1. The Google connector consists of the 3 files listed below. Transfer these files to the server where the connector is to be deployed:

  • google-splice-<version>-with-connector-application<version>.jar

  • application.yml

  • .p12 certificate (generated in Google for service-account access; follow the steps in 'Google Workspace Set up' to generate one if it is not available)

2. Create a directory for the Google connector under /apps. In the instructions below, a directory named google_connector is created in /apps:

    cd /apps
    mkdir google_connector

3. Copy the 2 files mentioned in step 1 into the google_connector directory created in step 2.

Google Workspace Set up

To use the Google connector, a service account, an admin email address, and a certificate for the service account are all required. If these are not already set up, use the guidelines below to set them up.

Prerequisites

  1. Access to the Google API developer console and project, to create the service account, create the necessary keys, and grant domain-wide delegation to the service account.

  2. Admin email address

The admin user's personal Drive might show up in IDHub. It is recommended that the admin user provided in application.properties not have any personal Drive files.

The Google admin account should not be a day-to-day user account.

Navigate to https://drive.google.com/drive/my-drive, log in with the admin email address, and verify there are no folders or files in the admin's Drive that you do not want to show up in IDHub.

Google API configuration

This step covers creating the service account and its certificate, and granting domain-wide delegation to the service account. Reference - https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority

Enable APIs on Google Workspace

Reference - https://support.google.com/googleapi/answer/6158841?hl=en

To enable an API for your project:

  1. Go to the API Console.

  2. From the projects list, select a project or create a new one.

  3. If the APIs & services page isn't already open, open the console left side menu and select APIs & services.

  4. Then select Library.

  5. Click the Admin SDK API. If you need help finding the API, use the search field. Click ENABLE.

  6. Repeat the above steps for the Google Drive API.

Ensure the API Enabled check box is selected next to the 'TRY THIS API' button.

Create service account

Service account keys pose a security risk if compromised. Delete and create new keys (.p12 certificate) for the service account every month to limit this risk.

  1. Navigate to https://console.developers.google.com/apis/credentials.

    1. Login with Admin credentials

    2. Select the correct project from the drop-down menu next to 'Google Cloud Platform'.

  2. Click on '+ CREATE CREDENTIALS'

    1. Select 'Service Account' from the drop-down menu.

    2. Provide a name (e.g., idhub-scim) and a description for your service account.

    3. Note the complete email address.

    4. Click on 'DONE'

  3. Refresh the page if your newly created service account does not show up instantly on the credentials page.

  4. Click on the pencil icon next to the Service Account to edit it.

    1. Click on 'SHOW DOMAIN-WIDE DELEGATION'.

    2. Check the box for 'Enable Google Workspace Domain-wide Delegation'

    3. Click 'Save'.

    4. A Client ID will show up. Copy this ID.

  5. Navigate to the Permissions tab and add the admin user as Owner.

Generate service account certificate

  1. Click on Keys tab in the service account.

    1. Click on 'ADD KEY', then 'Create new key'.

    2. Select P12 format

    3. Click 'CREATE'

    4. When the file pop-up opens, select 'Save File' and save it to a location on your computer.

    5. Note the private key password.

  2. Rename the downloaded .p12 file as desired and store the private key password in a secure store.

  3. Transfer the certificate to the server where the IDHub connector for Google will be installed.

  4. Copy the complete path of the certificate; it is needed in the properties file.

Configure Domain wide delegation for service account

  1. Navigate to https://admin.google.com in a new tab/window.

  2. Go to Main menu > Security > API Controls.

  3. In the Domain-wide delegation pane, select Manage Domain Wide Delegation.

    1. Click Add new.

    2. In the Client ID field, enter the service account's Client ID.

    3. In the OAuth scopes (comma-delimited) field, enter the list of scopes below (6 scopes):

      https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/drive.readonly
    4. Click Authorize.

    5. Click on View Details and verify that the scopes listed above have been added.

After these configurations are completed, the P12 certificate allows the Google connector to authenticate to Google and use the scopes defined above to access Users, Drive and Groups.

Configuration

Prerequisites

  1. JRE 16 or JDK 16 installed

  2. Google Connector

Steps

1. Update the configuration file application.yml with all the Google Workspace related properties obtained while setting up Google Workspace, as explained in the section above.

2. Continue editing application.yml as per the table below.

Field Name           Field Description
-------------------  -----------------------------------------------------------------------------
jwk-set-uri          Certs URL, for example https://<dev7.iamsath.com>/auth/realms/IDHub/protocol/openid-connect/certs.
                     Replace the part in <> with the name of the server where the connector is deployed; the rest remains the same.
idhub.hostname       Hostname / IP of the IDHub application
idhub.realm          Tenant / Keycloak realm name
idhub.clientId       Client ID of the client under idhub.realm in Keycloak
idhub.secret         Client secret (password) for the client ID
idhub.accessToken    Follow this document to generate access and refresh tokens
idhub.refreshToken   (see idhub.accessToken)
idhub.test           Set to false
app.name             Name of the application
app.description      Application description
app.businessOwner    Name of the business owner of the application
app.itOwner          Name of the IT owner of the application
server.port          Port on which the Google connector application will run. See this to set up a reverse proxy.

The application.yml file should look like this after making all the changes.

Run

Run the connector either from the command line or as a service.

a. To run from the command line

For example, to run the Google connector jar in the background and redirect its output to nohup.out:

    cd /apps/google_connector
    # start in the background; stdout and stderr both go to nohup.out
    nohup java -jar google-splice-1.0.0-with-connector-application-2.1.5.jar > nohup.out 2>&1 &


b. To run the connector as a service, follow the steps here
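A pre-flight script for the deployment steps above, added here as an example (it is not part of the connector or of this page). It checks the Java 16 prerequisite, that the jar, application.yml and .p12 key are all present in the connector directory, and that the .p12 (which holds the service account's private key) is readable by its owner only; the default directory /apps/google_connector and the file name patterns are assumptions taken from the steps above.

```shell
#!/bin/sh
# Added pre-flight check for the Google connector deployment (not part of the
# connector or the page). Assumed layout: the jar, application.yml and the
# .p12 key live in one directory, /apps/google_connector by default.

# Major Java version from the text of `java -version 2>&1`
# ("16.0.2" -> 16, legacy "1.8.0_292" -> 8).
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;
  esac
}

# Succeeds when the connector jar, application.yml and a .p12 key are all present.
connector_files_present() {
  dir=$1
  ls "$dir"/google-splice-*-with-connector-application*.jar >/dev/null 2>&1 || return 1
  [ -f "$dir/application.yml" ] || return 1
  ls "$dir"/*.p12 >/dev/null 2>&1
}

# Succeeds when the key file is readable by its owner only (mode 600 or stricter);
# columns 5-10 of `ls -l` are the group and other permission bits.
p12_perms_ok() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

run_checks() {
  dir=${1:-/apps/google_connector}
  status=0
  jv=$(java_major "$(java -version 2>&1)")
  if [ "$jv" != "16" ]; then
    echo "FAIL: Java 16 required, found major version '${jv:-none}'"; status=1
  fi
  if connector_files_present "$dir"; then
    for k in "$dir"/*.p12; do
      p12_perms_ok "$k" || { echo "FAIL: $k is readable by group/others"; status=1; }
    done
  else
    echo "FAIL: jar, application.yml or .p12 missing in $dir"; status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: $dir is ready to run the connector"
  return "$status"
}

# Run the checks only when a directory is given, e.g. sh preflight.sh /apps/google_connector
if [ $# -gt 0 ]; then run_checks "$1"; fi
```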