Connect to Google Cloud Platform

This guide provides step-by-step instructions for setting up the Google Cloud Platform (GCP) Connector in EmpowerID. It begins by explaining the key configuration attributes, then walks through creating an account store to connect to GCP, and finally outlines the verification steps needed to establish an integration between the platforms.

Understand Key Configuration

Before you start creating the account store, please familiarize yourself with the key configurations you must provide input when connecting to GCP.

Please ensure that you have the necessary information regarding the configuration values by consulting with the deployment team or EmpowerID. This will streamline the process of creating and connecting the account store to GCP. If you want detailed information about the attributes and how they are acquired, you need to understand the deployment technical details provided in the Deployment of the GCP Connector Environment.

Attributes	Description

Attributes	Description
App Service Base URL	The "App Service Base URL" is the URL to which the microservices for GCP are deployed on the Google Cloud Platform
OAUTH2 Token Target Audience	The Audience parameter for the Google Auth Token in the Google Cloud Platform.
Certificate Name	The certificate name created or uploaded for the IAP Service Account.
Service Account Email	The Service account, also known as the IAP Service Account, used for OAuth2 authentication between EID and the microservice.

Step 1: Create a GCP Account Store

To connect your Google Cloud Platform with EmpowerID, you need to use connectors and create an account store through Account Stores. This connection will enable the tenant's user and group information to be imported into EmpowerID, where it can be effortlessly managed and synchronized with data in any back-end user directories that are connected. Please follow the instructions below to create an account store for your organization's Google Cloud Platform in EmpowerID.

Log in to the EmpowerID portal.
Expand Admin → Applications and Directories on the navbar and click Account Stores and Systems.
Select the Account Stores tab and click on the Create Account Store link.
To proceed, please search and select the Google Cloud Platform SCIM from the System Types menu. Once you have made the selection, click on the Submit button. By choosing this option, you will be using the out-of-the-box SCIM connector to connect EmopowerID with GCP.
Please provide the following information related to the account store and click on Submit to create the account store.
1. Account Store Name: Provide a unique and descriptive name for the account store.
2. App Service Base URL: The microservices for GCP are deployed on the Google Cloud platform and have a specific URL, which should be provided as the app service base URL. The URL starts with the protocol HTTPS and ends with a leading slash (/).
3. OAUTH2 Token Target Audience: Provide the Audience parameter for the Google Auth Token that you created earlier in the Google Cloud Platform.
4. Certificate Name: Select the name of the certificate that you configured for SA2 or the IAP Service Account. As described earlier, you might have to generate a certificate in EID and upload it to Google or generate keys in Google and upload them to EID.
5. Service Account Email: Provide the SA2 Service account, also known as the IAP Service Account, which is responsible for OAuth2 authentication between EID and the microservice.
You have successfully created an account store for the Google Cloud Platform.

Step 2: Verify Resource System Parameters

Once you create an Account Store, the following resource system parameters are configured with default values. Please verify that these settings are correct and adjust them as needed to meet your specific requirements.

Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.
Search for the GCP Account Store you created and click the Account Store link.
On the Account Store and Resource System page that appears, select the Resource System tab and expand the Configuration Parameters accordion.
Please ensure that the parameters in the list are set up correctly. The list and description are provided below. To edit or change the value of a parameter, click the Edit button for the parameter you want to modify. Enter the new value in the Value field and click Save.

Attribute Name	Description

Attribute Name	Description
AccountAttributeSyncDirty	Indicates whether the account attribute synchronization is marked as dirty. The default value is `false`.
AppServiceBaseUrl	The microservices for GCP are deployed on the Google Cloud platform and have a specific URL, which is the app service base URL. The URL starts with the protocol HTTPS and ends with a leading slash (/).
AuditLogGraceTimePeriodInMinutes	Time period in minutes for grace period in audit logs. The default value is `120`.
AuthorizationProviderFullAssemblyName	Full assembly name of the authorization provider.
AuthorizationProviderType	Type of the authorization provider used.
CreateGroupUrl	URL endpoint to create a group. The default value is `/v1/Groups`.
CreateOrUpdateGroupJsonTemplate	JSON template for creating or updating a group. The default value is `{"displayName":null, "description": null, "email": null}`.
CreateOrUpdateUserJsonTemplate	JSON template for creating or updating a user. Please find more details about the mapping of attributes here Attribute Mapping. The default value is { "urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User": { "plain": { "firstHomePhone": "", "firstMobilePhone": "", "firstBusinessPhone": "", "firstOrgTitle": "", "firstOrgDepartment": "" }, "organizations": [{"primary":true, "department":null,"description":null, "title":null}], "suspended": null, "archived": null, "languages": null }, "changePasswordAtNextLogin": null, "includeInGlobalAddressList": null, "ipWhitelisted": null, "recoveryPhone": null, "recoveryEmail": null, "orgUnitPath": null, "primaryEmail": null, "name": { "familyName": null, "givenName": null, "formatted": null }, "displayName": null, "emails": null, "customSchemas": null, "relations": null }.
CreateUserUrl	URL endpoint to create a user. Default value is `/v1/users`.
ExternalSystemSupportIncrementalMember	Indicates if the external system supports incremental member updates. The default value is `false`.
GetAddGroupMemberUrl	URL endpoint to query group members to add. The default value is `/EIDExtension/MemberQuery`.
GetDeleteorUpdateGroupByIdUrl	URL endpoint to delete or update a group by its ID. The default value is `/v1/Groups/{0}`.
GetDeleteOrUpdateGroupMemberUrl	URL endpoint to delete or update a group member. The default value is `/EIDExtension/MemberQuery/{0}/{1}`.
GetDeleteorUpdateUserByIdUrl	URL endpoint to delete or update a user by its ID. The default value is `/v1/Users/{0}`.
IsIncrementalInventory	Indicates if the inventory is incremental. The default value is `true`.
OAuth2PrivateKey	The certificate's thumbprint created or uploaded for SA2 or the IAP Service Account.
OauthTargetAudience	Target audience for OAuth2. The Audience parameter for the Google Auth Token that you created earlier in the Google Cloud Platform for the OAuth 2.0 Client ID of the Credentials in the APIs & Services of the GCP(TA1) .
QueryChangedGroupMembersUrl	URL endpoint to query changed group members. The default value is `/EIDExtension/ChangedMemberQuery`.
QueryChangedGroupsUrl	URL endpoint to query changed groups. The default value is `/v1/Groups/EIDExtension/NewOrUpdated`.
QueryChangedUsersUrl	URL endpoint to query changed users. The default value is `/v1/users/EIDExtension/NewOrUpdated`.
QueryGroupMembersUrl	URL endpoint to query group members. The default value is `/EIDExtension/MemberQuery/{0}`.
QueryGroupsUrl	URL endpoint to query groups. The default value is `/v1/groups`.
QueryMembersDegreeOfParallelism	Degree of parallelism for querying group members. The default value is `5`. (Optional. Default = 5)
QueryOrganizationsUrl	URL endpoint to query organizations. The default value is `/QueryOrganizations`.
QueryResourcesUrl	URL endpoint to query resources. The default value is `/QueryOrganizationResources`.
QueryUsersUrl	URL endpoint to query users. The default value is `/v1/users`.
ServiceAccountEmail	The SA2 Service account, also known as the IAP Service Account, which is responsible for OAuth2 authentication between EID and the microservice.

Step 3: Verify that the GCP Account Store is Working

After setting up your account store and confirming that inventory is running smoothly, verifying the Google Cloud Platform (GCP) connector in EmpowerID is essential. Follow these steps to ensure your GCP account store is operational. While various methods exist to verify this, we'll focus on one approach: checking if users and groups have been properly inventoried into EmpowerID.

Expand Admin → Applications and Directories on the navbar and click Account Stores and Systems.
Select the Account Stores tab, search for the Account Store you just created, and click on the Account Store Name Link.
Click on the User Accounts tab to check if the user accounts have been added. Please note that this will only show results after completing the inventory job.

IN THIS ARTICLE