Google IMAP / Foxpass password delegation

This describes how to set up Foxpass to delegate password verification to Google via IMAP.

🚧

This endpoint has been deprecated by Google

Please follow the instructions to delegate authentication via Google's LDAP endpoint here.

Google will disable access to this endpoint for Workspace and Cloud Identity Users at an unannounced date.

Set Google as your Delegated Authentication type

Go to the Foxpass 'Authentication Settings' page. Scroll down to "Password authentication delegation." Choose Google from the dropdown menu and click "Save." Make sure that you've enabled less secure app access from your Google account and that 2FA is turned off. If 2FA needs to be enabled for a specific user or set of users, you can exempt them from delegated authentication and they can use a Foxpass password instead.

📘

Note

Due to a limitation in Google's IMAP endpoint, users cannot have Google's 2FA turned on while using delegated authentication. We recommend either using the Google LDAP delegation (which bypasses 2FA during authentication) or keeping 2FA on and keeping a separate Foxpass password. You can also use our password sync feature described below.

October 30th 2019 Update

As of October 30th 2019, Google password delegation with Foxpass will work a little differently. As detailed in Google's blog post, Google is removing the capability for admins to enable the IMAP endpoint (used for Less Secure Apps) for their entire organization. Instead, users will have to individually enable IMAP (or Less Secure Apps) for their account. Any user who currently has the feature enabled will keep it enabled, but Google may disable the feature after a period of inactivity from that user. In order to use Google as an authentication mechanism for Foxpass, you have a few options:

  1. Have new users enable Less Secure Apps individually using this link.
  2. Have users utilize an App Password to access any Foxpass integrations. This can only be used with Less Secure Apps enabled or MFA enabled for an account. Users can create an App Password by following these instructions.
  3. Switch your delegated authentication mechanism to use Google's LDAP endpoint. This can be used even with Less Secure Apps disabled and MFA enabled. You can read instructions on how to do that here: Google LDAP / Foxpass password delegation. Note: this may require an additional Google license.
  4. Have users set their password in Foxpass, and configure Foxpass to push password changes into Google as detailed below.

Push Foxpass Passwords into Google

Enabling this feature will push any Foxpass password changes into Google so users have one password across all services. All Google logins will continue to work with 2FA turned on.

To set up password sync, go to the Foxpass 'Authentication Settings' page. Scroll down to "Push passwords to Google." Select the 'Yes' option from the dropdown and click the button to give Foxpass permissions to set a user's password.