Syncing External Google Accounts

Overview

Schools using Google Apps for Education/Non-Profits can enable single sign-on (SSO) — part of the extra-cost Google Authentication module — so that their constituents with Google user accounts can use those credentials to sign into Veracross services (Axiom, Portals, etc.). Veracross never sees a user’s Google password at any point of the login process.

End User Experience

If at least one user at your school has a Google account, your initial login page displays only a username field, not a password field. The single field does not break password managers, so LastPass, 1Password, etc., continue to work as normal for non-Google account users.

  • Upon entering a username with an associated Google account, a second window appears with a familiar Google login screen.
  • If you have multiple Google accounts (e.g., a personal one and a school one), pick the school one (or more precisely, the one that is mapped to the user account in Veracross).
    • If you select your personal Gmail and enter the correct password, you will see an error message because you were logged into Google, but not to Veracross.

If you are already logged into Google (with your school account) in your browser and navigate to a Veracross page, the login page will send you to Veracross, bypassing the need to enter a password.

Impersonation

Impersonation works the same way as it does when impersonating non-Google accounts: if you have permission to impersonate someone, you still can, regardless of whether they or you have a Google account.

Viewing Google Account Information

If your school has purchased Google account integration, a link to “Google Accounts” is displayed on the Identity & Access Management homepage. Read more about the Identity & Access Management homepage.

Tip: It is recommended (but not required) to use the email address for the username if syncing with Google.

Google Accounts Query on the Identity & Access Management Homepage

Information about each Google account is displayed in the query result. Click “Security Admin” to view the security admin detail screen.

Person Account Detail Screen

The General and External Accounts tabs contain information relevant to syncing external Google accounts.

General Tab

Account Section:

  • Username: It is recommended (but not required) to use the email address for the username if syncing with Google. The username field is mapped, not synced, so this can be updated as needed.
  • Account Status: Read more about managing user account statuses.
  • MFA Status: A field for multi-factor authentication is provided to accommodate a future security release, when this will be updated in Veracross. Leave the status “disabled.”
  • Change Password: Since Veracross does not access the Google password, it is not possible to change it from within Veracross.
  • Security Roles: See a list of the user’s security roles.

Person Section:

  • Person-related information is displayed here. Click the box/arrow icon next to the person’s name to open their person record.

History:

  • View last login date, welcome email date, MFA enrollment date (feature forthcoming), and password change date.
  • Times are all local.
  • The last login date excludes impersonated logins.

External Accounts Tab

The External Accounts tab lists any accounts associated with the user. The information is also included on the General tab for reference.

Managing Accounts

Accounts can be created one at a time by clicking “Add Record…” on an account detail screen, but you will likely want to create them in batch.

Creating Accounts in Batch

To create accounts that will be synced with Google:

  1. Navigate to the Identity & Access Management (or System) homepage and click the “Security Roles” query.
  2. Click the relevant security role (e.g., Staff_1 or Faculty_1).
  3. On the security role detail screen:
    1. Ensure the username convention is correct (email address recommended).
    2. Click the Action menu and select “Create External Google Accounts.”

Running the Action menu item:

  • creates accounts for all users with the given security role
  • flips account status to “enabled” if it was “account setup needed” or “password expired”
  • does not enable accounts if they were disabled

Repeat the above steps for each security role as needed. A user cannot have more than one external account of a given type (e.g., not more than one Google account).

Tips and Best Practices

  • As always, testing is recommended before rolling out a major change across your organization. Create external Google accounts for a small group of users first and ensure that they can log in as expected.
  • If you plan for your users to log into other web-based platforms (e.g., Finalsite) using their Google credentials, you will need to configure Google authentication with those platforms directly.