Common configuration for Google Workspace - Directory API

This document describes how to set up the Google Directory API (part of the Admin SDK) so that Fortified ID products can perform CRUD operations on Google Workspace users. It also describes how to find the custom schema and attribute names used for the mappings.

Prerequisites

  • Google Workspace administration rights.

Update the Google Workspace configuration

Setup API for user lookup

  • Log in to the Google Cloud console (https://console.cloud.google.com) with an administrator account for your Google Workspace domain. (Projects, APIs and service accounts are managed in the Cloud console; the admin console at https://admin.google.com is used later to assign the admin role.)

  • Create a new project. Name the project UserApiLookupsFor<Customer>. (Replace <Customer> with a customer identifier; it can be any string.) Leave the rest with default values.

  • Open (select) the newly created project

  • Select Enabled APIs & services

  • Click + Enable APIs and services

  • Search for Admin SDK API

  • Select Admin SDK API

  • Click Enable

  • Click on Admin SDK API

  • Click Credentials

  • Click Manage Service Accounts

  • Click +Create Service Account

  • Enter a name, for example userapi, and click Create

  • Click on the newly created Service Account

  • Click Keys

  • Click Add key -> Create new key

  • Select the P12 key type

  • Copy the private key password shown when the key is created; it is needed for the keystore configuration below. The P12 file is downloaded immediately and is the only copy of the private key, so handle it as a credential from this point on.

  • Rename the downloaded p12 file to google_jwt_signer.p12

  • Place the p12 file on the Integrity Web / Password Reset / Forms server (depending on your use case) and restrict it so that only the account running the product can read it (for example chmod 600 on Linux). Remove the file from your client; it grants the admin rights assigned below to anyone who holds it.

  • Copy the service account email address value (for example [email protected])

  • Open the admin console (https://admin.google.com)

  • Navigate to Account->Admin roles

  • Click Assign Admin in the row representing the role User Management Admin

  • Click Assign Service account

  • Enter the service account email address

  • Click ADD

The User Management Admin role lets the service account create, read, update and delete every non-administrator user in the domain, so the p12 key is effectively a domain admin credential. If a use case only needs lookups, a custom admin role with read-only user privileges is the least-privilege alternative. To rotate the key, create a new key on the service account, deploy it, and then delete the old key.

Fetch the schema and custom attribute names

  • From the admin console, navigate to Directory->Users

  • Select More options->Manage custom attributes

  • Find the schema and attribute name for the social security number (or add a new custom attribute for that purpose). In the example below, the schema name is FortifiedID and the attribute name is personnummer.

  • (If the social security number has not been provisioned already, store it in that attribute on the user objects.)
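As an added example (not part of this document or of the Fortified ID products), the following Python shows what the schema.attribute name found above corresponds to on the Directory API side: custom schema values are returned under customSchemas in the user resource, and only when the request asks for them (projection=custom with customFieldMask, or projection=full). The sample user resources and their values are constructed for the example; the helper names are the example's own.

```python
import json

# Constructed sample item, in the shape of a Directory API users.get /
# users.list response when custom schema fields are requested. Values are made up.
SAMPLE_USER = {
    "kind": "admin#directory#user",
    "primaryEmail": "anna.andersson@fortifiedid.se",
    "name": {"givenName": "Anna", "familyName": "Andersson"},
    "orgUnitPath": "/Staff",
    "customSchemas": {"FortifiedID": {"personnummer": "19900101-1234"}},
}

# Same shape with the default projection=basic: the customSchemas key is
# absent even if the attribute is set on the user.
SAMPLE_USER_BASIC = {
    "kind": "admin#directory#user",
    "primaryEmail": "bo.berg@fortifiedid.se",
    "orgUnitPath": "/Staff",
}


def split_custom_attribute(custom_attribute):
    """Split 'FortifiedID.personnummer' into (schema, attribute)."""
    parts = custom_attribute.split(".")
    if len(parts) != 2 or not all(parts):
        raise ValueError("custom_attribute must be <schema>.<attribute>: %r" % custom_attribute)
    return parts[0], parts[1]


def list_users_params(domain, custom_attribute, max_results=200):
    """Query parameters for users.list that make the API return the custom
    schema. Without projection=custom/full the customSchemas key is missing."""
    schema, _ = split_custom_attribute(custom_attribute)
    return {
        "domain": domain,
        "projection": "custom",
        "customFieldMask": schema,
        "maxResults": max_results,
    }


def lookup_query(custom_attribute, value):
    """users.list 'query' parameter for a server-side lookup by a custom
    schema field (schemaName.fieldName=value). The field must have been
    created as indexed in the custom schema for this search to work."""
    schema, attr = split_custom_attribute(custom_attribute)
    if '"' in value or " " in value:
        raise ValueError("unexpected characters in lookup value")
    return "%s.%s=%s" % (schema, attr, value)


def get_custom_attribute(user, custom_attribute):
    """Read the configured attribute from a user resource; None when the
    schema or field is absent (not requested, or not provisioned)."""
    schema, attr = split_custom_attribute(custom_attribute)
    return user.get("customSchemas", {}).get(schema, {}).get(attr)


def find_by_custom_attribute(users, custom_attribute, value):
    """Client-side match over one page of users.list results."""
    return [u["primaryEmail"] for u in users
            if get_custom_attribute(u, custom_attribute) == value]


if __name__ == "__main__":
    attr = "FortifiedID.personnummer"
    print(json.dumps(list_users_params("fortifiedid.se", attr)))
    print(lookup_query(attr, "19900101-1234"))
    print(get_custom_attribute(SAMPLE_USER, attr))
    print(get_custom_attribute(SAMPLE_USER_BASIC, attr))
    print(find_by_custom_attribute([SAMPLE_USER, SAMPLE_USER_BASIC], attr, "19900101-1234"))
```

The second sample user illustrates the usual cause of an empty mapping: the attribute is provisioned, but the request did not include the schema, so the lookup sees None.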

Update the configuration to map to your environment

Integrity Web

(This step is only required if the use case involves Integrity Web. If not, please skip this step).

Place the file google_jwt_signer.p12 in the folder customer/config/resources_internal/certificates/Google/. (Replace if a file already exists)

Open the file customer/config/globals.json. Change according to the instructions below.

  1. google

Set the proper values for your environment.

Set domain to your Google Workspace DNS domain.

Set serviceaccount to the service account email address copied in the previous step.

Set custom_attribute to <schema>.<attribute name> as found in the previous step.

Example:

"google": {
    "domain": "fortifiedid.se",
    "serviceaccount": "[email protected]",
    "custom_attribute": "FortifiedID.personnummer"
},

  2. keystore->google

Change the passwords (ssl_keystore_password and ssl_key_password) to the private key password shown when the key was created. The password values in the example are illustrative only.

Example:

"google": {
    "ssl_keystore_path": "${globals.file_path.base_dir}/config/resources_internal/certificates/Google/google_jwt_signer.p12",
    "ssl_keystore_password": "Summer2022rr3",
    "ssl_key_alias": "privatekey",
    "ssl_key_password": "Summer2022rr3"
}

Password reset

(This step is only required if the use case involves Password Reset. If not, please skip this step).

Place the file google_jwt_signer.p12 in the folder customer/config/resources_internal/certificates/Google/. (Replace if a file already exists)

Open the file customer/config/globals.json. Change according to the instructions below.

  1. google

Set the proper values for your environment.

Set serviceaccount to the service account email address copied in the previous step.

Example:

"google": {
    "serviceaccount": "[email protected]"
},

  2. keystore->google

Change the passwords (ssl_keystore_password and ssl_key_password) to the private key password shown when the key was created. The password values in the example are illustrative only.

Example:

"google": {
    "ssl_keystore_path": "${globals.file_path.base_dir}/config/resources_internal/certificates/Google/google_jwt_signer.p12",
    "ssl_keystore_password": "Summer2022rr3",
    "ssl_key_alias": "privatekey",
    "ssl_key_password": "Summer2022rr3"
}

Forms

(This step is only required if the use case involves Forms. If not, please skip this step).

Place the file google_jwt_signer.p12 in the folder customer/config/resources_internal/certificates/Google/. (Replace if a file already exists)

Open the file customer/config/globals.json. Change according to the instructions below.

  1. google

Set the proper values for your environment.

Set domain to your Google Workspace DNS domain.

Set serviceaccount to the service account email address copied in the previous step.

Set mapping_attribute to the Google Directory API user attribute that connects the delegated admin with the users that admin should be able to manage (in the example, orgDepartment: the admin manages users whose department matches). See Google's Directory API documentation for the user resource for the attribute names.

Set custom_schema_name to the schema name found in the previous step.

Set custom_update_structure to the body that should be sent to the Google API when a form is submitted. Change the schema name and attribute names to match your environment; the {{{request.<name>}}} placeholders in the example are filled in from the submitted request.

Example:

"google": {
    "domain": "fortifiedid.se",
    "serviceaccount": "[email protected]",
    "mapping_attribute": "orgDepartment",
    "custom_schema_name": "FortifiedID",
    "custom_update_structure": {
        "customSchemas": {
            "FortifiedID": {
                "mlsman1": "{{{request.malsman1}}}",
                "mlsman2": "{{{request.malsman2}}}"
            }
        }
    }
},

  2. keystore->google

Change the passwords (ssl_keystore_password and ssl_key_password) to the private key password shown when the key was created. The password values in the example are illustrative only.

Example:

"google": {
    "ssl_keystore_path": "${globals.file_path.base_dir}/config/resources_internal/certificates/Google/google_jwt_signer.p12",
    "ssl_keystore_password": "Summer2022rr3",
    "ssl_key_alias": "privatekey",
    "ssl_key_password": "Summer2022rr3"
}

Save the file.
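As an added example (not part of this document or of the Fortified ID products), the following Python checks the google and keystore->google blocks from all three sections above before the server is restarted, and shows what the Forms custom_update_structure becomes once the placeholders are filled in. The placeholder substitution is a simplified stand-in for the product's own templating (assumption: {{{request.<name>}}} is replaced with the submitted value). The sample service account address, form values and check messages are the example's own; the example password is the one from the configuration samples above and the checker flags it so it does not reach production.

```python
import os
import re
import stat

# Password used in this document's example keystore block; assumption: it is
# only an illustration, so a deployment must not keep it.
EXAMPLE_PASSWORD = "Summer2022rr3"

# Assumed placeholder syntax from the custom_update_structure example.
PLACEHOLDER = re.compile(r"\{\{\{\s*([A-Za-z0-9_.]+)\s*\}\}\}")


def render_update_structure(structure, context):
    """Fill the placeholders and return the body sent to users.update/patch.
    Simplified stand-in (assumption) for the product's own templating."""
    def lookup(path):
        node = context
        for part in path.split("."):
            if not isinstance(node, dict) or part not in node:
                raise KeyError("unresolved placeholder {{{" + path + "}}}")
            node = node[part]
        return node

    def walk(value):
        if isinstance(value, dict):
            return {k: walk(v) for k, v in value.items()}
        if isinstance(value, list):
            return [walk(v) for v in value]
        if isinstance(value, str):
            return PLACEHOLDER.sub(lambda m: str(lookup(m.group(1))), value)
        return value

    return walk(structure)


def check_google_config(google, keystore):
    """Findings for the 'google' block and the keystore->google block."""
    findings = []
    if not google.get("serviceaccount", "").endswith(".iam.gserviceaccount.com"):
        findings.append("serviceaccount: expected the service account email "
                        "(<name>@<project>.iam.gserviceaccount.com)")
    domain = google.get("domain")
    if domain is not None and not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        findings.append("domain: use the bare DNS domain, e.g. fortifiedid.se")
    attr = google.get("custom_attribute")
    if attr is not None and not re.fullmatch(r"[^.]+\.[^.]+", attr):
        findings.append("custom_attribute: must be <schema>.<attribute>")
    schema = google.get("custom_schema_name")
    structure = google.get("custom_update_structure")
    if structure is not None and schema not in structure.get("customSchemas", {}):
        findings.append("custom_update_structure: customSchemas has no key "
                        "matching custom_schema_name %r" % schema)
    if not keystore.get("ssl_keystore_path", "").endswith(".p12"):
        findings.append("ssl_keystore_path: expected the .p12 file of the service account key")
    if keystore.get("ssl_key_alias") != "privatekey":
        findings.append("ssl_key_alias: Google-issued p12 keys use the alias 'privatekey'")
    pw, kpw = keystore.get("ssl_keystore_password"), keystore.get("ssl_key_password")
    if not pw or not kpw:
        findings.append("keystore: both passwords must be set")
    elif pw != kpw:
        findings.append("keystore: for a Google-issued p12 both passwords are the "
                        "private key password shown when the key was created")
    if EXAMPLE_PASSWORD in (pw, kpw):
        findings.append("keystore: password is the documentation example value; "
                        "set the real private key password")
    return findings


def check_keystore_file(path):
    """The key file is a credential with admin rights: it must exist and must
    not be readable by group/others."""
    if not os.path.isfile(path):
        return ["keystore file not found: " + path]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s is readable by group/others (mode %o); restrict it to the service user"
                % (path, mode)]
    return []


# The Forms example from this document; the service account address is assumed.
FORMS_GOOGLE = {
    "domain": "fortifiedid.se",
    "serviceaccount": "userapi@userapilookupsforexample.iam.gserviceaccount.com",
    "mapping_attribute": "orgDepartment",
    "custom_schema_name": "FortifiedID",
    "custom_update_structure": {"customSchemas": {"FortifiedID": {
        "mlsman1": "{{{request.malsman1}}}", "mlsman2": "{{{request.malsman2}}}"}}},
}
FORMS_KEYSTORE = {
    "ssl_keystore_path": "${globals.file_path.base_dir}/config/resources_internal/certificates/Google/google_jwt_signer.p12",
    "ssl_keystore_password": EXAMPLE_PASSWORD,
    "ssl_key_alias": "privatekey",
    "ssl_key_password": EXAMPLE_PASSWORD,
}

if __name__ == "__main__":
    # Constructed form submission (assumption: the fields arrive under "request").
    print(render_update_structure(FORMS_GOOGLE["custom_update_structure"],
                                  {"request": {"malsman1": "Eva", "malsman2": "Per"}}))
    for finding in check_google_config(FORMS_GOOGLE, FORMS_KEYSTORE) + \
            check_keystore_file(FORMS_KEYSTORE["ssl_keystore_path"]):
        print("-", finding)
```

Run it with the real globals.json values loaded instead of the embedded sample; any finding is something to fix before the product makes its first Directory API call.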
