G Suite works.

Verifying Single Log-Out (SLO) from Oracle Identity Cloud Service

1. Access any of the G Suite apps from the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole. The home page of the selected app appears.

2. In the upper-right corner of the Oracle Identity Cloud Service My Profile console, click the user drop-down list, and then click Sign Out. The Oracle Identity Cloud Service login page appears.

3. Confirm that the user is logged out of the selected app.

   Note: The user is logged out of both Oracle Identity Cloud Service and the app when log out is initiated from Oracle Identity Cloud Service.

   This confirms that SLO that is initiated from Oracle Identity Cloud Service works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

G Suite displays the error message "Server error"

Cause: The email attribute sent by Oracle Identity Cloud Service during SSO doesn't match any existing user in G Suite.

Solution: Ensure that the user that is signed in has an account in both Oracle Identity Cloud Service and G Suite with the same email address.

G Suite displays the error message “You are not authorized to access the app. Contact your System administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service G Suite app and G Suite is deactivated or the administrator has revoked the user's access to G Suite.

Solution 1:

• Access the Oracle Identity Cloud Service administration console, select Applications, and then G Suite.
• Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the G Suite app using Oracle Identity Cloud Service.

Solution 2: Access the Oracle Identity Cloud Service administration console, select Applications, G Suite, Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

1. Go to https://support.oracle.com.

2. Select Cloud Support, and then sign in with your support credentials.

3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

4. Select Oracle Identity Cloud Service as the service type.

5. Complete your service request.