Google Cloud Platform
The GCP connector is not currently available; it is coming soon.
About GCP Connector
This guide describes the GCP connector: what it does, how it is configured, and how it is deployed. The GCP connector lets you create and onboard GCP applications in IDHub.
Connector Operations
Operation | Supported? |
---|---|
User Management | - |
Create user | Yes |
Update user | Yes |
Delete User | Yes |
Enable user | Yes |
Disable user | Yes |
Change or Reset password | Yes |
Add Child (Assign/Remove to a user account) | - |
Add/Remove Nick Names | Yes |
Entitlement Grant Management | - |
Add/Remove Admin Role | Yes |
Add/Remove Project Role | Yes |
Add/Remove Organization Role | Yes |
Add/Remove Group | Yes |
Group Management | - |
Add Group | Yes |
Update Group | Yes |
Remove Group | Yes |
Connector Components
The connector consists of the Connector Application, the Connector Application Configuration, the Connector Service Provider Interface (SPI), the Splice, and the Splice Configuration.
These components hold the connectivity and configuration details specific to your target system. The connector reads them so that you can onboard your applications quickly through a single, simplified UI.
Connector Architecture
The connector architecture consists of the connector application, the GCP SDK controller, and the target-system splice. The splice handles native communication with the target system through the GCP-specific connector SPI implementation. This design allows easy and rapid deployment of the connector as well as more precise versioning.
The connector is configured to run in one of the following modes:
- Target Resource reconciliation
- If the GCP application is used as the trusted source, users are created and modified directly in IDHub. The GCP SDK extracts the user records that match the reconciliation criteria and brings them into IDHub. Each fetched record is compared with the existing IDHub users: if a match is found, the IDHub user's attributes are updated with the changes made to the target system record; if no match is found, the target system record is used to create a new IDHub user.
- Account management
- Users are created, updated, or deleted on the target system through IDHub. During provisioning the connector calls the GCP SDK, which accepts the provisioning data, carries out the requested operation on the target system, and returns the target system's response to IDHub. Applications can use the GCP SDK to perform create, read, update, and delete (CRUD) operations on the target system.
Connector development follows this basic architecture. Enhancements, additional specifications, or extra configuration are treated as connector customization and are handled by the IDHub team according to your specific business requirements.
Connector Features
Full Reconciliation and Incremental Reconciliation
You can perform full reconciliation to bring all existing user data from the target system to IDHub. After the first full reconciliation run, you can configure your connector for incremental reconciliation if the target system contains an attribute that holds the timestamp at which an object is created or modified.
Limited Reconciliation
You can reconcile records from the target system based on a specified filter criterion. To limit or filter the records that are fetched into IDHub during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled. You can set a condition based on which the reconciliation would be performed.
Batched Reconciliation
You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.
The current version of the connector does not support incremental or batched reconciliation; both are planned for a future release of the connector.
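As an added illustration (Python written for this guide, not code from the IDHub connector or from this page), the following models the reconciliation behaviour described above: the filter used for limited reconciliation, batching, matching each target record to an existing IDHub user and updating it on a match or creating it otherwise, carrying the account status with the rest of the data, and revoking the IDHub users that the target reports as deleted. The target records are constructed samples shaped like the Admin SDK Directory API users resource (primaryEmail, suspended, orgUnitPath, name); the IDHub attribute names, the choice of primaryEmail as the matching key, and the way deleted users are passed in are assumptions of this example, since the page does not state them.

```python
from dataclasses import dataclass, field

# Constructed sample of target-system user records. The field names follow the
# Admin SDK Directory API "users" resource; the values are made up.
TARGET_RECORDS = [
    {"primaryEmail": "alice@mydomain.com", "name": {"givenName": "Alice", "familyName": "Ng"},
     "suspended": False, "orgUnitPath": "/Engineering"},
    {"primaryEmail": "bob@mydomain.com", "name": {"givenName": "Bob", "familyName": "Ray"},
     "suspended": True, "orgUnitPath": "/Sales"},
    {"primaryEmail": "carol@mydomain.com", "name": {"givenName": "Carol", "familyName": "Liu"},
     "suspended": False, "orgUnitPath": "/Engineering"},
]

# Constructed sample of users already present in IDHub, keyed on e-mail.
# The attribute names are this example's assumption, not IDHub's schema.
IDHUB_USERS = {
    "alice@mydomain.com": {"first_name": "Alice", "last_name": "Ng", "status": "Enabled", "org_unit": "/Research"},
    "bob@mydomain.com": {"first_name": "Bob", "last_name": "Ray", "status": "Enabled", "org_unit": "/Sales"},
    "dave@mydomain.com": {"first_name": "Dave", "last_name": "Kim", "status": "Enabled", "org_unit": "/Sales"},
}


def to_idhub_user(rec):
    """Map a target record to the IDHub attribute set. Account status travels with
    the rest of the data: a suspended Google account reconciles as Disabled."""
    return {
        "first_name": rec["name"]["givenName"],
        "last_name": rec["name"]["familyName"],
        "status": "Disabled" if rec.get("suspended") else "Enabled",
        "org_unit": rec.get("orgUnitPath", "/"),
    }


@dataclass
class ReconResult:
    created: list = field(default_factory=list)
    updated: list = field(default_factory=list)
    unchanged: list = field(default_factory=list)
    revoked: list = field(default_factory=list)
    batches: int = 0


def batched(items, size):
    """Yield successive slices of at most `size` items (batched reconciliation);
    a size of None or <= 0 means one batch holding everything."""
    items = list(items)
    if not size or size <= 0:
        yield items
        return
    for i in range(0, len(items), size):
        yield items[i:i + size]


def reconcile(target_records, idhub_users, *, match_key="primaryEmail",
              filter_fn=None, batch_size=None, deleted_keys=()):
    """Full reconciliation run. `filter_fn` implements limited reconciliation,
    `batch_size` batched reconciliation, and `deleted_keys` lists the target users
    reported as deleted, whose IDHub users are revoked. Returns the result summary
    and the resulting IDHub user set; the caller's dict is left unmodified."""
    result = ReconResult()
    users = {k: dict(v) for k, v in idhub_users.items()}
    selected = [r for r in target_records if filter_fn is None or filter_fn(r)]
    for batch in batched(selected, batch_size):
        result.batches += 1
        for rec in batch:
            key = rec[match_key]
            attrs = to_idhub_user(rec)
            if key not in users:            # no match: create the IDHub user
                users[key] = attrs
                result.created.append(key)
            elif users[key] != attrs:       # match with changes: update it
                users[key] = attrs
                result.updated.append(key)
            else:                           # match, nothing changed
                result.unchanged.append(key)
    for key in deleted_keys:                # deleted on target: revoke in IDHub
        if users.pop(key, None) is not None:
            result.revoked.append(key)
    return result, users
```

Running `reconcile(TARGET_RECORDS, IDHUB_USERS, batch_size=2, deleted_keys=["dave@mydomain.com"])` on the samples creates carol, updates alice (org unit changed) and bob (now Disabled because the target account is suspended), revokes dave, and does so in two batches; passing `filter_fn=lambda r: r["orgUnitPath"] == "/Engineering"` limits the run to alice and carol.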
Connection Pooling
A connection pool is a cache of objects that represent physical connections to the target. IDHub connectors can use these connections to communicate with target systems.
At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.
One connection pool is created for each set of basic configuration parameters that you provide while creating an application. For example, if you have three applications for three installations of the target system, three connection pools are created, one for each installation.
Support for Connector Server
By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles. In other words, a connector server enables remote execution of an IDHub connector.
Support for Reconciliation of Account Status
During a reconciliation run the connector fetches the account status along with the rest of the account data, so that the status of the account in IDHub reflects its status on the target system.
Reconciliation of Deleted Account Data
The Google Apps Target Resource User Delete Reconciliation task fetches details of users that have been deleted on the target system. IDHub uses this information to revoke the corresponding Google Apps resources.
Support for Connector Operations in Multiple Domains
The connector supports reconciliation and provisioning operations in multiple domains. By default, it performs these operations only within the single domain given by Google Domain Name. To operate in more than one domain, set the supportMultipleDomain parameter in Advanced Settings to true.
Transformation and Validation of Account Data
You can configure transformation and validation of account data that is brought into or sent from IDHub during reconciliation and provisioning operations by writing Groovy scripts while creating your application.
Creating an Application by using the Connector
Prerequisites for creating the application using the connector
Create a project and register your client application with Google Cloud Platform in the Google Cloud Console.
Select APIs & Services, then Enabled APIs & services. Search for the Admin SDK, Group Settings, Cloud Resource Manager, and IAM (Identity and Access Management) APIs and enable them.
Select APIs & Services, then Credentials. Click Create Credentials to create an API key, an OAuth client ID, and a service account.
- To create OAuth client ID, configure your consent screen. Click CONFIGURE CONSENT SCREEN, select the User Type as Internal, and then click Create.
- Enter the application name, user-supported email, and developer email address, and then click SAVE AND CONTINUE.
- Click ADD OR REMOVE SCOPES and add all the required scopes and then click SAVE AND CONTINUE to create an application.
- To create the OAuth client ID, choose Web application as the Application type, enter a name, and click CREATE. You receive a client ID and a client secret.
Open the service account you created and note its email address. Click Create GCP Marketplace-compatible OAuth Client, select Continue, and copy the client ID.
Click the Keys tab, click ADD KEY, and then click Create new key. Select P12 as the Key type and click Create. The private key is downloaded to your computer. This file is a long-lived credential for the service account: store it with restrictive file permissions on the host that runs the connector and keep it out of version control.
Specify the location of this Private key in the Service Account Private Key field when you perform the procedure
Add scopes and authorize the registered client application. To do so:
- Login to the Google Admin Console using the https://admin.google.com link with an account that has administrative privileges in the Google instance.
- Choose Security and click Access and data controls.
- Click API Controls and search for Domain-wide delegation option, and click MANAGE DOMAIN-WIDE DELEGATION.
- Click Add new next to API clients and enter the numeric Client ID of the service account (the multi-digit number provided when the service account was created).
- In the One or More API Scopes field, enter the scopes listed in the Google Applications Scope field. Separate the values with commas and remove the double quotes (").
- Click Authorize.
Once this is complete, the Test Application button runs successfully and connects to the Google Application instance.
Create a user account on the target system. The connector uses this account to connect to the target system during every connector operation. After creating it, assign the Groups Admin and User Management Admin roles to the new account; use this dedicated account rather than a Super Admin account, since it is the identity the connector acts as.
Enable access to the Google administrative APIs available in your Google Cloud Platform business domain. These APIs let the connector manage user accounts and synchronize Google Cloud Platform user accounts with your own.
Enable external user access to groups in Google Cloud Platform. Perform this step only if you want external users to access groups in Google Cloud Platform.
Onboard the Application in IDHub
Click here for the detailed steps for onboarding the application to IDHub
Configuring the Connector
When you create a target or authoritative application, you must configure the connection parameters that the connector uses to connect IDHub to your target system and perform connector operations. The following are the connection-related parameters that IDHub requires to connect to a GCP application.
Basic Configuration of the Connector
Parameter | Mandatory? | Description |
---|---|---|
Service Account ID | Yes | Enter the email address of the service account created. |
Service Account User | Yes | Enter the user name of account that you created to log in to the client application. Sample value: admin@mydomain.com |
Service Account Private Key | Yes | Enter the full path, including the file name, of the P12 private key file downloaded for the service account. Sample value: /scratch/34567890sdfghjk.p12 |
Google Application Name | Yes | Enter the name of the project that was created as part of registering the client application. |
Google Domain Name | Yes | Enter the name of your Google domain. Sample value: mydomain.com |
GCP Project ID | Yes | Enter the Google Cloud Platform project ID. |
Scope | Yes | Enter the scope of your client application. Default value:"https://www.googleapis.com/auth/cloud-platform", "https://www.googleapis.com/auth/admin.directory.user", "https://www.googleapis.com/auth/admin.directory.group", "https://www.googleapis.com/auth/admin.directory.group.member", "https://www.googleapis.com/auth/admin.directory.rolemanagement", "https://www.googleapis.com/auth/admin.directory.orgunit", "https://www.googleapis.com/auth/apps.groups.settings" |
Connector Server Name | No | Enter the name of Connector Server IT resource, if you are using the Google Cloud Connector together with a Java Connector Server. |
Proxy Host | No | Enter the proxy host name. Needed only when the connector runs in a network protected by a web proxy; check with your network administrator for the proxy details. |
Proxy Password | No | Enter the proxy password, if the proxy requires authentication. |
Proxy Port | No | Enter the proxy port number. |
Proxy Username | No | Enter the proxy user name, if the proxy requires authentication. |
GCP Organisation ID | Yes | Enter the numeric ID of your Google Cloud Platform organization. |
Advanced Settings Parameters
There are some advanced settings that you can configure in the connector.
These advanced settings are not supported in the current version of the connector & will be supported in the future release version of the connector.
Parameter | Mandatory? | Description |
---|---|---|
Connector Name | Yes | This parameter holds the name of the connector class. Default value: org.identityconnectors.gcp.GCPConnector |
Connector Package Name | Yes | This parameter holds the name of the connector bundle package. Default value: org.identityconnectors.gcp |
Connector Package Version | Yes | This parameter holds the version of the connector bundle class. Default value: 12.3.0 |
supportMultipleDomain | No | Specifies whether the connector performs connector operations in a single domain or in multiple domains. By default, the connector operates only on the domain given by the Google Domain Name basic configuration parameter. Set this entry to true if you want the connector to operate in all the domains present in Google Cloud Platform. Default value: false |
supportDeleteIdentity | No | Specifies whether the connector deletes the account in the directory or only removes its entitlements and keeps the account. Set this entry to true if you want the account deleted in the directory as well. Default value: false |
Pool Max Idle | No | Maximum number of idle objects in a pool. Sample value: 10 |
Pool Max Size | No | Maximum number of connections that the pool can create. Sample value: 10 |
Pool Max Wait | No | Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Sample value: 150000 |
Pool Min Evict Idle Time | No | Minimum time, in milliseconds, the connector must wait before evicting an idle object. Sample value: 120000 |
Pool Min Idle | No | Minimum number of idle objects in a pool. Sample value: 1 |
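The following is an added example (Python written for this guide, not part of the IDHub connector) that checks a Basic and Advanced configuration for internal consistency before you press Test Application, and turns the connector's quoted Scope value into the comma-separated, unquoted list that the domain-wide delegation screen from the prerequisites expects. The default Scope value and the parameter names are copied from the tables above; the mapping of connector operations to the scope each one needs, the sample configuration values, and the rule that the service account email ends in gserviceaccount.com are this example's assumptions about the Google APIs involved, not statements from the page.

```python
from pathlib import Path

# Default Scope value copied from the Basic Configuration table.
DEFAULT_SCOPE = (
    '"https://www.googleapis.com/auth/cloud-platform", '
    '"https://www.googleapis.com/auth/admin.directory.user", '
    '"https://www.googleapis.com/auth/admin.directory.group", '
    '"https://www.googleapis.com/auth/admin.directory.group.member", '
    '"https://www.googleapis.com/auth/admin.directory.rolemanagement", '
    '"https://www.googleapis.com/auth/admin.directory.orgunit", '
    '"https://www.googleapis.com/auth/apps.groups.settings"'
)
AUTH = "https://www.googleapis.com/auth/"

# Scope each group of supported operations needs. The operation groups come from
# the Connector Operations table; which scope backs each one is this example's
# assumption, based on the Google API the operation has to call.
REQUIRED_SCOPES = {
    "user management": {AUTH + "admin.directory.user"},
    "group management": {AUTH + "admin.directory.group", AUTH + "admin.directory.group.member"},
    "admin role grant": {AUTH + "admin.directory.rolemanagement"},
    "project/organization role grant": {AUTH + "cloud-platform"},
}

# Constructed sample configuration using the sample values from the tables;
# the service account name and project ID are made up.
SAMPLE_CONFIG = {
    "Service Account ID": "idhub-connector@my-project.iam.gserviceaccount.com",
    "Service Account User": "admin@mydomain.com",
    "Service Account Private Key": "/scratch/34567890sdfghjk.p12",
    "Google Application Name": "idhub-gcp",
    "Google Domain Name": "mydomain.com",
    "GCP Project ID": "my-project",
    "Scope": DEFAULT_SCOPE,
    "GCP Organisation ID": "123456789012",
    "Pool Min Idle": "1", "Pool Max Idle": "10", "Pool Max Size": "10",
}


def parse_scope_param(value):
    """Split the Scope value into bare scope URLs with quotes and whitespace removed."""
    return [s.strip().strip('"') for s in value.split(",") if s.strip().strip('"')]


def delegation_scope_string(value):
    """Comma-separated, unquoted form to paste into 'One or More API Scopes'."""
    return ",".join(parse_scope_param(value))


def _int(cfg, key):
    try:
        return int(cfg[key])
    except (KeyError, TypeError, ValueError):
        return None


def check_config(cfg):
    """Return a list of findings for a configuration dict keyed by the parameter
    names in the tables. An empty list means the values are internally consistent;
    only Test Application proves the target accepts them."""
    out = []
    scopes = set(parse_scope_param(cfg.get("Scope", "")))
    for s in scopes:
        if not s.startswith(AUTH):
            out.append(f"unexpected scope value: {s}")
    for op, needed in REQUIRED_SCOPES.items():
        missing = sorted(needed - scopes)
        if missing:
            out.append(f"{op} needs scope(s) not in Scope: {missing}")
    if AUTH + "cloud-platform" in scopes:
        out.append("info: cloud-platform is the broadest Google Cloud scope; keep the service "
                   "account's IAM bindings limited to what project/organization role grants need")
    if not cfg.get("Service Account ID", "").endswith("gserviceaccount.com"):
        out.append("Service Account ID must be the service account e-mail, not its numeric client ID")
    domain = cfg.get("Google Domain Name", "")
    user = cfg.get("Service Account User", "")
    if "@" not in user or user.rsplit("@", 1)[1] != domain:
        out.append(f"Service Account User {user!r} is not an account in Google Domain Name {domain!r}")
    key = Path(cfg.get("Service Account Private Key", ""))
    if key.suffix.lower() != ".p12":
        out.append("Service Account Private Key should point at the P12 key file")
    elif not key.is_file():
        out.append(f"private key file not found: {key}")
    if not cfg.get("GCP Organisation ID", "").isdigit():
        out.append("GCP Organisation ID must be the numeric organization ID")
    proxy = {k: cfg.get(k) for k in ("Proxy Host", "Proxy Port", "Proxy Username", "Proxy Password")}
    if any(proxy.values()):
        port = _int(cfg, "Proxy Port")
        if not proxy["Proxy Host"] or port is None or not 1 <= port <= 65535:
            out.append("proxy settings need Proxy Host and a Proxy Port in 1..65535")
        if bool(proxy["Proxy Username"]) != bool(proxy["Proxy Password"]):
            out.append("Proxy Username and Proxy Password must be set together")
    mn, mi, mx = _int(cfg, "Pool Min Idle"), _int(cfg, "Pool Max Idle"), _int(cfg, "Pool Max Size")
    if None not in (mn, mi, mx) and not 0 <= mn <= mi <= mx:
        out.append("pool sizes must satisfy Pool Min Idle <= Pool Max Idle <= Pool Max Size")
    return out
```

On the sample configuration the only non-informational finding is that the P12 file at the sample path does not exist on the checking host, which is exactly the kind of problem that otherwise surfaces only as a failed Test Application. Trimming Scope to the user scope alone reports every operation group that would stop working, so you can see the consequence of narrowing scopes before changing the domain-wide delegation entry.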
Connector Application Configuration
The connector application is designed as a wrapper around the different SCIM adapters. It mainly consists of the following:
Authentication
- Basic Authentication is required
- The username and password are stored in encrypted form in the properties file
Resource Type
Two resource types are available for the IDHub connector. The "resourceName" attribute in REST API calls takes one of these values:
- Account - user account in the target system - this will include entitlement membership
- Entitlement -available entitlements in the target system
Deploying the GCP Connector
The documentation for deploying the connector is coming soon