1. The Google connector contains 3 files, as mentioned below. Transfer these files to the server where the connector needs to be deployed:
.p12 certificate (generated in Google for the service-account access. Follow the steps in ‘Google Workspace Set up’ to generate it if it is not available)
2. Create a directory for the Google connector in /apps. For example, in the instructions below a directory named google_connector is created in /apps
cd /apps
mkdir google_connector
3. Copy the 2 files mentioned in step 1 into the google_connector directory created in step 2
Google Workspace Set up
To use the Google connector, a service account, an admin email address, and a certificate for using the service account are all required. If these are not already set up, use the guidelines below to set them up.
Access to the Google API developer console and project is needed to create the service account, create the necessary keys, and grant domain-wide delegation to the service account.
Admin email address
The admin user's personal Drive might show up in IDHub. It is recommended that the admin user provided in application.properties does not have any personal Drive files or folders.
The Google admin account should not be a day-to-day user account.
Navigate to https://drive.google.com/drive/my-drive, log in with the admin email address, and verify that there are no folders or files in the admin Drive that you do not want to show up in IDHub.
Google API configuration
This step covers creating the service account and its certificate, and granting domain-wide delegation to the service account. Reference: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
Enable APIs on Google Workspace
To enable an API for your project:
Go to the API Console.
From the projects list, select a project or create a new one.
If the APIs & services page isn't already open, open the console left side menu and select APIs & services.
Then select Library.
Click the Admin SDK API. If you need help finding the API, use the search field. Click ENABLE.
Repeat the above steps for the Google Drive API.
Ensure the 'API Enabled' check box is selected next to the ‘TRY THIS API’ button.
Create service account
Service account keys pose a security risk if compromised. Delete the existing key and create a new key (.p12 certificate) for the service account every month to mitigate this risk.
Navigate to https://console.developers.google.com/apis/credentials .
Login with Admin credentials
Select the correct project from the drop-down menu next to 'Google Cloud Platform'.
Click on '+ CREATE CREDENTIALS'.
Select 'Service Account' from the drop-down menu.
Provide a name (e.g. idhub-scim) and a description for your service account.
Note the complete Email address.
Click on 'DONE'
Refresh the page if your newly created service account does not show up instantly on the credentials page.
Click on the pencil icon next to the Service Account to edit it.
Now click on 'SHOW DOMAIN-WIDE DELEGATION'.
Check the box for 'Enable Google Workspace Domain-wide Delegation'
A Client ID will show up. Copy this ID.
Navigate to the Permissions tab and add the admin user as Owner.
Generate service account certificate
Click on the Keys tab in the service account.
Click on 'ADD KEY', then 'Create new key'.
Select P12 format
When the file pop-up opens, select 'Save File' and save it to a location on your computer.
Note the private key password
Rename the downloaded p12 file as desired and store the secret in a secure store.
Transfer the certificate to the server where the IDHub Connector for Google will be installed.
Copy the complete path of the certificate for use in the properties file.
Configure Domain wide delegation for service account
Navigate to https://admin.google.com on a new tab/window
Go to Main menu > Security > API Controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the service account's Client ID.
In the OAuth scopes (comma-delimited) field, enter the list of scopes below (6 scopes).
Click on View Details and verify the scopes below are added.
After these configurations are completed, the P12 certificate will allow the Google connector to interact with Google and use the scopes defined above to access Users, Drive and Groups.
JRE 16 OR JDK 16 installed
1. Update all the Google Workspace related properties obtained while setting up Google Workspace, as explained in the section above, in the configuration file application.yml
2. Continue editing the configuration file application.yml as per the table below
certs URL. For example, https://<dev7.iamsath.com>/auth/realms/IDHub/protocol/openid-connect/certs. Replace the part in <> with the name of the server where the connector is deployed; the rest remains the same
The hostname /IP of IDHUB application
Tenant / Keycloak realm name
The client ID of the client under idhub.realm of Keycloak
Password for the client ID
Follow this document to generate access and refresh tokens
Set to false
Name of the application
Name of the business owner of the application
Name of the IT owner of the application
Port on which the Google connector application will run. See this to set up reverse proxy.
The application.yml file should look like this after making all the changes
Run the connector either from the command line or as a service.
a. To run from the command line.
For example, to run the Google connector jar in the background and redirect its output to nohup.out:
cd /apps/google_connector
nohup java -jar google-splice-1.0.0-with-connector-application-2.1.5.jar > nohup.out 2>&1 &
b. To run the connector as a service, follow the steps here
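The following pre-flight script is an added example, not part of the connector or the IDHub documentation. It checks the prerequisites stated above (Java 16, the .p12 certificate present and readable only by the connector's own user, application.yml present) before launching the jar with nohup; the directory /apps/google_connector, the certificate file name and the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight check and launcher for the Google connector (added example).
# Assumed layout, from the steps above: the jar, application.yml and the
# service-account .p12 certificate all live in /apps/google_connector.

# Return 0 when the first line of "java -version 2>&1" reports major version 16.
# e.g. 'openjdk version "16.0.2" 2021-07-20' -> 16 ; '1.8.0_292' -> 1 (fails).
java_is_16() {
    major=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9]*\).*/\1/p')
    [ "$major" = "16" ]
}

# Return 0 when the .p12 certificate exists and has no group/other permission
# bits set. The key grants domain-wide access to the Workspace tenant, so it
# must be readable only by the account that runs the connector.
cert_is_private() {
    f=$1
    [ -f "$f" ] || { echo "certificate not found: $f" >&2; return 1; }
    # Columns 5-10 of "ls -l" are the group and other rwx fields (portable
    # across GNU and BSD userlands, unlike "stat").
    bits=$(ls -l "$f" | cut -c5-10)
    case $bits in
        ------) return 0 ;;
        *) echo "certificate $f is readable by group/others ($bits); chmod 600 it" >&2
           return 1 ;;
    esac
}

# Run the checks, then start the connector in the background, logging to
# nohup.out as in the command-line instructions above.
start_connector() {
    dir=$1
    cert=$2
    jar=google-splice-1.0.0-with-connector-application-2.1.5.jar
    java_is_16 "$(java -version 2>&1 | head -n 1)" || { echo "JRE/JDK 16 required" >&2; return 1; }
    cert_is_private "$cert" || return 1
    [ -f "$dir/application.yml" ] || { echo "missing $dir/application.yml" >&2; return 1; }
    [ -f "$dir/$jar" ] || { echo "missing $dir/$jar" >&2; return 1; }
    cd "$dir" && nohup java -jar "$jar" > nohup.out 2>&1 &
}

# Usage: sh preflight.sh start /apps/google_connector /apps/google_connector/idhub-scim.p12
if [ "${1:-}" = "start" ]; then
    start_connector "${2:-/apps/google_connector}" "$3"
fi
```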