Google Workspace Set up

To use the Google connector, a service account, an admin email address, and a certificate for the service account are all required. If these are not already set up, follow the guidelines below.

Prerequisites

  1. Access to the Google API developer console and project, to create the service account, create the necessary keys, and grant domain-wide delegation to the service account.

  2. Admin email address

The admin user's personal Drive might show up in IDHub. It is recommended that the admin user provided in application.properties not have any personal drive or files.

The Google admin account should not be a day-to-day user account.

Navigate to https://drive.google.com/drive/my-drive and log in with the admin email address; verify there are no folders or files in the admin's Drive that you do not want to show up in IDHub.

Google API configuration

This step covers creating a service account and certificate, and granting domain-wide delegation to the service account. Reference - https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

Enable APIs on Google Workspace

Reference - https://support.google.com/googleapi/answer/6158841?hl=en

To enable an API for your project:

  1. Go to the API Console.

  2. From the projects list, select a project or create a new one.

  3. If the APIs & services page isn't already open, open the console left side menu and select APIs & services.

  4. Then select Library.

  5. Click the Admin SDK API. If you need help finding the API, use the search field. Click ENABLE.

  6. Repeat the above steps for the Google Drive API.

Ensure the API Enabled check box is selected next to the ‘TRY THIS API’ button.

Create service account

Service account keys pose a security risk if compromised. Delete and create new keys (.p12 certificate) for the service account every month to mitigate this risk.

  1. Navigate to https://console.developers.google.com/apis/credentials .

    1. Login with Admin credentials

    2. Select the correct project from the drop-down menu next to 'Google Cloud Platform'.

  2. Click on '+ CREATE CREDENTIALS'

    1. Select 'Service Account' from the drop-down menu.

    2. Provide a name (e.g. idhub-scim) and a description for your service account.

    3. Note the complete email address.

    4. Click on 'DONE'

  3. Refresh the page if your newly created service account does not show up instantly on the credentials page.

  4. Click on the pencil icon next to the Service Account to edit it.

    1. Now Click on 'SHOW DOMAIN-WIDE DELEGATION'

    2. Check the box for 'Enable Google Workspace Domain-wide Delegation'

    3. Click 'Save'.

    4. A Client ID will show up. Copy this ID.

  5. Navigate to the Permissions tab and add the admin user as Owner.

Generate service account certificate

  1. Click on Keys tab in the service account.

    1. Click on ‘ADD KEY', then 'Create new key’

    2. Select P12 format

    3. Click 'CREATE'

    4. When the file pop-up opens, select 'Save File' and save it to a location on your computer.

    5. Note the private key password.

  2. Rename the downloaded p12 file as desired and store the secret in a secure store.

  3. Transfer the certificate to the server where the IDHub Connector for Google will be installed.

  4. Copy the complete path of the certificate for use in the properties file.

Configure Domain wide delegation for service account

  1. Navigate to https://admin.google.com in a new tab or window.

  2. Go to Main menu > Security > API Controls.

  3. In the Domain-wide delegation pane, select Manage Domain Wide Delegation.

    1. Click Add new.

    2. In the Client ID field, enter the service account's Client ID.

    3. In the OAuth scopes (comma-delimited) field, enter the list of scopes below (6 scopes).

      https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/drive.readonly

    4. Click Authorize.

    5. Click on View Details and verify that the scopes listed above have been added.

After these configurations are completed, the P12 certificate allows the Google connector to authenticate to Google and use the scopes defined above to access Users, Drive and Groups.
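Domain-wide delegation only works when the scopes the connector requests exactly match the scopes authorized in the Admin console; a single extra or mistyped scope makes Google reject the whole token request. The following preflight check is an added example and is not part of this guide or of the IDHub connector. It reads a constructed application.properties fragment (the property names google.admin.email, google.service.account.email and google.scopes are hypothetical placeholders, not the connector's real keys), compares the requested scopes against the six authorized ones, and builds the unsigned JWT claim set that the service-account flow sends to Google's token endpoint, so you can see where the admin email (sub) and the scopes end up. Signing with the P12 private key is left to the client library and is not shown.

```python
"""Preflight check for domain-wide delegation settings (added example)."""
import base64
import json
import time

# The six scopes authorized in the Admin console, as listed in the guide.
AUTHORIZED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
})

# Google's OAuth 2.0 token endpoint; the JWT's "aud" claim must equal it.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Constructed sample properties file (hypothetical key names). It contains
# stray whitespace around scopes and one scope that was never authorized
# (calendar), which the check must report.
SAMPLE_PROPERTIES = """\
# connector settings (constructed sample)
google.admin.email=admin@example.com
google.service.account.email=idhub-scim@my-project.iam.gserviceaccount.com
google.scopes=https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/drive ,https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/calendar
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_scopes(value):
    """Split a comma-delimited scope list, trimming whitespace and dropping blanks."""
    return [s.strip() for s in value.split(",") if s.strip()]


def check_scopes(requested, authorized=AUTHORIZED_SCOPES):
    """Return the requested scopes that the admin never authorized (sorted).

    Google matches delegated scopes exactly, so an empty result is required
    before the connector can obtain a token for the admin user.
    """
    return sorted(set(requested) - set(authorized))


def build_claim_set(service_account_email, admin_email, scopes, now=None):
    """Build the unsigned JWT for the service-account flow with delegation.

    iss = service account email, sub = impersonated admin, scope = space-separated
    scopes, aud = token endpoint. Returns (claims dict, "header.payload" string);
    the real client library appends an RS256 signature made with the P12 key.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": service_account_email,
        "sub": admin_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + 3600,  # Google accepts at most one hour of lifetime
    }

    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return claims, f"{b64url(header)}.{b64url(claims)}"


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    scopes = split_scopes(props["google.scopes"])
    unauthorized = check_scopes(scopes)
    if unauthorized:
        print("Scopes requested but not authorized in the Admin console:")
        for s in unauthorized:
            print("  ", s)
    claims, unsigned = build_claim_set(
        props["google.service.account.email"], props["google.admin.email"], scopes)
    print("claim set:", json.dumps(claims, indent=2))
    print("unsigned JWT:", unsigned)
```

Run it against your own properties file by replacing SAMPLE_PROPERTIES with the file's contents; an empty "not authorized" list plus a claim set whose sub is the admin email from the guide is what a correctly delegated setup looks like.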

Configuration

Prerequisites

  • Keycloak Client ID, service account user and password.

  • Service Account Certificate

Steps

  1. Go to https://bitbucket.org/sath-inc/google-workspace-splice/src/master/ and click “Run Pipeline”.

  2. Set the following options as described below.

    1. Branch - choose which branch to deploy; if you just want to test the connector, use the ‘master’ branch.

    2. Pipeline - ‘custom: deploy-connector’

    3. Variables - Set your own variable values.

    4. Click “Run”.

  3. If everything is successful, you should get the Service URL from the second-to-last step of the pipeline. See picture below.