Google Workspace Set up
To use Google Splice, you need a service account, an admin email address, and a certificate (P12 key) for that service account. If these are not already set up, use the guidelines below to create them.
Access to the Google API developer console and a project is required to create the service account, create the necessary keys, and grant domain-wide delegation to the service account.
Admin email address
The admin user's personal Drive may show up in IDHub. It is recommended that the admin user configured in application.properties has no personal Drive folders or files.
The Google admin account should not be a day-to-day user.
Navigate to https://drive.google.com/drive/my-drive, log in with the admin email address, and verify there are no folders or files in the admin Drive that you do not want to show up in IDHub.
Google API - One time configuration
This step covers creating the service account and its certificate and granting domain-wide delegation to the service account. Reference - https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
Enable APIs on Google Workspace
To enable an API for your project:
Go to the API Console.
From the projects list, select a project or create a new one.
If the APIs & services page isn't already open, open the console left side menu and select APIs & services.
Then select Library.
Click the Admin SDK API. If you need help finding the API, use the search field. Click ENABLE.
Repeat the above steps for the Google Drive API.
Ensure the API Enabled check box is selected next to the ‘TRY THIS API’ button.
Create service account
Service account keys pose a security risk if compromised. Delete and create new keys (.p12 certificate) for the service account every month to mitigate this risk.
Navigate to https://console.developers.google.com/apis/credentials .
Login with Admin credentials
Select the correct project from the drop-down menu next to (Google Cloud Platform).
Click on '+ CREATE CREDENTIALS'.
Select 'Service Account' from the drop-down menu.
Provide a name (e.g. idhub-scim) and description for your Service Account.
Note the complete Email address.
Click on 'DONE'
Refresh the page if your newly created service account does not show up instantly on the credentials page.
Click on the pencil icon next to the Service Account to edit it.
Now Click on 'SHOW DOMAIN-WIDE DELEGATION'
Check the box for 'Enable Google Workspace Domain-wide Delegation'
A Client ID will show up. Copy this ID.
Navigate to Permissions tab and add the admin user as Owner
Generate service account certificate
Click on Keys tab in the service account.
Click on 'ADD KEY', then 'Create new key'.
Select P12 format.
When the file pop-up opens, select 'Save File' and save it to a location on your computer.
Note the private key password
Rename the downloaded p12 file as desired and store the secret in a secure store.
Transfer the certificate to the server where the IDHub Connector for Google will be installed.
Copy the complete path of the certificate to use it in the properties file.
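The guide asks for the service account key to be recreated every month. The following script is an added example (not part of the IDHub deliverable) that flags user-managed keys older than that policy. It assumes the JSON shape produced by `gcloud iam service-accounts keys list --iam-account=<service account email> --format=json` (fields `name`, `keyType`, `validAfterTime`, `validBeforeTime`); the sample input below is constructed to mirror that shape, not captured from a real project.

```python
"""Flag service account keys that are due for rotation under a 30-day policy."""
import json
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 30  # the guide's "every month" policy

# Constructed sample mirroring `gcloud iam service-accounts keys list --format=json`:
# two user-managed keys and one Google-managed key. Key ids are placeholders.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/example-project/serviceAccounts/idhub-scim@example-project.iam.gserviceaccount.com/keys/aaaa1111",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2024-01-05T10:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/idhub-scim@example-project.iam.gserviceaccount.com/keys/bbbb2222",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2024-03-20T10:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/idhub-scim@example-project.iam.gserviceaccount.com/keys/cccc3333",
   "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2024-03-25T10:00:00Z",
   "validBeforeTime": "2024-04-08T10:00:00Z"}
]"""

# Fixed evaluation time so the example is reproducible (constructed).
SAMPLE_AS_OF = datetime(2024, 4, 1, tzinfo=timezone.utc)


def parse_time(value: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps gcloud emits into timezone-aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def keys_due_for_rotation(keys_json: str, now: datetime, max_age_days: int = ROTATION_DAYS) -> list:
    """Return (key_id, age_in_days) for every user-managed key older than max_age_days.

    Google-managed keys (keyType SYSTEM_MANAGED) are rotated by Google and are skipped;
    only keys created by an operator (the P12 files from this guide) are reported.
    """
    overdue = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_time(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            key_id = key["name"].rsplit("/", 1)[-1]
            overdue.append((key_id, age.days))
    return overdue


if __name__ == "__main__":
    for key_id, days in keys_due_for_rotation(SAMPLE_KEYS_JSON, SAMPLE_AS_OF):
        print(f"key {key_id} is {days} days old: delete it and create a new P12 key")
```

In practice, pipe the real `gcloud` output into `keys_due_for_rotation` with `datetime.now(timezone.utc)`; after uploading the replacement certificate to the connector server and updating the properties file, delete the old key so a copied P12 file cannot be used any longer.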
Configure Domain wide delegation for service account
Navigate to https://admin.google.com on a new tab/window
Go to Main menu > Security > API Controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the service account's Client ID.
In the OAuth scopes (comma-delimited) field, enter the below list of scopes. (6 scopes)
Click on View Details and verify the scopes listed above are added.
After these configurations are completed, the P12 certificate allows Splice to authenticate to Google and use the scopes defined above to access Users, Drive and Groups.
IDHub Splice Configuration and Deployment
JRE 16 OR JDK 16 installed
IDHub Google-Connector deliverable package with libraries
What the deliverable contains
IDHub Connector Application.jar
Google Splice dependencies
.p12 certificate (Generated in Google for the service-account access. Follow steps in ‘Google Workspace Set up’ to generate if not available)
Update the application.properties (Note: These are splice properties ONLY)
#IDHUB Connector application properties will be added first
#Splice properties
server:
  port: <port number to host this connector on>
app:
  name: <Name of the application while sending requests to Google>
  description: <Short description of the application>
  owner:
    business: <Business owner for the application>
    it: <IT Owner for the application>
google:
  domain: iamsath.com
  admin:
    email: firstname.lastname@example.org
  service:
    account: <Email address of your service account>
    certificate:
      path: <Path of the .p12 secrets file>
  default:
    org:
      path: <Organization unit path to create new users>
If you do not have the values for google.* in the configuration file above, follow the ‘Google Workspace Set up’ section to set them up.
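Before running the connector, it is worth checking that none of the google.* settings are still left as a `<placeholder>` and that none is missing, since a wrong admin email or certificate path only fails at the first request to Google. The script below is an added example, not part of the IDHub deliverable; it parses the indented key/value layout shown above (one `key: value` per line, no lists) and assumes the dotted key names `google.domain`, `google.admin.email`, `google.service.account`, `google.service.certificate.path` and `google.default.org.path`, derived from that layout. The sample properties text is constructed.

```python
"""Check the google.* section of application.properties for placeholders and missing keys."""
import re

# Dotted keys assumed from the nested layout in the guide (an assumption of this example).
REQUIRED_GOOGLE_KEYS = [
    "google.domain",
    "google.admin.email",
    "google.service.account",
    "google.service.certificate.path",
    "google.default.org.path",
]

# Values the guide ships as <angle-bracket placeholders> that must be replaced.
PLACEHOLDER = re.compile(r"^<.*>$")

# Constructed sample: one value left as a placeholder and one key missing entirely.
SAMPLE_PROPERTIES = """\
# Splice properties (constructed sample)
server:
  port: 8443
app:
  name: idhub-google-splice
  description: IDHub connector for Google Workspace
google:
  domain: example.org
  admin:
    email: idhub-admin@example.org
  service:
    account: idhub-scim@example-project.iam.gserviceaccount.com
    certificate:
      path: <Path of the .p12 secrets file>
"""


def flatten_properties(text: str) -> dict:
    """Turn the indented key: value layout into a flat dict of dotted keys.

    A line with no value opens a section; its children are the following lines
    with deeper indentation. Blank lines and # comments are ignored.
    """
    flat = {}
    stack = []  # (indent, key) of the sections enclosing the current line
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        # Leave every section that is not an ancestor of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value:
            flat[path] = value
        else:
            stack.append((indent, key))
    return flat


def check_google_settings(text: str) -> list:
    """Return one human-readable problem per required google.* key that is unusable."""
    problems = []
    flat = flatten_properties(text)
    for key in REQUIRED_GOOGLE_KEYS:
        value = flat.get(key)
        if value is None:
            problems.append(f"{key}: missing")
        elif PLACEHOLDER.match(value):
            problems.append(f"{key}: still a placeholder ({value})")
    return problems


if __name__ == "__main__":
    for problem in check_google_settings(SAMPLE_PROPERTIES):
        print(problem)
```

Run it against the real file (`check_google_settings(open("application.properties").read())`) and fix every line it reports before starting the connector; an empty list means all five google.* settings are present and filled in.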
Run the Connector application with the Splice libraries in lib.