Google Identity Sync

An Identity Provider (IdP) vouches for the identity of a person by issuing an authentication token. The Virtual Appliance uses the IdP for several things, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

Configure Connection

To add and configure the app properties for the Virtual Appliance connection, complete the following steps in order:

  1. Add IdP Template.
  2. Create Authentication Project.
    1. Configure OAuth Consent.
    2. OAuth 2.0 Credentials - Desktop Client.
    3. OAuth 2.0 Credentials - Server.
  3. Create Provisioning Project.
    1. Enable Admin SDK API Service.
    2. OAuth Consent Screen Provisioning.
    3. OAuth 2.0 Credentials Provisioning.
  4. Enable Google Identity Sync Service.
  5. Verify Provisioned Users.
  6. Add Virtual Appliance Admins.

Prerequisites

Before you start the setup for Google Identity Sync with OIDC, you must configure a Service Client to use the Identity Sync Service.

1. Add IdP Template

If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

  1. Log into the Virtual Appliance Admin Console.
  2. Select Tools then Settings then General.
  3. Scroll down to Identity Provider Settings and select the IdP tab.
  4. Select Add.
  5. Under IdP Template select Google.
  6. Under AUTHENTICATION PROTOCOL select OIDC.
  7. Under PROVISIONING check the box for Google Identity Sync.
  8. Under Name enter a name you wish to use to identify the IdP (This name appears on the login button for end users).
  9. Under Discovery Endpoint enter the following URL:

    https://accounts.google.com/.well-known/openid-configuration
  10. Check the boxes for Enable for End User Login and/or Enable for Admin Login as needed.

    Leave this window open as it will be needed for later steps.

IdP Settings pop-up showing the following selections: Google as the template, OIDC as the authentication method, Google Identity Sync as the provisioning method, completed Name field, Discovery Endpoint value added, and the enable options for end users and admins enabled.
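The Discovery Endpoint entered in step 9 is where the appliance learns Google's issuer, authorization, token and key (JWKS) endpoints. The following is an added example, not the vendor's code, showing the checks a relying party should apply to that document before trusting it: the issuer must match the value you expect and must own the discovery URL, every endpoint must be HTTPS, and the authorization-code flow must be advertised. The discovery URL and issuer are Google's published values; SAMPLE_GOOGLE_DOC is a constructed, trimmed copy of the document shape so the checks run offline.

```python
"""Sanity-check an OIDC discovery document before pointing an IdP template at it.

Added example (not vendor code). Standard library only. The discovery URL and
issuer below are Google's real, published values; SAMPLE_GOOGLE_DOC is a
constructed, trimmed copy of the document shape so the checks run offline.
"""
import json
import urllib.request
from urllib.parse import urlparse

GOOGLE_DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration"
GOOGLE_ISSUER = "https://accounts.google.com"

# Fields a relying party (here, the appliance) has to rely on for the code flow.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample, trimmed to the fields we check (values as Google publishes them).
SAMPLE_GOOGLE_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def fetch_discovery(url: str = GOOGLE_DISCOVERY_URL, timeout: float = 10.0) -> dict:
    """Download and parse the discovery document (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: dict, discovery_url: str, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is usable.

    * issuer must equal the value we expect AND the document must live at
      <issuer>/.well-known/openid-configuration (OIDC Discovery 1.0, section 4.3);
      a mismatch is the signal for metadata substitution / IdP mix-up;
    * every endpoint users or tokens are sent to must be https;
    * the authorization-code flow and RS256 ID tokens must be advertised.
    """
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in doc]
    if problems:
        return problems

    issuer = doc["issuer"]
    if issuer != expected_issuer:
        problems.append(f"issuer is {issuer!r}, expected {expected_issuer!r}")
    if discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"discovery URL {discovery_url!r} does not belong to issuer {issuer!r}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[field]).scheme != "https":
            problems.append(f"{field} is not https: {doc[field]!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    return problems


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_discovery() for the live document.
    for problem in check_discovery(SAMPLE_GOOGLE_DOC, GOOGLE_DISCOVERY_URL, GOOGLE_ISSUER) or ["ok"]:
        print(problem)
```

Run it once against the live document with `check_discovery(fetch_discovery(), GOOGLE_DISCOVERY_URL, GOOGLE_ISSUER)` when you first set up the template, and again if a login suddenly starts failing after a network change; an issuer or endpoint mismatch there is a stronger signal than a generic login error.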

2. Create Authentication Project

  1. Open a separate browser tab or window and navigate to https://console.cloud.google.com.
  2. Log in using your Google Administrator account.
  3. Select the project drop-down from the top navigation bar.
  4. Select NEW PROJECT.
  5. Enter a Project name (e.g. Authentication), and ensure the Organization and Location are set correctly.
  6. Select Create.
  7. Select SELECT PROJECT under the project notification, or select the new project from the Projects drop-down.

    Google Portal with arrows pointing to the Project drop-down and the expanded Notification with the project name and Select Project option.

Google portal with an arrow pointing to the Project dropdown in the upper left, and an arrow pointing to the New Project option in the Project's pop-up.

Configure OAuth Consent

  1. In the left menu select APIs & Services, then select OAuth consent screen.
  2. Select Internal (this limits sign-in to accounts in your Google Workspace organization), then select CREATE.
  3. Enter an App name (This name will appear on the end user's authentication screen).
  4. Enter a User support email (This email will be presented on the end user's authentication screen as the contact for consent questions).
  5. Scroll down to the Authorized domains section and select + ADD DOMAIN.
  6. Enter the domain of your Virtual Appliance.
  7. Under Developer contact information enter the email addresses of the people that should receive notifications from Google regarding any changes to the project, then select SAVE AND CONTINUE.
  8. Configure any scopes your organization requires, then select SAVE AND CONTINUE.
  9. Review the OAuth consent screen configurations, then select BACK TO DASHBOARD.

Google portal with the navigation menu showing, the APIs and Services option expanded, and an arrow pointing to the sub-option for OAuth consent screen.

OAuth 2.0 Credentials - Desktop Client

  1. Select Credentials in the left-side menu.
  2. At the top of the page select +CREATE CREDENTIALS then select OAuth client ID.
  3. In the Application type drop-down menu select Desktop app.
  4. Enter a Name for the OAuth credentials (This name identifies the credentials in the Google API console and isn't displayed to end users).
  5. Select CREATE.
  6. In the OAuth client created modal, copy the ID under Your Client ID and paste it into the Admin Console IdP Settings Client Id for Clients field.
  7. In the OAuth client created modal, copy the secret under Your Client Secret and paste it into the Admin Console IdP Settings Client Secret for Clients field.
  8. Return to the Google API console and select OK to close the OAuth client created modal.

OAuth Client Created pop-up showing the values for the Your Client ID and Your Client Secret.

OAuth 2.0 Credentials - Server

  1. At the top of the page select + CREATE CREDENTIALS then select OAuth client ID.
  2. In the Application type drop-down menu select Web application.
  3. Enter a Name for the OAuth credentials (This name identifies the credentials in the Google API console and isn't displayed to end users).
  4. In Google's Authorized redirect URIs section select + ADD URI.
  5. Copy the SSO URL from the Admin Console IdP Settings window and paste it into the Google URIs 1 field.
  6. In Google's Authorized redirect URIs section select + ADD URI.
  7. Copy the Mobile SSO URL from the Admin Console IdP Settings window and paste it into the Google URIs 2 field.
  8. In Google's Authorized redirect URIs section select + ADD URI.
  9. Copy and paste the following into the URIs 3 field:

    https://llhfdhidddepenjnklbngmapjohlbekh.chromiumapp.org/
  10. Select CREATE.
  11. In the OAuth client created modal, copy the ID under Your Client ID and paste it into the Admin Console IdP Settings Client Id for Server field.
  12. In the OAuth client created modal, copy the secret under Your Client Secret and paste it into the Admin Console IdP Settings Client Secret for Server field.
  13. Return to the Google API console and select OK to close the OAuth client created modal.

OAuth Client Created pop-up showing the values for the Your Client ID and Your Client Secret.

3. Create Provisioning Project

  1. In the Google API console's top navigation bar select the project drop-down menu.
  2. Select NEW PROJECT.
  3. Enter a Project name (e.g. Provisioning), and ensure the Organization and Location are set correctly.
  4. Select Create.
  5. Select SELECT PROJECT under the project notification, or select the new project from the Projects drop-down.

    Google Portal with arrows pointing to the Project drop-down and the expanded Notification with the project name and Select Project option.

Google portal with an arrow pointing to the Project dropdown in the upper left, and an arrow pointing to the New Project option in the Project's pop-up.

Enable Admin SDK API Service

  1. In the Google API console, ensure you have the provisioning project selected.
  2. In the left menu select Enabled APIs & Services.
  3. At the top of the page select + ENABLE APIS AND SERVICES.
  4. Search for Admin SDK API then select it.
  5. Select ENABLE.

Search window showing the Admin SDK results.

OAuth Consent Screen - Provisioning

  1. In the left menu select OAuth consent screen.
  2. Select Internal (this limits sign-in to accounts in your Google Workspace organization), then select CREATE.
  3. Enter an App name (This name appears on the end user's authentication screen).
  4. Enter a User support email (This email will be presented on the end user's authentication screen as the contact for consent questions).
  5. Scroll down to the Authorized domains section and select + ADD DOMAIN.
  6. Enter the domain of your Virtual Appliance.
  7. Under Developer contact information enter the email addresses of the people that should receive notifications from Google regarding any changes to the project.
  8. Select SAVE AND CONTINUE.
  9. Configure any scopes your organization requires, then select SAVE AND CONTINUE.
  10. Review the OAuth consent screen configurations, then select BACK TO DASHBOARD.

App Registration window showing the fields for the App name and user support email.

OAuth 2.0 Credentials - Provisioning

  1. On the left menu select Credentials.
  2. At the top of the page select +CREATE CREDENTIALS then select OAuth client ID.
  3. In the Application type drop-down menu select Desktop app.
  4. Enter a Name for the OAuth credentials (This name identifies the credentials in the Google API console and isn't displayed to end users).
  5. Select CREATE.
  6. In the OAuth client created modal, copy the ID under Your Client ID and paste it into the Admin Console IdP Settings Provisioning Client Id field.
  7. In the OAuth client created modal, copy the secret under Your Client Secret and paste it into the Admin Console IdP Settings Provisioning Client Secret field.
  8. Select Apply, then select Save in the Admin Console.
  9. Return to the Google API console and select OK to close the OAuth client created modal.

OAuth Client Created pop-up showing the values for the Your Client ID and Your Client Secret.

4. Enable Google Identity Sync Service

There are a few ways to authorize Virtual Appliance access to your Google directory. Option A can be completed directly from a browser; Option B requires starting a local server that echoes incoming requests. Both are recommended. If neither is acceptable in your environment, use the alternative option for your platform below.

Option A (Recommended)

  1. In the Virtual Appliance Admin Console, select Back to tree view.
  2. Select the Service Client object in the tree, then select the Identity Sync tab.
  3. Check the box for Enable Google Identity Sync, then select Save.
  4. Select the Authorize button.
  5. Log in with your Google Administrator account and select Allow on the permission options.
  6. A browser page will load that says “This site can’t be reached”, or something similar depending on your browser. This is normal. In the URL bar on that page, copy the one-time use authorization code value found between “code=” and “&scope.”

    Browser URL bar showing the code portion highlighted.

  7. Return to the Admin Console, and paste this code in the Identity Sync's Authorization Code field.
  8. Select Save.

Option B (Use Local Server)

  1. Start a local server that can echo incoming requests. The listener must use the loopback port that the Authorize button redirects the browser to; if you are unsure which port that is, it appears in the redirect URL shown in the browser address bar in Option A step 6.
    1. For Mac, run the following command in a Terminal:

    nc -k -l 444

    The command uses the NetCat utility, which ships with macOS and can also be downloaded from http://netcat.sourceforge.net/. You can use the utility of your choice.

    2. For Windows, run the following command in a Command Prompt:

    ncat -k -l 4444

    The command uses the NCat Portable utility, which can be downloaded from https://github.com/cyberisltd/NcatPortable. You can use the utility of your choice.

  2. After running the command, the local server starts listening for incoming requests in the Terminal or Command Prompt.
  3. Return to the Admin Console, and select Back to tree view.
  4. Select the Service Client object in the tree, then select the Identity Sync tab.
  5. Check the box for Enable Google Identity Sync, then select Save.
  6. Select the Authorize button.
  7. Log in with your Google Administrator account.
  8. Select Allow on the permission options.
  9. The redirect request is echoed in the Terminal (Mac) or Command Prompt (Windows). In the GET request line, copy the one-time use authorization code between “code=” and “&scope”. The browser tab will appear to hang because the listener never answers it; this is expected.

    Terminal window showing the command has been run, and the State equals value is highlighted.

  10. Return to the Admin Console, and paste this code in the Identity Sync's Authorization Code field.
  11. Select Save.
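Options A and B both rely on you reading the authorization code out of the redirect by eye, and a raw netcat listener never answers the browser. The following is an added example, not the vendor's code, of a small loopback listener that stands in for `nc`/`ncat`: it returns a real HTTP response, parses the `code` query parameter (and `state`, if present) rather than relying on the text between “code=” and “&scope”, URL-decodes it, and refuses an `error=` redirect. The port is an assumption: it must equal the loopback port the Authorize button redirects to, which the page does not state; read it from the address bar of the “site can't be reached” page in Option A. The sample request line in the test is constructed.

```python
"""Capture the one-time Google authorization code on the loopback redirect.

Added example, not the vendor's code. Replaces the nc/ncat listener in Option B:
it answers the browser with a real HTTP response, parses the `code` query
parameter instead of leaving you to eyeball a raw request, and URL-decodes it.
Assumption (not stated on the page): the port must equal the loopback port the
Authorize button redirects to; read it from the address bar of the
"site can't be reached" page in Option A if in doubt. 4444 is a placeholder.
"""
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit


def extract_auth_code(target: str) -> dict:
    """Pull `code` (and `state`, if present) out of a redirect URL or request target.

    `target` may be a full URL (http://localhost:4444/?state=..&code=..&scope=..)
    or just the path+query as it appears in the HTTP request line.
    Returns {"code": decoded, "code_raw": as sent, "state": value or None}.
    Raises ValueError when Google returned an error or no code.
    """
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    if not params.get("code", [""])[0]:
        raise ValueError("no authorization code in redirect")
    # parse_qs percent-decodes (Google codes start '4/' and arrive as '4%2F').
    # Keep the raw form too: the page's manual steps copy it straight from the URL.
    raw = next(p[len("code="):] for p in query.split("&") if p.startswith("code="))
    return {"code": params["code"][0], "code_raw": raw, "state": params.get("state", [None])[0]}


def extract_from_request_line(request_line: str) -> dict:
    """Same, from a raw request line, e.g. 'GET /?code=4%2Fabc&scope=openid HTTP/1.1'."""
    method, target, _version = request_line.strip().split(" ", 2)
    if method != "GET":
        raise ValueError(f"unexpected method {method!r}")
    return extract_auth_code(target)


class _RedirectHandler(BaseHTTPRequestHandler):
    captured = None  # set on the class once a valid redirect has been seen

    def do_GET(self):
        try:
            type(self).captured = extract_auth_code(self.path)
            status, body = 200, b"Authorization code captured; return to the Admin Console."
        except ValueError as exc:
            status, body = 400, f"Problem: {exc}".encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # do not write the request line (and the code in it) to the terminal log


def wait_for_code(port: int = 4444, timeout: float = 300.0) -> dict:
    """Serve on 127.0.0.1:<port> until one valid redirect arrives; return the parsed code."""
    _RedirectHandler.captured = None
    server = HTTPServer(("127.0.0.1", port), _RedirectHandler)
    server.timeout = 5  # so handle_request() wakes up to re-check the deadline
    deadline = time.monotonic() + timeout
    try:
        while _RedirectHandler.captured is None and time.monotonic() < deadline:
            server.handle_request()
    finally:
        server.server_close()
    if _RedirectHandler.captured is None:
        raise TimeoutError(f"no redirect received on port {port} within {timeout:.0f}s")
    return _RedirectHandler.captured


if __name__ == "__main__":
    result = wait_for_code()
    print("state  :", result["state"])
    print("code   :", result["code"])       # paste this into the Authorization Code field
    print("as sent:", result["code_raw"])   # compare with what the URL bar shows
```

Bind to 127.0.0.1 only, as above, so nothing off the machine can hand you a forged redirect; the code is single use and short-lived, so paste it into the Admin Console promptly and do not leave it in a terminal scrollback or shell history.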

Alternative Option (Windows)

This method should only be used if the Option A / B methods above are not feasible in your environment.

  1. In the Admin Console, select Back to tree view.
  2. Select the Service Client object in the tree, then select the Identity Sync tab.
  3. Check the box for Enable Google Identity Sync, then select Save.
  4. Now select the Authorize button.
  5. Navigate back to the open browser window for the Google API console, or log into the Google API console in a new browser window.
  6. Select the project that was created for provisioning.
  7. Select APIs & Services then Credentials.
  8. Under OAuth 2.0 Client IDs, select the download icon to the far right of the credentials.
  9. Rename the downloaded JSON file to google_credentials.
  10. Move the google_credentials.json file to: C:\ProgramData\PrinterLogic\PrinterLogicServiceIdentitySync\credentials.
  11. Verify that the service-identity-sync directory has been created in C:\Program Files (x86)\Printer Properties Pro\Printer Installer Client.

    If the service-identity-sync directory does not exist, verify that your Service Client service is running. This can be done by opening the Task Manager and verifying that the PrinterLogicServiceManager.exe service is running.

  12. Return to the Admin Console on the Service Client then Identity Sync tab, uncheck Google Identity Sync to disable the service, then select Save.

    This step is important. We want to make sure that the identity-sync service is disabled BEFORE we authorize with Google so that users don’t start provisioning until we complete some later steps.
  13. Open a Command Prompt as Administrator, and enter the following command, then press Enter:

    cd C:\Program Files (x86)\Printer Properties Pro\Printer Installer Client\service-identity-sync\bin
  14. Still in the Command Prompt, enter the following command, then press Enter:

    PrinterLogicServiceIdentitySync.exe google-authorize
  15. In the browser tab that opens, log in with your Google Administrator account.
  16. Select Allow.
  17. Return to C:\ProgramData\PrinterLogic\PrinterLogicServiceIdentitySync\credentials in the file explorer, and verify that a pickle file was created. This file holds the OAuth credentials Google issued after you selected Allow, which is what the service uses to read your directory; restrict its permissions so that only administrators and the account running the Service Client can read it, and do not copy it to other machines.
  18. In the \credentials directory, create a new folder (if it doesn't already exist), and name it as the <IdP Id/ GUID> that was assigned to the Google IdP in Tools then Settings then General (See the example image below). The directory path will be C:\ProgramData\PrinterLogic\PrinterLogicServiceIdentitySync\credentials\<your_GUID_here>.

    IdP Settings window with a File explorer window open to the credentials directory, with the folder name being the same value in the sso URL.

  19. Move the pickle file into the GUID directory.
  20. In the Admin Console, select the Service Client object.
  21. Select the Identity Sync tab.
  22. Check Enable Google Identity Sync.
  23. Select Save.

Alternative Option (Mac)

This method should only be used if the Option A / B methods above are not feasible in your environment.

  1. In the Admin Console, select the Service Client object in the tree structure.
  2. Select the Identity Sync tab.
  3. Check Enable Google Identity Sync box, then select Save.
  4. In a new browser tab, log into the Google API console.
  5. Select the project that was created for provisioning.
  6. Select APIs & Services then Credentials.
  7. Under OAuth 2.0 Client IDs, select the download icon on the far right of the credentials.
  8. Rename the downloaded JSON file to google_credentials.
  9. Move the google_credentials.json file to: /Library/Application Support/PrinterLogicServiceIdentitySync/credentials
  10. Verify that the service-identity-sync directory has been created in /opt/PrinterInstallerClient/service_interface.

    If the service-identity-sync directory does not exist, verify that your Service Client service is running. This can be done by opening the Activity Monitor and verifying that the PrinterLogicServiceManager process is running.

  11. Return to the Admin Console on the Service Client then Identity Sync tab, uncheck Google Identity Sync to disable the service, then select Save.

    This step is important. We want to make sure that the identity-sync service is disabled BEFORE we authorize with Google so that users don’t start provisioning until we complete some later steps.
  12. Open a Terminal (as an administrator), and enter the following command, then press Enter:

    cd /opt/PrinterInstallerClient/service_interface/service-identity-sync/bin
  13. Still in the Terminal, enter the following command, then press Enter:

    PrinterLogicServiceIdentitySync.exe google-authorize
  14. In the browser tab that opens, log in with your Google Administrator account.
  15. Select Allow.
  16. Return to /Library/Application Support/PrinterLogicServiceIdentitySync/credentials and verify that a pickle file was created. This file holds the OAuth credentials Google issued after you selected Allow, which is what the service uses to read your directory; restrict its permissions so that only administrators and the account running the Service Client can read it, and do not copy it to other machines.
  17. In the credentials directory, create a new folder (if it doesn't already exist), and name it as the <IdP Id/ GUID> that was assigned to the Google IdP in Tools then Settings then General (See the example image below). The directory path will be /Library/Application Support/PrinterLogicServiceIdentitySync/credentials/<your_GUID_here>.

    IdP Settings window with a File explorer window open to the credentials directory, with the folder name being the same value in the sso URL.

  18. Move the pickle file into the GUID directory.
  19. In the Admin Console, select the Service Client object.
  20. Select the Identity Sync tab.
  21. Check Enable Google Identity Sync.
  22. Select Save.

5. Verify Provisioned Users

  1. In the Admin Console select Tools then Identity Management.

    If the Multiple IdP feature is NOT enabled for your instance, the menu option will be Tools then Identities.

  2. Verify that users have been provisioned.

    Depending on how many users exist in the IdP directory, provisioning can take several minutes to several hours.

6. Add Virtual Appliance Admins

For steps on assigning users and roles to the Virtual Appliance Admin Console reference Admin Console Users.