To use Google Directory as an IdP, you must perform the following steps:
- Go to Google Cloud Console and select your project
- Go to "IAM & Admin" -> "Service Accounts"
- Click on the button "Create Service Account" and create your Service Account
- Click on the created Service Account
- Then click on the "Keys" tab
- Click on "Add Key" and select "Create new key"
- Select "JSON" and create the key (then it will download your Service Account Key - you'll use this key to authenticate in the application)
- Go back to the "Details" tab and copy your "Unique ID"
- Go to the Google Admin Console and go to "Security" -> "Access and data Control" -> "API Controls"
- Click on "MANAGE DOMAIN WIDE DELEGATION"
- Click on "Add new" to add a new API Client
- Then fill in the form with the Service Account Unique ID that you copied and the OAuth Scope "https://www.googleapis.com/auth/admin.directory.user"
And your Service Account is configured. Now you need to set the following environment variables:
- SDM_SCIM_IDP_GOOGLE_KEY_PATH - the path of the service account key file
- SDM_SCIM_IDP_GOOGLE_SUBJECT_USER - the service account admin email
- SDM_SCIM_IDP_GOOGLE_ROOT_ORG_UNIT_ALIAS - alias for representing the root organization unit in strongDM roles
A user can only be assigned to one OrgUnit at a time.
To add a filter to the IdP search, you can use the -idp-query flag, referring to the Google Users Search Documentation.
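As an added example (not part of the SCIM Integrations project), a small pre-flight check that validates the three environment variables above before the integration runs: it confirms the key file exists and is readable only by its owner, that it is a service account key (its "client_id" is the Unique ID entered in the domain-wide delegation form), and that the subject user looks like an email address. The variable names and scope come from the page; the key file written by write_constructed_key is constructed and contains no real credential.

```python
import json
import os
import stat
import tempfile

# The only scope the page grants under domain-wide delegation.
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"

def check_key_file(key_path: str) -> dict:
    """Validate the service account key file and return the parsed JSON."""
    if not os.path.isfile(key_path):
        raise ValueError(f"key file not found: {key_path}")
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    # The key is a long-lived credential, so reject group/world access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError(f"{key_path} is mode {oct(mode)}; restrict it to the owner")
    with open(key_path) as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key")
    if not key.get("client_id") or not key.get("client_email"):
        raise ValueError("key file is missing client_id or client_email")
    return key

def check_config(env: dict) -> dict:
    """Validate the SDM_SCIM_IDP_GOOGLE_* variables and summarise the result."""
    key_path = env.get("SDM_SCIM_IDP_GOOGLE_KEY_PATH")
    if not key_path:
        raise ValueError("SDM_SCIM_IDP_GOOGLE_KEY_PATH is not set")
    key = check_key_file(key_path)
    subject = env.get("SDM_SCIM_IDP_GOOGLE_SUBJECT_USER", "")
    local, _, domain = subject.partition("@")
    if not local or "." not in domain:
        raise ValueError("SDM_SCIM_IDP_GOOGLE_SUBJECT_USER must be the admin user's email")
    return {
        "client_id": key["client_id"],  # the Unique ID entered in domain-wide delegation
        "client_email": key["client_email"],
        "subject": subject,
        "scope": DIRECTORY_USER_SCOPE,
        "root_org_unit_alias": env.get("SDM_SCIM_IDP_GOOGLE_ROOT_ORG_UNIT_ALIAS", ""),
    }

def write_constructed_key(mode: int = 0o600) -> str:
    """Write a constructed (not real) key file for trying the checks; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump({"type": "service_account", "client_id": "100000000000000000001",
                   "client_email": "scim@example.iam.gserviceaccount.com"}, fh)
    os.chmod(path, mode)
    return path
```

Run check_config(dict(os.environ)) before starting the integration; a loose key file mode or a missing variable raises a ValueError naming the problem.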
To configure the Google IdP on Docker you need to follow these steps:
- Go to docker-compose.yml and, in the scim-integrations service, reference your service account key file in the volume source (/path/to/your/idp-key.json:/scim-integrations/keys/idp-key.json) and leave the destination path as it is, or else it won't work.
- Refer to the overall steps of how to run SCIM Integrations with Docker.