Connect to Google Cloud Platform

This guide provides step-by-step instructions for setting up the Google Cloud Platform (GCP) Connector in EmpowerID. It begins by explaining the key configuration attributes, then walks through creating an account store to connect to GCP, and finally outlines the verification steps needed to establish an integration between the platforms.

Understand Key Configuration

Before you start creating the account store, familiarize yourself with the key configuration values you must provide when connecting to GCP.

Please ensure that you have the necessary information regarding the configuration values by consulting with the deployment team or EmpowerID. This will streamline the process of creating and connecting the account store to GCP. If you want detailed information about the attributes and how they are acquired, you need to understand the deployment technical details provided in the Deployment of the GCP Connector Environment.

| Attributes | Description |
| --- | --- |
| App Service Base URL | The URL to which the microservices for GCP are deployed on the Google Cloud Platform. |
| OAUTH2 Token Target Audience | The Audience parameter for the Google Auth Token in the Google Cloud Platform. |
| Certificate Name | The certificate name created or uploaded for the IAP Service Account. |
| Service Account Email | The service account, also known as the IAP Service Account, used for OAuth2 authentication between EID and the microservice. |

Step 1: Create a GCP Account Store

To connect your Google Cloud Platform with EmpowerID, you need to use connectors and create an account store through Account Stores. This connection will enable the tenant's user and group information to be imported into EmpowerID, where it can be effortlessly managed and synchronized with data in any back-end user directories that are connected. Please follow the instructions below to create an account store for your organization's Google Cloud Platform in EmpowerID.

  1. Log in to the EmpowerID portal.

  2. Expand Admin → Applications and Directories on the navbar and click Account Stores and Systems.

  3. Select the Account Stores tab and click on the Create Account Store link.


  4. Search for and select Google Cloud Platform SCIM from the System Types menu, then click the Submit button. By choosing this option, you will be using the out-of-the-box SCIM connector to connect EmpowerID with GCP.


  5. Please provide the following information related to the account store and click on Submit to create the account store.

    1. Account Store Name: Provide a unique and descriptive name for the account store.

    2. App Service Base URL: The microservices for GCP are deployed on the Google Cloud Platform and have a specific URL, which should be provided as the app service base URL. The URL starts with the protocol HTTPS and ends with a trailing slash (/).

    3. OAUTH2 Token Target Audience: Provide the Audience parameter for the Google Auth Token that you created earlier in the Google Cloud Platform.

    4. Certificate Name: Select the name of the certificate that you configured for SA2 or the IAP Service Account. As described earlier, you might have to generate a certificate in EID and upload it to Google or generate keys in Google and upload them to EID.

    5. Service Account Email: Provide the SA2 Service account, also known as the IAP Service Account, which is responsible for OAuth2 authentication between EID and the microservice.

  6. You have successfully created an account store for the Google Cloud Platform.

Step 2: Verify Resource System Parameters

Once you create an Account Store, the following resource system parameters are configured with default values. Please verify that these settings are correct and adjust them as needed to meet your specific requirements.

  1. Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.

  2. Search for the GCP Account Store you created and click the Account Store link.

  3. On the Account Store and Resource System page that appears, select the Resource System tab and expand the Configuration Parameters accordion.

  4. Please ensure that the parameters in the list are set up correctly. The list and description are provided below. To edit or change the value of a parameter, click the Edit button for the parameter you want to modify. Enter the new value in the Value field and click Save.

| Attribute Name | Description |
| --- | --- |
| AccountAttributeSyncDirty | Indicates whether the account attribute synchronization is marked as dirty. The default value is false. |
| AppServiceBaseUrl | The microservices for GCP are deployed on the Google Cloud Platform and have a specific URL, which is the app service base URL. The URL starts with the protocol HTTPS and ends with a trailing slash (/). |
| AuditLogGraceTimePeriodInMinutes | Grace period, in minutes, for audit logs. The default value is 120. |
| AuthorizationProviderFullAssemblyName | Full assembly name of the authorization provider. |
| AuthorizationProviderType | Type of the authorization provider used. |
| CreateGroupUrl | URL endpoint to create a group. The default value is /v1/Groups. |
| CreateOrUpdateGroupJsonTemplate | JSON template for creating or updating a group. The default value is {"displayName":null, "description": null, "email": null}. |
| CreateOrUpdateUserJsonTemplate | JSON template for creating or updating a user. For details on how attributes are mapped, see Attribute Mapping. The default value is { "urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User": { "plain": { "firstHomePhone": "", "firstMobilePhone": "", "firstBusinessPhone": "", "firstOrgTitle": "", "firstOrgDepartment": "" }, "organizations": [{"primary":true, "department":null,"description":null, "title":null}], "suspended": null, "archived": null, "languages": null }, "changePasswordAtNextLogin": null, "includeInGlobalAddressList": null, "ipWhitelisted": null, "recoveryPhone": null, "recoveryEmail": null, "orgUnitPath": null, "primaryEmail": null, "name": { "familyName": null, "givenName": null, "formatted": null }, "displayName": null, "emails": null, "customSchemas": null, "relations": null }. |
| CreateUserUrl | URL endpoint to create a user. The default value is /v1/users. |
| ExternalSystemSupportIncrementalMember | Indicates whether the external system supports incremental member updates. The default value is false. |
| GetAddGroupMemberUrl | URL endpoint to query group members to add. The default value is /EIDExtension/MemberQuery. |
| GetDeleteorUpdateGroupByIdUrl | URL endpoint to delete or update a group by its ID. The default value is /v1/Groups/{0}. |
| GetDeleteOrUpdateGroupMemberUrl | URL endpoint to delete or update a group member. The default value is /EIDExtension/MemberQuery/{0}/{1}. |
| GetDeleteorUpdateUserByIdUrl | URL endpoint to delete or update a user by its ID. The default value is /v1/Users/{0}. |
| IsIncrementalInventory | Indicates whether the inventory is incremental. The default value is true. |
| OAuth2PrivateKey | The thumbprint of the certificate created or uploaded for SA2 (the IAP Service Account). |
| OauthTargetAudience | Target audience for OAuth2. The Audience parameter for the Google Auth Token that you created earlier in the Google Cloud Platform for the OAuth 2.0 Client ID of the Credentials in the APIs & Services of GCP (TA1). |
| QueryChangedGroupMembersUrl | URL endpoint to query changed group members. The default value is /EIDExtension/ChangedMemberQuery. |
| QueryChangedGroupsUrl | URL endpoint to query changed groups. The default value is /v1/Groups/EIDExtension/NewOrUpdated. |
| QueryChangedUsersUrl | URL endpoint to query changed users. The default value is /v1/users/EIDExtension/NewOrUpdated. |
| QueryGroupMembersUrl | URL endpoint to query group members. The default value is /EIDExtension/MemberQuery/{0}. |
| QueryGroupsUrl | URL endpoint to query groups. The default value is /v1/groups. |
| QueryMembersDegreeOfParallelism | Degree of parallelism for querying group members. Optional; the default value is 5. |
| QueryOrganizationsUrl | URL endpoint to query organizations. The default value is /QueryOrganizations. |
| QueryResourcesUrl | URL endpoint to query resources. The default value is /QueryOrganizationResources. |
| QueryUsersUrl | URL endpoint to query users. The default value is /v1/users. |
| ServiceAccountEmail | The SA2 service account, also known as the IAP Service Account, which is responsible for OAuth2 authentication between EID and the microservice. |

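As an added example, not EmpowerID's code and not part of this guide, the following Python script checks a set of resource system parameters against the rules the table states: the base URL must use HTTPS and end with a trailing slash, the group JSON template must parse and still carry its documented keys, and endpoint templates such as /v1/Groups/{0} are filled with percent-encoded values before being appended to the base URL. The parameter values are constructed placeholders, and the way the relative path is joined to the base URL is an assumption; the page does not describe EmpowerID's own join logic.

```python
import json
from urllib.parse import quote, urlsplit

# Constructed sample of resource system parameters (hypothetical tenant values,
# not taken from a real deployment). Endpoint defaults are the ones the table lists.
SAMPLE_PARAMETERS = {
    "AppServiceBaseUrl": "https://gcp-connector.example.com/",
    "OauthTargetAudience": "PLACEHOLDER-oauth-client-id.apps.googleusercontent.com",
    "ServiceAccountEmail": "eid-iap@example-project.iam.gserviceaccount.com",
    "CreateGroupUrl": "/v1/Groups",
    "GetDeleteorUpdateGroupByIdUrl": "/v1/Groups/{0}",
    "GetDeleteOrUpdateGroupMemberUrl": "/EIDExtension/MemberQuery/{0}/{1}",
    "CreateOrUpdateGroupJsonTemplate": '{"displayName":null, "description": null, "email": null}',
}

# Keys the table's default group template carries; a template that parses but
# silently dropped one of them would produce incomplete group objects.
GROUP_TEMPLATE_KEYS = ("displayName", "description", "email")


def check_base_url(url):
    """Return the problems with an AppServiceBaseUrl value (empty list if it is fine).

    The guide requires HTTPS and a trailing slash; a missing host is also rejected.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("missing host")
    if not url.endswith("/"):
        problems.append("must end with a trailing slash")
    return problems


def check_json_template(template_text, required_keys):
    """Return the problems with a JSON template: it must parse to a JSON object
    and contain every required key (the values themselves may be null)."""
    try:
        template = json.loads(template_text)
    except ValueError:
        return ["not valid JSON"]
    if not isinstance(template, dict):
        return ["template must be a JSON object"]
    return [f"missing key: {key}" for key in required_keys if key not in template]


def build_endpoint(base_url, endpoint_template, *values):
    """Fill the {0}, {1} placeholders of an endpoint template and append it to the base URL.

    Assumption: the connector concatenates the base URL and the relative path.
    Each value is percent-encoded as a single path segment, so an identifier that
    contains '/' cannot add extra path segments to the request.
    """
    encoded = [quote(str(value), safe="") for value in values]
    path = endpoint_template.format(*encoded)
    return base_url.rstrip("/") + "/" + path.lstrip("/")


def validate_parameters(params):
    """Run the checks over a parameter dict; returns {parameter name: [problems]}."""
    findings = {}
    url_problems = check_base_url(params.get("AppServiceBaseUrl", ""))
    if url_problems:
        findings["AppServiceBaseUrl"] = url_problems
    template_problems = check_json_template(
        params.get("CreateOrUpdateGroupJsonTemplate", ""), GROUP_TEMPLATE_KEYS
    )
    if template_problems:
        findings["CreateOrUpdateGroupJsonTemplate"] = template_problems
    # Both OAuth2 values are required for the IAP authentication to work at all.
    for name in ("OauthTargetAudience", "ServiceAccountEmail"):
        if not params.get(name):
            findings[name] = ["value is required"]
    return findings


if __name__ == "__main__":
    print("findings:", validate_parameters(SAMPLE_PARAMETERS))
    print(build_endpoint(SAMPLE_PARAMETERS["AppServiceBaseUrl"],
                         SAMPLE_PARAMETERS["GetDeleteorUpdateGroupByIdUrl"], "group 1"))
```

Run it against the values you entered in the Configuration Parameters accordion (for example by pasting them into SAMPLE_PARAMETERS) before starting inventory; an empty findings dict means the URL and template rules in the table are satisfied. The percent-encoding in build_endpoint is the part worth keeping in any real integration: group and user identifiers come from the remote directory, and treating them as opaque path segments keeps a stray slash from turning one endpoint into another.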

Step 3: Verify that the GCP Account Store is Working

After setting up your account store and confirming that inventory is running smoothly, verifying the Google Cloud Platform (GCP) connector in EmpowerID is essential. Follow these steps to ensure your GCP account store is operational. While various methods exist to verify this, we'll focus on one approach: checking if users and groups have been properly inventoried into EmpowerID.

  1. Expand Admin → Applications and Directories on the navbar and click Account Stores and Systems.

  2. Select the Account Stores tab, search for the Account Store you just created, and click on the Account Store Name Link.

  3. Click on the User Accounts tab to check whether the user accounts have been added. Note that results appear only after the inventory job has completed.