Common configuration for Google Workspace - Directory API
This document describes how to setup the Google Directory User API to allow Fortified ID products to perform CRUD operations. It also describes how to fetch custom attribute for mappings.
Prerequisite
Google Workspace administration rights.
Update the Google Workspace configuration
Setup API for user lookup
Login to Google Workspace admin console (https://admin.google.com) as an administrator for your domain
Open the API console (https://console.developers.google.com)
Create a new project. Name the project UserApiLookupsFor<Customer>. (Replace <Customer> with a customer identifier. Can be any string.) Leave the rest with default valiues.
Open (select) the newly created project
Select Enabled APIs & services
Click + Enable APIS and services
Search for Admin SDK API
Select Admin SDK API
Click Enable
Click on Admin SDK API
Click Credentials
Click Manage Service Accounts
Click +Create Service Account
Enter a name, userapi. Create
Click on the newly created Service Account
Click Keys
Click Add key -> Create new key
Select p12 format
Copy the private key password
Rename the downloaded p12 file to google_jwt_signer.p12
Place the p12 file on the Integrity Web / Password reset / Forms server (depending on your use case). Remove the file from your client.
Copy the service account email adress value (for example [email protected])
Open the admin console (https://admin.google.com)
Navigate to Account->Admin roles
Click Assign Admin in the row representing the role User Management Admin
Click Assign Service account
Enter the service account email address
Click ADD
Fetch the schema and custom attribute
From the admin console, navigate to Directory->Users
Select More options->Manage custom attributes
Find the schema and attribute name for the social security number (or add a new custom attribute for that purpose). In the example below, the schema name is FortifiedID and the attribute name is personnummer.
(Store the social security number on the user objects, if it hasn't been provisioned already)
Update the configuration to map to your environment
Integrity Web
(This step is only required if the use case involves Integrity Web. If not, please skip this step).
Place the file google_jwt_signer.p12 in the folder customer/config/resources_internal/certificates/Google/. (Replace if a file already exists)
Open the file customer/config/globals.json. Change according to the instructions below.
google
Set the proper values for your environment.
Set domain to your Google DNS domain.
Set serviceaccount to the value fetched in previous step.
Set custom_attribute to schema.attribute_name fetched in previous step.
Example:
"google": {
"domain": "fortifiedid.se",
"serviceaccount": "[email protected]",
"custom_attribute": "FortifiedID.personnummer"
},keystore->google
Change the passwords (ssl_keystore_password and ssl_key_password) to the private key password fetched in previous step.
Example:
"google": {
"ssl_keystore_path": "${globals.file_path.base_dir}/config/resources_internal/certificates/Google/google_jwt_signer.p12",
"ssl_keystore_password": "Summer2022rr3",
"ssl_key_alias": "privatekey",
"ssl_key_password": "Summer2022rr3"
}Password reset
(This step is only required if the use case involves Password Reset. If not, please skip this step).
Place the file google_jwt_signer.p12 in the folder customer/config/resources_internal/certificates/Google/. (Replace if a file already exists)
Open the file customer/config/globals.json. Change according to the instructions below.
google
Set the proper values for your environment.
Set serviceaccount to the value fetched in previous step.
Example:
"google": {
"serviceaccount": "[email protected]"
},keystore->google
Change the passwords (ssl_keystore_password and ssl_key_password) to the private key password fetched in previous step.
Example:
"google": {
"ssl_keystore_path": "${globals.file_path.base_dir}/config/resources_internal/certificates/Google/google_jwt_signer.p12",
"ssl_keystore_password": "Summer2022rr3",
"ssl_key_alias": "privatekey",
"ssl_key_password": "Summer2022rr3"
}Forms
(This step is only required if the use case involves Forms. If not, please skip this step).
Place the file google_jwt_signer.p12 in the folder customer/config/resources_internal/certificates/Google/. (Replace if a file already exists)
Open the file customer/config/globals.json. Change according to the instructions below.
google
Set the proper values for your environment.
Set domain to your Google DNS domain.
Set serviceaccount to the value fetched in previous step.
Set mapping_attribute to the google directory api attribute that connects the delegated admin with the users the admin should be able to manage. Please view this Google documentation for more info about attribute names.
Set custom_schema_name to schema fetched in previous step.
Set custom_update_structure to match what should be sent to the Google API. Change the schema name and attribute names to match your environment.
Example:
"google": {
"domain": "fortifiedid.se",
"serviceaccount": "[email protected]",
"mapping_attribute": "orgDepartment",
"custom_schema_name" : "FortifiedID",
"custom_update_structure": {
"customSchemas": {
"FortifiedID": {
"mlsman1": "{{{request.malsman1}}}",
"mlsman2": "{{{request.malsman2}}}"
}
}
}
},keystore->google
Change the passwords (ssl_keystore_password and ssl_key_password) to the private key password fetched in previous step.
Example:
"google": {
"ssl_keystore_path": "${globals.file_path.base_dir}/config/resources_internal/certificates/Google/google_jwt_signer.p12",
"ssl_keystore_password": "Summer2022rr3",
"ssl_key_alias": "privatekey",
"ssl_key_password": "Summer2022rr3"
}Save the file.
Last updated