Password Synchronization with G-Suite

Prerequisite

Steps to enable API access in G-Suite

IMPORTANT:

  • Install the Password Sync Agent to synchronize native password changes and resets.
  • Before you can configure G-Suite with ADSelfService Plus for Password Synchronization, you have to enable Domain Admin API access in G-Suite.
  1. Go to the Google Admin console.
  2. Log on using your G-Suite Administrator account.
  3. Create a new project named ADSelfService Plus
  4. In the left pane, click the Library link. Under the G-Suite APIs, locate Admin SDK and turn it on.
  5. In the left pane, click the Credentials link
  6. On the right-hand side, click the Create Credentials button and select Service Account Key.
  7. Click the drop-down box under Service account and select New service account.
  8. Enter a name for the service account and provide the role of Project owner for the service account.
  9. Select the Key type as P12 and click Create. You will now receive a P12 file. Save this file to your computer and click Close.
  10. Click on the Manage service accounts link.
  11. Click on the options against the service account that you created and select Edit.
  12. Mark the checkbox against Enable G-Suite Domain-wide Delegation, enter a name in the Product name for the consent screen text box and click Save.
  13. Click on the View Client ID link under the options column and copy the value against the client ID field.
  14. The service account email is the one that is mentioned in the Service account field.
  15. Grant domain-wide authority to this Service Account, using the steps mentioned below.

Delegate domain-wide authority to your service account

The service account that you created needs to be granted access to the G-Suite domain's user data that you want to access. The following tasks have to be performed by an administrator of the G-Suite domain.

  1. Go to your Google domain's Admin console.
  2. Select Security from the list of controls.
  3. Select Advanced settings from the list of options.
  4. Select Manage API client access in the Authentication section.
  5. In the Client name field, enter the service account's Client ID that you copied earlier.
  6. In the One or More API Scopes field, enter the list of scopes that your application should be granted access to. For example, if you need domain-wide access to Users, Groups, and Organizational Units, enter:
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/admin.directory.group,
    https://www.googleapis.com/auth/admin.directory.orgunit

  7. Click the Authorize button.

Your service account now has domain-wide access to the Google Admin SDK Directory API for all the users of your domain.

Steps to configure G-Suite with ADSelfService Plus

  1. Log in to the ADSelfService Plus admin console with admin credentials.
  2. Navigate to Configuration → Self-Service → Password Sync/ Single Sign On.
  3. Select the G-Suite application.
    Note: You can also find the G-Suite application that you need from the search bar located in the left pane or the alphabet-wise navigation option in the right pane.
  4. Enter the Application Name and Description.
  5. Enter the Domain name (e.g.: adselfserviceplus.com) of your G-Suite domain.
  6. In the Assign Policies field, select the policies for which password sync needs to be enabled.
    Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy.
  7. Select Enable Password Sync.
  8. Enter the User Name (e.g.: demo@adselfserviceplus.com) of G-Suite admin account.
  9. Enter the Service Account Email (e.g.: 428499212222-9csoom2llko9292ro21rhm411214lkrh@developer.gserviceaccount.com) which was created in the previous step, from G-Suite.
  10. Select the relevant P12 Key File of G-Suite admin account.
  11. Click Add Application.
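
Added example (not ADSelfService Plus or Google code): how the User Name, Service Account Email and authorized scopes combine into the claim set that a client signs with the P12 key under domain-wide delegation, with a check for scopes broader than password sync needs. Assumptions: password sync needs only the admin.directory.user scope; the function names and the sample service account address are hypothetical; signing is left out.

```python
import time

# Assumption: resetting a user's password via the Directory API needs only this scope.
REQUIRED_SCOPES = {"https://www.googleapis.com/auth/admin.directory.user"}
SCOPE_PREFIX = "https://www.googleapis.com/auth/"
TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


def parse_scope_field(text):
    """Split the comma-separated 'One or More API Scopes' entry into a set."""
    return {s.strip() for s in text.replace("\n", ",").split(",") if s.strip()}


def audit_scopes(text, required=REQUIRED_SCOPES):
    """Return (missing, excess, malformed) for the scopes authorized for a client ID."""
    granted = parse_scope_field(text)
    malformed = {s for s in granted if not s.startswith(SCOPE_PREFIX)}
    well_formed = granted - malformed
    return required - well_formed, well_formed - required, malformed


def delegation_claims(service_account_email, admin_user, scope_text, now=None, ttl=3600):
    """Build the JWT claim set for the service account flow with delegation."""
    if not 0 < ttl <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    missing, _, malformed = audit_scopes(scope_text)
    if missing or malformed:
        raise ValueError(f"scope problem: missing={missing} malformed={malformed}")
    iat = int(time.time() if now is None else now)
    return {
        "iss": service_account_email,  # identity that holds the P12 private key
        "sub": admin_user,             # G-Suite admin the service account acts as
        "scope": " ".join(sorted(parse_scope_field(scope_text))),  # space-delimited
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + ttl,
    }


# Constructed sample input: the three scopes from the delegation example on this page.
PAGE_SCOPES = """https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.orgunit"""

if __name__ == "__main__":
    print("excess scopes to review:", sorted(audit_scopes(PAGE_SCOPES)[1]))
    # Constructed service account address; the admin user is the page's example.
    print(delegation_claims("sync-agent@example-project.iam.gserviceaccount.com",
                            "demo@adselfserviceplus.com", PAGE_SCOPES, now=1700000000))
```

Any scope reported as excess is access that whoever holds the P12 file can use on behalf of the named admin, so review it against what the integration actually needs before authorizing it.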

Copyright © 2024, ZOHO Corp. All Rights Reserved.