Configuring Google
Domain Management
Currently, Google connector supports only one domain. Add a domain name to fetch information from that domain.
To manage more than one domain, install the connector again. Reach out to support to help with multi-domain management using single connector.
Attribute Sync Direction
While adding attribute in json file, you can choose which direction your data flows for every attribute in IDHub.
Use function syncDirection for every attribute to choose their data flow directions.
Possible values are as follows:
'bi-directional': 'Bidirectional Synchronization',
'idhub-to-app': 'Sync IDHub to Application only',
'app-to-idhub': 'Sync Application to IDHub only',
'no-sync': 'No Synchronization'
Based on attribute functions we recommend directions. See below:
- RBAC (Role based Access Control) :
app-to-idhuborbi-directional - Reporting and not sensitive :
bi-directional - Modify functions in target system and RBAC :
idhub-to-app - Only for display :
no-sync - Sensitive Attribute not used for audit/ reporting : Do not add attribute
Field Mapping
Another function in the json is to match a specific IDHub field with the target system attribute.
Use function idhubFieldName and add from IDHub field list to match the fields.
List of IDHub fields can be viewed in your IDHub instance in Admin Settings page in Admin Module. Target System fields can be matched with custom added IDHub field as well.
{
"name": "fullName",
"type": "string",
"idhubFieldName": "displayName",
"required": true,
"syncDirection": "bi-directional"
}
Here target system attribute fullName is mapped with IDHub attribute displayName.
Multi-value Field
For making an attribute multi-valued in IDHub, use function multivalue and mark it as true. Some common examples are email addresses, membership, licenses attributes which provides multiple values.
Unique Field
Every target system provides at-least one unique attribute to distinguish their accounts. To mark that attribute as unique account name (In case multiple unique keys are present and you do not wish for IDHub to fetch all unique keys and mark only one as account name) use function uniqueness and value can be server or global
Reconciliation will fail if more than one attribute is added as unique.
For Google, below are some of the attributes among others that can be unique account name.
idprimaryEmail-RecommendedsecondaryEmailrecoveryEmail
Reconciliation Key
Possible unique reconciliation key to match account in Google with User in IDHub are as follows:
primaryEmail(Google) withemail(IDHub) -Recommendedid(Google) withlogin(IDHub)secondaryEmail(Google) withemail(IDHub)
Use function
isReconand mark astrueANDmutabilityand mark asimmutable
Both functions need to be added to the attribute to mark it as a reconciliation key.
primaryEmail attribute which is marked as Reconciliation key.{
"name": "primaryEmail",
"type": "string",
"idhubFieldName": "email",
"required": true,
"isRecon": true,
"mutability": "immutable",
"uniqueness": "server",
"syncDirection": "bi-directional"
}
More than one attribute can be used as reconciliation key. It is used to match IDHub users with accounts and combination of reconciliation keys will be used to match the account.
Manager Operations
The Google connector supports the manager attribute for the following:
- Reconciliation: On account reconciliation, the
managerattribute for a user populates for a non-null (blank) value on the Google domain. Add themanagerattribute in the account schema with the string type and sync direction as bi-sync or app-to-idhub for getting manager information in IDHub - Provisioning: The
managerattribute is supported for the Add, Remove, and Edit operations where the value of the manager can be set base on an existing user’sprimaryEmail. If thesyncDirectionformanagerisidhub-to-appORbi-directional, then on user attribute modification, our connector sends updated manager information to Entra which adds the new manager in Entra automatically. If manager information provided is not present in Entra, then change requested will not be reflected in Entra.