Google Workspace Set up

To use Google Splice, you need a service account, an admin email address, and a certificate for that service account. If these are not already set up, use the guidelines below to create them.

Prerequisites

  1. Access to the Google API developer console and the project, to create the service account, create the necessary keys and grant domain-wide delegation to the service account.

  2. Admin email address

The admin user's personal Drive might show up in IDHub. It is recommended that the admin user provided in application.properties does not have any personal Drive folders or files.

The Google admin account should not be a day-to-day user account.

Navigate to https://drive.google.com/drive/my-drive, log in with the admin email address, and verify there are no folders or files in the admin Drive that you do not want to show up in IDHub.

Google API - One time configuration

This step covers creating the service account and its certificate and granting domain-wide delegation to the service account. Reference - https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

Enable APIs on Google Workspace

Reference - https://support.google.com/googleapi/answer/6158841?hl=en

To enable an API for your project:

  1. Go to the API Console.

  2. From the projects list, select a project or create a new one.

  3. If the APIs & services page isn't already open, open the console left side menu and select APIs & services.

  4. Then select Library.

  5. Click the Admin SDK API. If you need help finding the API, use the search field. Click ENABLE.

  6. Perform the above steps for the Google Drive API.

Ensure the 'API Enabled' check box is selected next to the 'TRY THIS API' button.

Create service account

Service account keys pose a security risk if compromised. Delete and create new keys (.p12 certificate) for the service account every month to mitigate this risk.

  1. Navigate to https://console.developers.google.com/apis/credentials.

    1. Login with Admin credentials

    2. Select the correct project from the drop down menu next to (Google Cloud Platform)

  2. Click on '+ CREATE CREDENTIALS'

    1. Select 'Service Account' from the drop-down menu.

    2. Provide a name (e.g. idhub-scim) and a description for your service account.

    3. Note the complete Email address.

    4. Click on 'DONE'

  3. Refresh the page if your newly created service account does not show up instantly on the credentials page.

  4. Click on the pencil icon next to the Service Account to edit it.

    1. Now Click on 'SHOW DOMAIN-WIDE DELEGATION'

    2. Check the box for 'Enable Google Workspace Domain-wide Delegation'

    3. Click 'Save'.

    4. A Client ID will show up. Copy this ID.

  5. Navigate to the Permissions tab and add the admin user as Owner.

Generate service account certificate

  1. Click on Keys tab in the service account.

    1. Click on 'ADD KEY', then 'Create new key'

    2. Select P12 format

    3. Click 'CREATE'

    4. When the file pop-up opens, select 'Save File' and save it to a location on your computer.

    5. Note the private key password

  2. Rename the downloaded .p12 file as desired and store the secret in a secure store.

  3. Transfer the certificate to the server where the IDHub connector for Google will be installed.

  4. Copy the complete path of the certificate; it is needed in the properties file.
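The monthly key rotation recommended above can be scripted with the gcloud CLI instead of repeating the console clicks. The script below is an added example, not part of the IDHub documentation or the connector; it assumes gcloud is installed and authenticated as a project owner, and SA_EMAIL, KEY_OUT and MAX_AGE_DAYS are placeholders to adjust. It mints the replacement key first and only prunes old keys in a separate step, so the connector is never left without a valid key.

```shell
#!/bin/sh
# Added example, not part of the IDHub documentation: rotate the service-account P12
# key from the command line and prune keys older than the rotation window.
# Assumes gcloud is installed and authenticated as a project owner. SA_EMAIL, KEY_OUT
# and MAX_AGE_DAYS are placeholders to adjust.
set -eu

SA_EMAIL="${SA_EMAIL:-idhub-scim@PROJECT_ID.iam.gserviceaccount.com}"   # placeholder
KEY_OUT="${KEY_OUT:-./idhub-google-$(date +%Y%m%d).p12}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-30}"

# RFC 3339 UTC timestamp for "now minus $1 days" (GNU date first, BSD date as fallback).
cutoff_rfc3339() (
  secs=$(( $(date +%s) - $1 * 86400 ))
  date -u -d "@$secs" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -r "$secs" +%Y-%m-%dT%H:%M:%SZ
)

# $1: output of `gcloud iam service-accounts keys list --format='value(name.basename(),validAfterTime)'`
#     (tab-separated "KEY_ID<TAB>2024-01-15T10:00:00Z" lines); $2: cutoff timestamp.
# Prints the IDs of keys created before the cutoff. Both timestamps are zero-padded
# UTC strings, so plain string comparison is chronological comparison.
select_stale_keys() {
  printf '%s\n' "$1" | awk -F'\t' -v cutoff="$2" '$2 != "" && $2 < cutoff { print $1 }'
}

create_key() {
  # Mint the replacement first so the connector is never left without a valid key.
  gcloud iam service-accounts keys create "$KEY_OUT" --iam-account="$SA_EMAIL" --key-file-type=p12
  chmod 600 "$KEY_OUT"
  echo "New key written to $KEY_OUT. Install it on the connector host, update google.certificate.path,"
  echo "restart the connector, confirm it authenticates, then run: $0 prune"
}

prune_keys() {
  keys=$(gcloud iam service-accounts keys list --iam-account="$SA_EMAIL" --managed-by=user \
           --format='value(name.basename(),validAfterTime)')
  cutoff=$(cutoff_rfc3339 "$MAX_AGE_DAYS")
  for key_id in $(select_stale_keys "$keys" "$cutoff"); do
    echo "Deleting key $key_id (created before $cutoff)"
    gcloud iam service-accounts keys delete "$key_id" --iam-account="$SA_EMAIL" --quiet
  done
}

case "${1:-}" in
  create) create_key ;;
  prune)  prune_keys ;;
  *)      echo "usage: $0 create|prune" >&2 ;;
esac
```

Run `sh rotate-key.sh create`, deploy the new file as described in the steps above, and only then run `sh rotate-key.sh prune`; the freshly created key is newer than the cutoff and survives the prune, while every key older than MAX_AGE_DAYS is deleted.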

Configure Domain wide delegation for service account

  1. Navigate to https://admin.google.com in a new tab/window.

  2. Go to Main menu > Security > API Controls.

  3. In the Domain wide delegation pane, select Manage Domain Wide Delegation.

    1. Click Add new.

    2. In the Client ID field, enter the service account's Client ID.

    3. In the OAuth scopes (comma-delimited) field, enter the list of six scopes below.

      https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/drive.readonly

    4. Click Authorize.

    5. Click on View Details and verify the scopes listed above have been added.

After these configurations are completed, the P12 certificate allows Splice to interact with Google and use the scopes defined above to access Users, Drive and Groups.
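The steps above give the service account a client ID, a P12 key and six delegated scopes. The script below, added here and not part of the IDHub documentation or the connector, reproduces what the connector's Google client library does with them so the delegation can be checked from the command line before deployment: it signs a JWT with the P12 key, names the admin as the impersonated user (the `sub` claim, which is what domain-wide delegation authorises), exchanges it for an access token, then lists Directory users and the admin's Drive files (which, per the note at the top of this page, should be empty). SA_EMAIL, ADMIN_EMAIL, DOMAIN and P12_PATH are assumed placeholders; P12_PASSWORD is the private key password noted when the key was created (Google's documented default for P12 keys is "notasecret"). Requires openssl and curl.

```shell
#!/bin/sh
# Added example (not part of the IDHub documentation): reproduce what the connector's
# Google client library does with the P12 certificate, so the domain-wide delegation
# configured above can be checked before deploying.
# Placeholders: SA_EMAIL, ADMIN_EMAIL, DOMAIN, P12_PATH. P12_PASSWORD is the private key
# password noted when the key was created ("notasecret" is Google's documented default).
set -u

SA_EMAIL="${SA_EMAIL:-idhub-scim@PROJECT_ID.iam.gserviceaccount.com}"  # placeholder
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@iamsath.com}"                        # as in application.properties
DOMAIN="${DOMAIN:-iamsath.com}"
P12_PATH="${P12_PATH:-/etc/idhub/google-splice.p12}"                   # placeholder path
P12_PASSWORD="${P12_PASSWORD:-notasecret}"
# The six scopes exactly as entered in the Admin console delegation screen (comma-delimited).
SCOPES_CSV='https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/drive.readonly'
TOKEN_URL='https://oauth2.googleapis.com/token'

# JWT segments are base64url without padding.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# The JWT "scope" claim is space-delimited, unlike the console field.
scopes_for_jwt() { printf '%s' "$1" | tr ',' ' '; }

# Claims of a service-account assertion: iss = service account, sub = the admin being
# impersonated (this is what domain-wide delegation authorises), aud = token endpoint.
jwt_claims() (
  iat=$4; exp=$((iat + 3600))
  printf '{"iss":"%s","sub":"%s","scope":"%s","aud":"%s","iat":%s,"exp":%s}' \
    "$1" "$2" "$3" "$TOKEN_URL" "$iat" "$exp"
)

# RS256 JWT: base64url(header).base64url(claims).base64url(RSA-SHA256 signature over the first two)
sign_jwt() (
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '%s' "$2" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
)

# Exchange the signed assertion for a short-lived access token (prints the token, or nothing on error).
fetch_access_token() {
  curl -sS "$TOKEN_URL" \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
    --data-urlencode "assertion=$1" \
    | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

api_get() { curl -sS -H "Authorization: Bearer $1" "$2"; }

if [ "${1:-}" = "run" ]; then
  pem=$(mktemp); trap 'rm -f "$pem"' EXIT
  # Extract the unencrypted private key from the P12 (add -legacy on OpenSSL 3 if it refuses the file).
  openssl pkcs12 -in "$P12_PATH" -nocerts -nodes -passin "pass:$P12_PASSWORD" -out "$pem" || exit 1
  claims=$(jwt_claims "$SA_EMAIL" "$ADMIN_EMAIL" "$(scopes_for_jwt "$SCOPES_CSV")" "$(date +%s)")
  token=$(fetch_access_token "$(sign_jwt "$pem" "$claims")")
  [ -n "$token" ] || { echo "token request failed: check client ID, scopes and delegation" >&2; exit 1; }
  echo "== Directory users in $DOMAIN (proves admin.directory.* delegation works)"
  api_get "$token" "https://admin.googleapis.com/admin/directory/v1/users?domain=$DOMAIN&maxResults=5"
  echo "== Files visible in the Drive of $ADMIN_EMAIL (expected to be empty per the set-up note)"
  api_get "$token" "https://www.googleapis.com/drive/v3/files?pageSize=10&fields=files(id,name,mimeType)"
fi
```

Run it as `sh check-delegation.sh run`; with no argument it only defines the functions. An `unauthorized_client` error from the token endpoint is the usual sign that the client ID or the scope list entered in the Admin console does not match the assertion, and any file listed under the Drive call is one that will be visible to IDHub.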

IDHub Splice Configuration and Deployment

Prerequisites

  1. JRE 16 OR JDK 16 installed

  2. IDHub Google-Connector deliverable package with libraries

What the deliverable looks like

  1. IDHub Connector Application.jar

  2. application.properties

  3. lib

    • google-splice.jar

    • google splice dependencies

      • google-api-services-admin-directory-directory_v1-rev53-1.20.0.jar

      • google-api-services-drive-v3-rev197-1.25.0.jar

      • google-oauth-client-jetty-1.23.0.jar

      • google-api-client-gson-1.23.1.jar

      • google-http-client-1.23.0.jar

      • google-http-client-gson-1.23.0.jar

      • google-http-client-jackson2-1.23.0.jar

      • google-oauth-client-1.23.0.jar

      • google-oauth-client-java6-1.23.0.jar

      • google-api-client-1.23.1.jar

  4. .p12 certificate (Generated in Google for the service-account access. Follow steps in ‘Google Workspace Set up’ to generate if not available)

Configuration

Update application.properties (note: these are Splice properties only):

#IDHUB Connector application properties will be added first
    
#Splice properties
server:
    port: <port number to host this connector on>
app:
    name: <Name of the application while sending requests to Google>
    description: <Short description of the application>
    owner:
        business: <Business owner for the application>
        it: <IT owner for the application>
google:
    domain: iamsath.com
    admin:
        email: admin@iamsath.com
    service:
        account: <Email address of your service account>
    certificate:
        path: <Path of the .p12 secrets file>
    default:
        org:
            path: <Organization unit path to create new users>

If you do not have the values for google.* in the configuration file above, follow the 'Google Workspace Set up' section at the top of this page to obtain them.

Run

Run the Connector Application with google-splice.jar and its dependencies in lib.