Overview of the GCP SCIM Connector
The Google SCIM Connector assists organizations in integrating EmpowerID with the Google Cloud Platform. EmpowerID can then inventory the user and group identity-related information stored within Google Cloud environments. This stored information in EmpowerID enables the central management and synchronization of identity management processes across various back-end user directories.
The EmpowerID Google Cloud Platform (GCP) Connector enables secure inventorying and management of data in the Google Cloud Platform using the EmpowerID SCIM 2.0 Microservice. The SCIM Microservice is a separate component deployed in the Google App Engine. The Microservice enables EmpowerID to directly read/write data to/from the Google Cloud Platform based on the requests initiated by the connector.
The GCP connector currently supports two services,
Google Workspace
Google Cloud
GCP Connector Environment
This section provides an overview of the key components of integrating GCP and EmpowerID. We will explore their functions, interactions, and data flow processes.
Major Components
There are different components to enable secure and efficient management of user and group identities between EmpowerID and Google Cloud Platform (GCP). Let’s first examine these important components, exploring their functions and interactions within the overall data flow.
Google Cloud Platform (GCP) Connector: The GCP Connector is a core component within the EmpowerID environment. It is responsible for initiating requests that EmpowerID needs to execute in GCP. For example, when a user creates a group in EmpowerID, the GCP Connector initiates the necessary requests to perform this action in GCP. The connector also includes inventory logic to track identity data changes between the two platforms If a group is created directly in GCP, the connector updates EmpowerID based on the output provided by the SCIM Microservice.
GCP SCIM Microservice: The GCP microservice functions as a mediator, responsible for transforming requests or actions initiated from the Google Cloud Platform (GCP) Connector by executing them in GCP through appropriate API calls to the Google APIs. The Communication between the Connector and Microservice is SCIM complaint. This microservice is deployed in Google App Engine and communicates with GCP via API calls.
IAP: Google Cloud's Identity Aware Proxy (IAP) secures access by authenticating and authorizing requests from the GCP Connector and GCP SCIM Microservice. It ensures that only valid requests with verified OIDC tokens are processed.
Google Cloud API: The Google Cloud API serves as the final interface for performing inventory and other identity-related tasks within GCP. The GCP SCIM Microservice calls the appropriate Google APIs to execute these tasks in the GCP resources.
GCP Connector Data Flow
Next, we will explore how the different components interact to automate identity management tasks in GCP from EmpowerID.
GCP Connector Requests Token & Token Acquisition: The GCP Connector initiates a request to the Google Authentication Service, leveraging OAuth 2.0 for authentication and authorization. The requests are signed with a Certificate. We will further explore that a service account is used to authenticate the connector and microservice. The Service Account Key of that service is stored and referred to as a Certificate or also as the private key in EmpowerID.
The Google Authentication Service authenticates the request and issues an OpenID Connect (OIDC) bearer token. This token contains information about the requester, such as the service account's identity and the requested permissions.IAP Authentication: The OIDC bearer token is authenticated by the Identity Aware Proxy (IAP), a service provided by Google Cloud Platform for access control and security. The IAP acts as an intermediary between external requests (GCP Connector) and the Microservice hosted on Google App Engine and authenticates the token. It also checks whether the token's scope (specified by the OAuth2 Target Audience) aligns with the intended audience for the microservice.
Access Granted to Microservice: Upon successful IAP authentication, the connector is granted access to the SCIM microservice. The microservice is protected by IAP, ensuring that only authenticated and authorized requests from the GCP Connector are forwarded to it.
Microservice Authentication with GCP API: The microservice utilizes a service account that has been provided with the necessary roles and permissions to authenticate itself to the Google Cloud API’s.
API Call Execution: Leveraging the permissions of the Microservice Service Account, the microservice can execute API calls to interact with Google Cloud services. This includes functionalities such as user management (creating and disabling users) and group management (fetching members of groups), contributing to the application's functionality and integration with Google Cloud Platform services.