Configure Google Directory

Learn how to set up Google Directory in the Cloud Identity Engine for user identification and security policy enforcement.
When you configure your Google Directory in the Cloud Identity Engine, the Cloud Identity Engine can access your Google Directory information to identify users and enforce security policy.
  1. If you have not already done so, activate the Cloud Identity Engine.
  2. Grant the necessary administrator rights in the Google Admin console for the Cloud Identity Engine.
    1. In the Google Admin console, select Admin roles.
    2. Select a role then click
    3. Select the following privileges then
      your changes:
      • Admin console privileges
        • Organizational Units > Read
        • Users > Read
        • Services > Mobile Device Management > Manage Devices and Settings
        • Services > Chrome Management > Settings > Manage Chrome OS > Devices > Manage Chrome OS Devices (read only)
        • Domain Settings
      • Admin API privileges
        • Organization Units > Read
        • Users > Read
        • Groups > Read
        • Domain Management
  3. Log in to the Google Admin console and configure the Cloud Identity Engine app in the Google Admin console.
    1. Select API controls and click Manage Third-Party App Access.
    2. Select Configure new app > OAuth App Name Or Client ID.
    3. Enter Palo Alto Networks Cloud Identity Engine Directory Sync and click
    4. Select the Palo Alto Networks Cloud Identity Engine Directory Sync app.
    5. Select the OAuth Client ID option if it is not already selected then click
    6. Select Trusted: Can access all Google services as the App access option then the app.
  4. Collect the necessary information from the Google Admin console to configure Google Directory in the Cloud Identity Engine.
    1. Select Account Settings.
    2. Copy the Customer ID and store it in a secure location.
  5. In the Cloud Identity Engine app, select Add Directory.
  6. Set Up Cloud Directory and select
  7. Enter your Customer ID that you copied in Step 4.
  8. Sign in to Google by entering the Google Admin credentials for the account associated with the Customer ID.
    When the login is successful, Signed In
  9. Click Test Connection to verify your configuration.
    When the test is successful,
  10. (Optional) Customize the name the Cloud Identity Engine displays for your Google Directory.
    By default, the Cloud Identity Engine uses the default domain name.
  11. Submit the configuration.
    When the configuration is submitted successfully, the Cloud Identity Engine displays the Directories page.
    You can now use information from your Google Directory in the Cloud Identity Engine when you configure a user- or group-based security policy rule or with other Palo Alto Networks applications.
