Account
IDHub Account maps to User in Google Workspace. The schema below is the Directory API User resource. Note that the sample shows "password" in plaintext alongside "hashFunction": "SHA-1": when a hashFunction is supplied, the password value must be the corresponding hash rather than the plaintext, and unsalted MD5/SHA-1 digests should be avoided for new integrations. The connector must never log, persist or echo back password values.
Google Schema
Expand to view google schema
{
"primaryEmail": "liz@example.com",
"name": {
"givenName": "Elizabeth",
"familyName": "Smith"
},
"suspended": false,
"password": "new user password",
"hashFunction": "SHA-1",
"changePasswordAtNextLogin": false,
"ipWhitelisted": false,
"ims": [
{
"type": "work",
"protocol": "gtalk",
"im": "liz_im@talk.example.com",
"primary": true
}
],
"emails": [
{
"address": "liz@example.com",
"type": "home",
"customType": "",
"primary": true
}
],
"addresses": [
{
"type": "work",
"customType": "",
"streetAddress": "1600 Amphitheatre Parkway",
"locality": "Mountain View",
"region": "CA",
"postalCode": "94043"
}
],
"externalIds": [
{
"value": "12345",
"type": "custom",
"customType": "employee"
}
],
"relations": [
{
"value": "Mom",
"type": "mother",
"customType": ""
},
{
"value": "manager",
"type": "referred_by",
"customType": ""
}
],
"organizations": [
{
"name": "Google Inc.",
"title": "SWE",
"primary": true,
"type": "work",
"description": "Software engineer"
}
],
"phones": [
{
"value": "+1 nnn nnn nnnn",
"type": "work"
}
],
"orgUnitPath": "/corp/engineering",
"includeInGlobalAddressList": true
}
Splice Account Schema Representation
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:Schema"
],
"id" : "urn:sath:params:scim:api:google:1.0:Account",
"name" : "Account",
"description" : "To create / update google accounts",
"attributes" : [
{
"name" : "country",
"multiValued" : false,
"description" : "The country in which the user is located.",
"idhubFieldName" : "officeAddressCountry"
},
{
"name" : "displayName",
"multiValued" : false,
"description" : "The fullName/displayName of the user. REQUIRED.",
"mutability" : "readOnly",
"returned" : "always",
"required" : true,
"idhubFieldName" : "displayName"
},
{
"name" : "entitlements",
"multiValued" : true,
"description" : "The entitlements of the user. Updated by PATCH Only.",
"caseExact" : true
},
{
"name" : "externalId",
"multiValued" : false,
"description" : "A String that is an identifier for the resource as defined by the provisioning client. The \"externalId\" may simplify identification of a resource between the provisioning client and the service provider by allowing the client to use a filter to locate the resource with an identifier from the provisioning domain, obviating the need to store a local mapping between the provisioning domain's identifier of the resource and the identifier used by the service provider. Each resource MAY include a non-empty \"externalId\" value. The value of the \"externalId\" attribute is always issued by the provisioning client and MUST NOT be specified by the service provider. The service provider MUST always interpret the externalId as scoped to the provisioning domain. While the server does not enforce uniqueness, it is assumed that the value's uniqueness is controlled by the client setting the value. See Section 9 of [RFC7643] for additional considerations regarding privacy. This attribute has \"caseExact\" as \"true\". Note that [RFC7643] defines externalId with a mutability of \"readWrite\", whereas this schema declares it \"readOnly\". This attribute is OPTIONAL.",
"mutability" : "readOnly",
"returned" : "always",
"caseExact" : true
},
{
"name" : "familyName",
"multiValued" : false,
"description" : "The lastName/familyName of the user. REQUIRED.",
"returned" : "always",
"required" : true,
"idhubFieldName" : "lastName"
},
{
"name" : "givenName",
"multiValued" : false,
"description" : "The firstName/givenName of the user. REQUIRED.",
"returned" : "always",
"required" : true,
"idhubFieldName" : "firstName"
},
{
"name" : "id",
"multiValued" : false,
"description" : "The unique ID for the user. A user id can be used as a user request URI's userKey. REQUIRED.",
"mutability" : "readOnly",
"returned" : "always",
"required" : true
},
{
"name" : "locality",
"multiValued" : false,
"description" : "The town or city in which the user is located.",
"idhubFieldName" : "officeAddressCity"
},
{
"name" : "meta",
"multiValued" : false,
"description" : "A complex attribute containing resource metadata.",
"mutability" : "readOnly",
"subAttributes" : [
{
"name" : "resourceType",
"multiValued" : false,
"description" : "The name of the resource type of the resource.",
"mutability" : "readOnly",
"caseExact" : true
},
{
"name" : "created",
"multiValued" : false,
"type" : "dateTime",
"description" : "The \"DateTime\" that the resource was added to the service provider."
},
{
"name" : "lastModified",
"multiValued" : false,
"type" : "dateTime",
"description" : "The most recent DateTime that the details of this resource were updated at the service provider. If this resource has never been modified since its initial creation, the value MUST be the same as the value of \"created\"."
},
{
"name" : "location",
"multiValued" : false,
"description" : "The URI of the resource being returned. This value MUST be the same as the \"Content-Location\" HTTP response header.",
"mutability" : "readOnly",
"caseExact" : true
},
{
"name" : "version",
"multiValued" : false,
"description" : "The version of the resource being returned. This value must be the same as the entity-tag (ETag) HTTP response header (see Sections 2.1 and 2.3 of [RFC7232]). This attribute has \"caseExact\" as \"true\". Service provider support for this attribute is optional and subject to the service provider's support for versioning (see Section 3.14 of [RFC7644]). If a service provider provides \"version\" (entity-tag) for a representation and the generation of that entity-tag does not satisfy all of the characteristics of a strong validator (see Section 2.1 of [RFC7232]), then the origin server MUST mark the \"version\" (entity-tag) as weak by prefixing its opaque value with \"W/\" (case sensitive).",
"mutability" : "readOnly",
"caseExact" : true
}
]
},
{
"name" : "orgUnitPath",
"multiValued" : false,
"description" : "The full path of the parent organization associated with the user. If the parent organization is the top-level, it is represented as a forward slash (/).",
"mutability" : "readOnly"
},
{
"name" : "phoneNumber",
"multiValued" : false,
"description" : "The user's phone number. Single-valued in this schema; the value must match the E.164 pattern given in canonicalValues. The maximum allowed data size is 1Kb.",
"returned" : "request",
"canonicalValues" : [
"$REGEX ^\\+[1-9]\\d{1,14}$"
],
"idhubFieldName" : "phoneNumber"
},
{
"name" : "poBox",
"multiValued" : false,
"description" : "The post office box in which the user is located, if present."
},
{
"name" : "postalCode",
"multiValued" : false,
"description" : "The ZIP or postal code in which the user is located, if applicable.",
"idhubFieldName" : "officeAddressPostal"
},
{
"name" : "primaryEmail",
"multiValued" : false,
"description" : "The user's primary email address. This property is required in a request to create a user account. The primaryEmail must be unique and cannot be an alias of another user. REQUIRED.",
"returned" : "always",
"uniqueness" : "global",
"required" : true,
"idhubFieldName" : "email"
},
{
"name" : "recoveryEmail",
"multiValued" : false,
"description" : "Recovery email of the user.",
"returned" : "request"
},
{
"name" : "recoveryPhone",
"multiValued" : false,
"description" : "Recovery phone of the user. The phone number must be in the E.164 format, starting with the plus sign (+). ",
"returned" : "request",
"canonicalValues" : [
"$REGEX ^\\+[1-9]\\d{1,14}$"
]
},
{
"name" : "schemas",
"multiValued" : true,
"description" : "The \"schemas\" attribute is a REQUIRED attribute and is an array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure. This attribute may be used by parsers to define the attributes present in the JSON structure that is the body to an HTTP request or response. Each String value must be a unique URI. All representations of SCIM schemas MUST include a non-empty array with value(s) of the URIs supported by that representation. The \"schemas\" attribute for a resource MUST only contain values defined as \"schema\" and \"schemaExtensions\" for the resource's defined \"resourceType\". Duplicate values MUST NOT be included. Value order is not specified and MUST NOT impact behavior.",
"mutability" : "readOnly",
"returned" : "always",
"caseExact" : true,
"required" : true
},
{
"name" : "secondaryEmail",
"multiValued" : false,
"description" : "The user's secondary email address. OPTIONAL.",
"returned" : "request"
},
{
"name" : "streetAddress",
"multiValued" : false,
"description" : "The street address in which the user is located, such as 1600 Amphitheatre Parkway. Whitespace within the string is ignored; however, newlines are significant.",
"idhubFieldName" : "officeAddressLine1"
},
{
"name" : "temporaryPassword",
"multiValued" : false,
"description" : "The temporary password generated for the user. Returned only in the response to a create request, not on read or search. Treat it as a secret: do not log or persist it.",
"mutability" : "readOnly",
"caseExact" : true
},
{
"name" : "thumbnailPhotoUrl",
"multiValued" : false,
"description" : "Photo Url of the user",
"mutability" : "readOnly",
"returned" : "request"
}
]
}
Resource Type
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "Account",
"name" : "Account",
"description" : "This resource creates, modifies and deletes accounts in Google Workspace. Responses use the endpoint's normal format: a single Resource or a ListResponse.",
"endpoint" : "Accounts",
"schema" : "urn:sath:params:scim:api:google:1.0:Account"
}
Implementation
The following methods of the target-system connector interface defined in the connector SPI need to be implemented for the Account and Entitlement resources:
Create Resource
Update Resource
Patch Resource
Delete Resource
Get Resource
Search Resource
Future scope
Complete implementation of Search
Make "get user with memberships" more efficient (for example by caching results or using a different API).
Risks
Because entitlements are re-fetched from the Directory API on every request, the connector risks hitting the Directory API quota limits. Retries on quota errors should use exponential backoff (as the limits page below recommends), and entitlement results should be cached where feasible.
https://developers.google.com/admin-sdk/directory/v1/limits
References
https://developers.google.com/admin-sdk/directory/reference/rest/v1/users