Follow this procedure to set up Google G Suite as a target system.
This system is available for standalone tenants running on SAP Cloud Identity infrastructure and SAP BTP, Neo environment. Bundle tenants running on SAP Cloud Identity Services infrastructure and Neo environment can use it only through SAP Identity Access Governance bundle option.
- Sign in to the Google API console (https://console.developers.google.com) and create a project.
- Enable the Admin SDK. To do this, go to Dashboard > ENABLE API > Admin SDK > ENABLE.
- Create a service account for your project. We recommend that you select Enable G Suite Domain-wide Delegation during the creation. If you skip this option, you can set it later. For more information, see Creating a service account.
- Then, in the Google admin console (https://admin.google.com), a user with the Super Admin role can delegate domain-wide authority to your service account. This way, it will have access to the Google Admin SDK on behalf of your user. For more information, see Delegating domain-wide authority.
  When specifying the scopes, the administrator has to enter the following: https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group
A Google service account with delegated domain-wide authority is required for the authentication and authorization of the Identity Provisioning service to the G Suite domain. The authentication is based on the OAuth 2.0 protocol with a JSON Web Token (JWT). Google distributes the private key used for the signature as one-time downloadable JSON data, which is accessible to the domain administrator. The private key is encoded in PKCS8 format and is located in the private_key field of the JSON data. For more information, see JSON Web Token (JWT).
- When used as a source system, Google G Suite lets you read both users and groups and provision them to any target system you have added in the Identity Provisioning user interface.
- When used as a target system, Google G Suite lets you write both users and groups that are read from any source system you have added in the Identity Provisioning user interface. Google G Suite can automatically create accounts for your users in the Google Cloud Datastore.
The Identity Provisioning service supports user and group operations based on the following Google Directory API operations (see the table below).

| User Operations | Group Operations |
|---|---|
You can only provision users whose e-mails are from verified domains.
If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.
- Access the Identity Provisioning UI.
- Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Target Systems.
- Add Google G Suite as a target system. For more information, see Add New Systems.
- Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab takes precedence.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties

| Property Name | Description & Value |
|---|---|
| Type | Enter: HTTP |
| URL | Specify the service URL: https://www.googleapis.com/admin/directory |
| ProxyType | Enter: Internet |
| Authentication | Enter: BasicAuthentication. The authentication type actually in use is OAuth with JWT, but for any provisioning system based on OAuth, BasicAuthentication is used together with the additional OAuth2TokenServiceURL property. |
| User | Enter the service account's ID. You can take it from the "client_email" field of the JSON data downloaded during the setup of the Google service account. |
| Password (Credential) | Enter the service account's private key, a long string in PKCS8 format. You can take it from the "private_key" field of the JSON data downloaded during the setup of the Google service account. |
| OAuth2TokenServiceURL | To authenticate to the Google G Suite system with OAuth, enter the URL of the access token provider service. For more information, see Using OAuth 2.0 to Access Google APIs. |
| jwt.subject | Enter the Google G Suite user on whose behalf the Google Directory API is called. This user has been assigned the User Management Admin role. The property corresponds to the "sub" claim of the JWT generated during the access token request; see JWT: "sub" (Subject) Claim. |
| jwt.scope (Optional) | Enter space-separated Google Directory API authorization scopes. For example: https://www.googleapis.com/auth/admin.directory.user |
| ips.delete.threshold.groups (Optional) | Use this property to define a threshold for the number of groups that may be deleted in the target system. It prevents you from accidentally deleting a huge number of groups, for example after adding a filter or condition. For more information, see: List of Properties |
| ips.delete.threshold.users (Optional) | Use this property to define a threshold for the number of users that may be deleted in the target system. It prevents you from accidentally deleting a huge number of users, for example after adding a filter or condition. For more information, see: List of Properties |
To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
Exemplary Configuration:

```
ProxyType=Internet
Type=HTTP
Authentication=BasicAuthentication
URL=https://www.googleapis.com/admin/directory
User=[email protected]
Password=-----BEGIN PRIVATE KEY-----\n123ABCDEFG123456789...… /123456789ABCDEFG123=\n-----END PRIVATE KEY-----\n
OAuth2TokenServiceURL=https://www.googleapis.com/oauth2/v4/token
jwt.subject=[email protected]
jwt.scope=https://www.googleapis.com/auth/admin.directory.user
```

- (Optional) Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. Identity Provisioning offers a default transformation for the Google G Suite target system, whose settings are displayed under the Transformations tab after you save its initial configuration.
Transformation principles for the target system integration:
- Mapping logic – The provisioning framework reads all attributes from the intermediate JSON data and tries to create consistent records in the Google G Suite target system, using all the available attributes accepted by the Google Directory API. When a required attribute is missing, the default transformation is designed with a condition that excludes the inconsistent records. Bear in mind the following:
  - Make sure that the JSON data sent by the source system is consistent with the configuration template of the target. For example, if the source system contains mandatory fields and the target does not support such data, the target system skips these fields. This may cause crucial data loss.
  - There is a special user status called suspended (it temporarily blocks a user without deleting any account data) for Google directory accounts. While a user account is suspended, the Google Directory API does not accept any changes to the user attributes. Once the suspended user is restored by the administrator, all attribute changes pending for the account are provisioned with the next provisioning job.

  An initial password setup is mandatory for all newly provisioned users. This is required by the Google G Suite API and must be provided when new accounts are created. The constant value that you see configured for the password attribute in the default transformation is generated by SAP. You have to replace this constant value with one known only to representatives of your company before you start using the Identity Provisioning service to create users in your corporate Google G Suite system automatically.
- User off-boarding – The Identity Provisioning service handles the deletion status of users. When a user is deleted from the source system, the deletion is enforced in the Google G Suite system as well.
You can change the default transformation mapping rules to reflect your current setup of entities in your Google G Suite. For more information, see:
Default transformation:

```json
{
  "user": {
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.name",
        "targetPath": "$.name"
      },
      {
        "sourcePath": "$.emails[0].value",
        "targetPath": "$.primaryEmail"
      },
      {
        "sourcePath": "$.phoneNumbers",
        "optional": true,
        "targetPath": "$.phones"
      },
      {
        "targetPath": "$.password",
        "scope": "createEntity",
        "functions": [
          {
            "type": "randomPassword",
            "passwordLength": 16,
            "minimumNumberOfLowercaseLetters": 1,
            "minimumNumberOfUppercaseLetters": 1,
            "minimumNumberOfDigits": 1,
            "minimumNumberOfSpecialSymbols": 0
          }
        ]
      },
      {
        "constant": "false",
        "targetPath": "$.suspended"
      },
      {
        "condition": "$.active == false",
        "constant": true,
        "targetPath": "$.suspended"
      },
      {
        "constant": "true",
        "targetPath": "$.changePasswordAtNextLogin"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.name"
      },
      // Google G Suite requires a group e-mail. By default, the email attribute is mapped to displayName.
      // If the group's Display Name does not contain an e-mail, you can either map email to another attribute,
      // or concatenate displayName with your domain. To learn how, see the detailed explanation and example below.
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.email",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.members[?(@.type == 'User')].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.id)]",
        "functions": [
          {
            "entityType": "user",
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}
```
If the displayName attribute in the source system transformation does not provide group e-mails, you can modify the transformation in the following ways:
- Map email to another attribute that contains a unique group e-mail.
- Concatenate the displayName attribute with your domain. For example:

  ```json
  {
    "sourcePath": "$.displayName",
    "targetPath": "$.email",
    "scope": "createEntity",
    "functions": [
      {
        "type": "concatString",
        "suffix": "@test.myaccount.ondemand.com"
      }
    ]
  }
  ```
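The following Python snippet is an added illustration, not part of this documentation and not SAP's transformation engine: it emulates only the rule features used in the group mapping above (sourcePath/targetPath, optional, scope and the concatString function) to show that the default rule copies the display name verbatim into email, that the concatString suffix turns it into an address in your domain, and that a record missing a non-optional attribute is rejected, as the Mapping logic note describes. The rule sets, the "Developers" group and the @test.myaccount.ondemand.com suffix are constructed sample values.

```python
import re

class InconsistentRecord(Exception): """Non-optional sourcePath missing: record excluded."""

def read_path(obj, path):
    """Resolve the JSONPath subset used above: "$.a.b" and "$.a[0].b"."""
    for token in re.findall(r"[^.\[\]]+", path.removeprefix("$.")):
        if isinstance(obj, dict):
            obj = obj.get(token)
        elif isinstance(obj, list) and token.isdigit() and int(token) < len(obj):
            obj = obj[int(token)]
        else:
            return None
    return obj

def write_path(obj, path, value):
    """Assign into "$.a.b", creating intermediate objects (no array targets here)."""
    *parents, leaf = path.removeprefix("$.").split(".")
    for key in parents:
        obj = obj.setdefault(key, {})
    obj[leaf] = value

def apply_mappings(source, mappings, scope="createEntity"):
    target = {}
    for rule in mappings:
        if rule.get("scope") not in (None, scope):
            continue  # e.g. a createEntity-only rule is skipped on update
        if "constant" in rule:
            value = rule["constant"]
        else:
            value = read_path(source, rule["sourcePath"])
            if value is None:
                if rule.get("optional"):
                    continue
                raise InconsistentRecord(rule["sourcePath"])
        for fn in rule.get("functions", []):  # only concatString is modelled here
            if fn["type"] == "concatString":
                value = fn.get("prefix", "") + str(value) + fn.get("suffix", "")
        write_path(target, rule["targetPath"], value)
    return target

# Constructed rule sets: the page's default group e-mail rules and the concatString variant.
DEFAULT_GROUP_RULES = [
    {"sourcePath": "$.displayName", "targetPath": "$.name"},
    {"sourcePath": "$.displayName", "targetPath": "$.email", "scope": "createEntity"},
]
DOMAIN_GROUP_RULES = [DEFAULT_GROUP_RULES[0], {
    "sourcePath": "$.displayName", "targetPath": "$.email", "scope": "createEntity",
    "functions": [{"type": "concatString", "suffix": "@test.myaccount.ondemand.com"}],
}]
```

Running apply_mappings({"displayName": "Developers"}, DEFAULT_GROUP_RULES) yields email "Developers", which Google will not accept as a group address, while DOMAIN_GROUP_RULES yields "Developers@test.myaccount.ondemand.com".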
- Now, add a source system from which to read users and groups. Choose from: Source Systems
- Before starting a provisioning job, you can first subscribe to e-mail notifications from the source system you use in your scenario. This way, you are notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications.
- Now, start an identity provisioning job. For more information, see Monitor Provisioning Job Logs.