Skip to main content

Google Workspace

The purpose of this guide is to provide detailed information regarding the Google Workspace connector. There are a number of things you can learn about this connector here, including information about its configuration and deployment.

About Google Workspace Connector

In IDHub, you can create and onboard Google Workspace applications using the Google Workspace connector.

Connector Version

Google Workspace connector is currently at Version 1.0. More Google Workspace operations and other capabilities will be supported in upcoming updates and releases of the Google Workspace connector.

ComponentVersion
Google Workspace ConnectorVer 1.0
Target SystemGoogle Workspace
Connector Server11.1.2.1.0
Connector Server JDKJDK 1.6 or later

Connector Operations

OperationSupported?
User Management
Create userYes
Update userYes
Delete UserYes
Enable userYes
Disable userYes
Change or Reset passwordYes
Entitlement Grant Management
Add GroupsYes
Update GroupsYes
Remove GroupsYes

Connector Components

The components of the connector include Connector Application, Connector Application Configuration, Connector Service Provider Interface, Splice, and Splice configuration.

These connection components contain precise connectivity and setup information for your target system. The connector takes information from these files to allow you to quickly and efficiently onboard your applications using a single, streamlined UI.

Connector Architecture

The connector's architecture is constructed in accordance with the diagram below:

The connector architecture is basically composed of connector application, google workspace SDK controller and target system splice. The target system splice takes care of the native communication with the target system using the Google Workspace Specific connector SPI implementation. This architecture is followed and design as it enables for easy and rapid deployment of the connector as well as more precise versioning capabilities.

The connector is configured to run in one of the following modes:

  • Target Resource reconciliation
    • Users are instantly created and changed on IDHub in this situation if you rely on the Google Workspace application as the trusted source. When user records match the reconciliation criteria, the Google Workspace SDK retrieves them and sends them to IDHub. Each user record retrieved from the target system is cross-checked against existing IDHub Users. If there is a match between the target system record and the IDHub User, the User attributes are changed to reflect the changes made to the target system record. If no matches are identified, the target system record is utilized to generate an IDHub User.
  • Account management
    • This entails using IDHub to add, modify, or remove users from the target system.
      • During provisioning, the connector invokes the target system's Google Workspace SDK for provisioning tasks.
      • The target system's SDK accepts provisioning data, does the necessary actions there, and then sends IDHub the result back from the target system. Applications can carry out create, read, update, and delete (CRUD) actions on the target system using the Google Workspace SDK.
note

In developing the connector, we adhere to this fundamental architecture. The IDHub team will handle the connector modification section appropriately based on your unique business requirements if there are any improvements, extra specifications, or variations.

Connector Features

Full Reconciliation and Incremental Reconciliation

Full reconciliation can be performed to bring all existing user data from the target system to IDHub. If the target system has an attribute that stores the timestamp at which an item is created or modified, you can configure your connector for incremental reconciliation once the first full reconciliation operation has been completed.

info

The connector's future release version will incorporate incremental recon, which is not supported by the present version of the connector.

Limited Reconciliation

Records from the target system can be reconciled depending on a defined filter condition. You can define the subset of newly added or updated target system records that must be reconciled in order to restrict or filter the records that are fetched into IDHub during a reconciliation process. You can specify the conditions in which the reconciliation will take place.

Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

info

The current version of the connector do not support incremental recon & batched recon and will be supported in the future release version of the connector.

Reconciliation of Deleted Account Data

The Reconciliation task can be used to fetch details of deleted target system users. This information is used to revoke the corresponding Google Apps resources from IDHub.

Transformation and Validation of Account Data

You can configure transformation and validation of account data that is brought into or sent from IDHub during reconciliation and provisioning operations by writing Groovy scripts while creating your application.

Support for Connector Server

The connector architecture enables your application to communicate with externally deployed bundles by utilizing one or more connector servers. As a result, you have the option to run the IDHub Java connector bundle on a different host for better performance if you do not wish to execute it in the same VM as the application.

Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. IDHub connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each set basic configuration parameters that you provide while creating an application. For example, if you have three applications for three installations of the target system, then three connection pools will be created, one for each target system installation.

Support for Connector Operations in Multiple Domains

The connector supports reconciliation and provisioning operations in multiple domains. By default, this connector supports reconciliation and provisioning operations within a single domain. However, you can configure the connector for performing connector operations in more than one domain by specifying a value for the supportMultipleDomain parameter in Advanced Settings.

Support for Reconciliation of Account Status

Support for reconciliation of account status is one of the features where the connector fetches the status information during a reconciliation operation. During a reconciliation run, the connector can fetch status information along with the rest of the account data.

How do you get the secrets from your GCP instance?

  1. You need to have access to Google API developer console and project- to create the service account, create necessary keys and provide domain wide delegation to service account.
  2. You would need Admin email address
info
  • The Admin users personal Drives might show up in IDHub. It is recommended that the admin user provided in application.properties not have any personal drive or files.
  • The google admin account should not be an day to day user.

Google API configuration

This step covers creating service account, certificate and providing domain wide permission for service account.

Enable APIs on Google Workspace

To enable an API for your project:

  1. Go to the API Console.
  2. From the projects list, select a project or create a new one.
  3. If the APIs & services page isn't already open, open the console left side menu and select APIs & services.
  4. Then select Library.
  5. Click the Admin SDK API . If you need help finding the API, use the search field. Click ENABLE
  6. Perform the above steps on Google Drive API

Ensure API Enabled check box is selected next to ‘TRY THIS API’ button

Create service account

Service account keys could pose a security risk if compromised. Delete and Create new keys (.p12 certificate) for service account every month to mitigate this risk.

  1. Navigate to https://console.developers.google.com/apis/credentials .
  • Login with Admin credentials
  • Select the correct project from the drop down menu next to (Google Cloud Platform)
  1. Click on '+ CREATE CREDENTIALS'
  • select 'Service Account' from the drop down menu.
  • Provide a name (e.g: idhub-scim) and description to your Service Account
  • Note the complete Email address.
  • Click on 'DONE'
  1. Refresh the page if your newly created service account does not show up instantly on the credentials page.
  2. Click on the pencil icon next to the Service Account to edit it.
  • Now Click on 'SHOW DOMAIN-WIDE DELEGATION'
  • Check the box for 'Enable Google Workspace Domain-wide Delegation'
  • Click 'Save'.
  • A Client ID will show up. Copy this
  1. Navigate to Permissions tab and add the admin user as Owner

Generate service account private key

  1. Click on Keys tab in the service account.
  • Click on ‘ADD KEY', then 'Create new key’
  • Select P12 format
  • Click 'CREATE'
  • When the pop up for file opens up, select 'Save File' and save it to a location on you computer.
  • Note the private key password
  1. Rename the downloaded p12 file as desired and store the secret in a secure store.

Configure Domain wide delegation for service account

  1. Navigate to https://admin.google.com on a new tab/window
  2. Go to Main menu > Security > API Controls.
  3. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
  • Click Add new.

  • In the Client ID field, enter the service account's Client ID.

  • In the OAuth scopes (comma-delimited) field, enter the below list of scopes. (6 scopes) https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/drive.readonly

  • Click Authorize.

  • Click on View Details and verify the scopes are added.

Creating an Application by using the Connector

Onboard the Application in IDHub

tip

Click here for the detailed steps for onboarding the application to IDHub

Configuring the Connector

Connectors use connection-related parameters to connect to IDhub with your target system and perform connector operations when creating a connected application. IDHub requires the following connection-related parameters in order to connect to a Google Workspace application.

Basic Configuration of the Connector

ParameterMandatory?Description
Service Account IDYesEnter the email address of the service account created.
Service Account UserYesEnter the user name of account that you created to log in to the client application. Sample value: [email protected]
Service Account Private KeyYesEnter the name and complete path to the directory containing the private key. Sample value: /scratch/34567890sdfghjk.p12
Google Application NameYesEnter the name of the project that was created as part of registering the client application.
Google Domain NameYesEnter the name of your Google Apps domain. Sample value: mydomain.com
ScopeYesEnter the scope of your client application.
Connector Server NameNoIf you are using the Google Workspace Connector together with a Java Connector Server, then enter the name of Connector Server IT resource.
Proxy HostNoEnter the proxy host name. This is useful when a connector must be used in the network protected by the web proxy. Check with your network administrator for more information about proxy configuration.
Proxy PasswordNoEnter the proxy password. This is useful when a connector must be used in the network protected by the web proxy. Check with your network administrator for more information about proxy configuration.
Proxy PortNoEnter the proxy port number. This is useful when a connector must be used in the network protected by the web proxy. Check with your network administrator for more information about proxy configuration.
Proxy UsernameNoEnter the proxy user name. This is useful when a connector is to be used in the network protected by the web proxy. Check with your network administrator for more information about proxy configuration.

Advanced Settings Parameters

There are some advanced settings that you can configure in the connector.

info

In the current version of the connector, these advanced settings cannot be configured; however, they will be available in future releases.

ParameterMandatory?Description
Connector NameYesThis parameter holds the name of the connector class.
Connector Package NameYesThis parameter holds the name of the connector bundle package.
Connector Package VersionYesThis parameter hods the version of the connector bundle class.
Pool Max IdleNoMaximum number of idle objects in a pool. Sample value: 10
Pool Max SizeNoMaximum number of connections that the pool can create. Sample value: 10
Pool Max WaitNoMaximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Sample value: 150000
Pool Min Evict Idle TimeNoMinimum time, in milliseconds, the connector must wait before evicting an idle object. Sample value: 120000
Pool Min IdleNoMinimum number of idle objects in a pool. Sample value: 1
supportMultipleDomainNoThis entry specifies whether the connector can perform connector operations in a single or multiple domain. By default, the connector performs connector operations only on the domain specified as the value of the Google Domain Name basic configuration parameter. Set the value of this entry to true if you want the connector to perform connector operations in all the domains present in Google Apps. Default value: false

Attribute Mappings for the Connector

Google Workspace SchemaUser Schema in IDHubSync DirectionIsVisibleExampleType of Attribute
countryofficeAddressCountryBi-DirectionalVisibleUK
displayNamedisplayNameBi-DirectionalVisibleJohn_Depp
externalIdHidden
familyNamelastNameBi-DirectionalVisibleDepp
givenNamefirstNameBi-DirectionalVisibleJohn
idloginBi-DirectionalVisibleJohn33Unique Key (auto generated) Account Name Field
localityofficeAddressCityBi-DirectionalVisibleLondon
metaGoogleMetaBi-DirectionalVisible
orgUnitPathHidden
phoneNumberphoneNumberBi-DirectionalVisible8847-487-8874
poBoxHidden
postalCodeofficeAddressPostalBi-DirectionalVisible99478757
primaryEmailemailBi-DirectionalVisible[email protected]Reconciliation Key
recoveryEmailHidden
recoveryPhoneHidden
schemasHidden
secondaryEmailHidden
streetAddressofficeAddressLine1Bi-DirectionalVisibleBoulevard St.
temporaryPasswordHidden
thumbnailPhotoUrlHidden
departmentdepartmentBi-DirectionalVisibleIT
jobTitlejobTitleBi-DirectionalVisibleManager
managerLoginmanagerLoginBi-DirectionalVisibleMang234
managerDisplayNamemanagerDisplayNameBi-DirectionalVisibleDepp
StatusStatusBi-DirectionalVisibleActive
locationlocationBi-DirectionalVisibleLondon
homeAddressLine1homeAddressLine1Bi-DirectionalVisibleBl. St.
homeAddressCityhomeAddressCityBi-DirectionalVisibleLondon
homeAddressStatehomeAddressStateBi-DirectionalVisibleLondon
homeAddressZipcodehomeAddressZipcodeBi-DirectionalVisible4454
officeAddressZipcodeofficeAddressZipcodeBi-DirectionalVisible3555
officeAddressStateofficeAddressStateBi-DirectionalVisibleLondon
userTypeuserTypeBi-DirectionalVisibleEmployee
organizationNameorganizationNameBi-DirectionalVisibleSath
employeeNumberemployeeNumberBi-DirectionalVisibleJohn8678
provisionedDateprovisionedDateBi-DirectionalVisible05/06/23
createDatecreateDateBi-DirectionalVisible05/06/22
homeAddressLine2homeAddressLine2Bi-DirectionalVisibleBl. St.
officeAddressLine2officeAddressLine2Bi-DirectionalVisibleBl. St.
homeAddressCountryhomeAddressCountryBi-DirectionalVisibleUK
tip
  • GoogleMeta is a custom IDHub field
    • In order to create this field, click on the Add New Field from the IDHub Field schema and then enter the name of the custom field in the dropdown and click on save. Make sure that you select the Multi-Value toggle for the field.
  • Sync Direction of the Attributes depends on whether you regard Google Workspace as your Trusted Source.
  • You should only synchronize from IDHub to Google Workspace and not the reverse if Google Workspace is not a trusted system in your case.

Possible Recon Keys and Values

Possible Recon KeyPossible Recon Key Values
primaryEmail[email protected]
idJohn33
managerLoginMang234
employeeNumberJohn8678

Connector Application Configuration

Connector application is designed such that it works as the wrapper application to the different scim adapters. This majorly consists of the following:

Authentication

  • Basic Authentication is required
  • The encrypted values of username and password will be stored in the properties file

Resource Type

These are the two resource types available for the IDHUB connector. The "resourceName" attribute value in rest api calls will have one of these values.

  • Account - user account in the target system - this will include entitlement membership
  • Entitlement -available entitlements in the target system

Google Workspace Connector Splice configuration

In order to provision, modify, and revoke two main resources, Accounts and Entitlements, the Google Workspace Connector Splice integrates with the IDHub Connector Application. IDHub's Account translates into a User in SCIM and Google Workspace, whereas IDHub's Entitlements translate into a Group in Google Workspace.

IDHUBSCIMGoogle WorkspaceOperation
AccountAccountUserList, Create, Modify, Delete, Add Entitlement (PATCH Only), Revoke Entitlement (PATCH Only)
EntitlementsEntitlementGroups, Shared DriveList, Create, Modify, Delete

Connector Splice Design

Account Schema

The Account Schema configuration of the Google Workspace connector Splice is as follows:

{
"attributes": [
{
"name": "country",
"multiValued": false,
"description": "The country in which the user is located.",
"idhubFieldName": "officeAddressCountry"
}, {
"name": "displayName",
"multiValued": false,
"description": "The fullName/displayName of the user. REQUIRED.",
"mutability": "readOnly",
"returned": "always",
"required": true,
"idhubFieldName": "displayName"
}, {
"name": "externalId",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"mutability": "readOnly",
"returned": "always",
"caseExact": true
}, {
"name": "familyName",
"multiValued": false,
"description": "The lastName/familyName of the user. REQUIRED.",
"returned": "always",
"required": true,
"idhubFieldName": "lastName"
}, {
"name": "givenName",
"multiValued": false,
"description": "The firstName/givenName of the user. REQUIRED.",
"returned": "always",
"required": true,
"idhubFieldName": "firstName"
}, {
"name": "id",
"multiValued": false,
"description": "The unique ID for the user.",
"mutability": "readOnly",
"returned": "always",
"required": true,
"idhubFieldName": "login"
}, {
"name": "locality",
"multiValued": false,
"description": "The town or city in which the user is located.",
"idhubFieldName": "officeAddressCity"
}, {
"name": "meta",
"multiValued": false,
"description": "A complex attribute containing resource metadata.",
"mutability": "readOnly",
"subAttributes": [
{
"name": "resourceType",
"multiValued": false,
"description": "The name of the resource type of the resource.",
"mutability": "readOnly",
"caseExact": true
}, {
"name": "created",
"multiValued": false,
"type": "dateTime",
"description": "The DateTime that the resource was added to the service provider."
}, {
"name": "lastModified",
"multiValued": false,
"type": "dateTime",
"description": "The most recent DateTime that the details of this resource were updated at the service provider."
}, {
"name": "location",
"multiValued": false,
"description": "The name of the resource type of the resource.",
"mutability": "readOnly",
"caseExact": true
}, {
"name": "version",
"multiValued": false,
"description": "The version of the resource being returned.",
"mutability": "readOnly",
"caseExact": true
}
]
}, {
"name": "orgUnitPath",
"multiValued": false,
"description": "The full path of the parent organization associated with the user. If the parent organization is the top-level, it is represented as a forward slash (/).",
"mutability": "readOnly"
}, {
"name": "phoneNumber",
"multiValued": false,
"description": "A list of phone numbers of user. The maximum allowed data size is 1Kb.",
"returned": "request",
"canonicalValues": [
"$REGEX ^.{1,64}$"
],
"idhubFieldName": "phoneNumber"
}, {
"name": "poBox",
"multiValued": false,
"description": "The post office box in which the user is located, if present."
}, {
"name": "postalCode",
"multiValued": false,
"description": "The ZIP or postal code in which the user is located, if applicable.",
"idhubFieldName": "officeAddressPostal"
}, {
"name": "primaryEmail",
"multiValued": false,
"description": "Primary email address of user.",
"returned": "always",
"uniqueness": "global",
"required": true,
"idhubFieldName": "email"
}, {
"name": "recoveryEmail",
"multiValued": false,
"description": "Recovery email of the user.",
"returned": "request"
}, {
"name": "recoveryPhone",
"multiValued": false,
"description": "Recovery phone of the user.",
"returned": "request",
"canonicalValues": [
"$REGEX ^.{1,64}$"
]
}, {
"name": "schemas",
"multiValued": true,
"description": "The schemas attribute is a REQUIRED attribute and is an array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure.",
"mutability": "readOnly",
"returned": "always",
"caseExact": true,
"required": true
}, {
"name": "secondaryEmail",
"multiValued": false,
"description": "Secondary email address of user. OPTIONAL.",
"returned": "request"
}, {
"name": "streetAddress",
"multiValued": false,
"description": "The street address in which the user is located.",
"idhubFieldName": "officeAddressLine1"
}, {
"name": "temporaryPassword",
"multiValued": false,
"description": "The temporaryPassword of the user. Returned for Creation Only.",
"mutability": "readOnly",
"caseExact": true
}, {
"name": "thumbnailPhotoUrl",
"multiValued": false,
"description": "Photo Url of the user",
"mutability": "readOnly",
"returned": "request"
}
]
}

Entitlement Schema

{
"attributes": [
{
"name": "displayName",
"multiValued": false,
"description": "The displayName of the Entitlement.",
"required": true
}, {
"name": "email",
"multiValued": false,
"description": "The email address of the Group Entitlement",
"returned": "always",
"caseExact": true,
"required": true
}, {
"name": "externalId",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"mutability": "readOnly",
"returned": "always",
"caseExact": true
}, {
"name": "id",
"multiValued": false,
"description": "The complex id of the Entitlement.",
"returned": "always",
"caseExact": true,
"required": true
}, {
"name": "meta",
"multiValued": false,
"description": "A complex attribute containing resource metadata.",
"mutability": "readOnly",
"subAttributes": [
{
"name": "resourceType",
"multiValued": false,
"description": "The name of the resource type of the resource.",
"mutability": "readOnly",
"caseExact": true
}, {
"name": "created",
"multiValued": false,
"type": "dateTime",
"description": "The DateTime that the resource was added to the service provider."
}, {
"name": "lastModified",
"multiValued": false,
"type": "dateTime",
"description": "The most recent DateTime that the details of this resource were updated at the service provider. If this resource has never been modified since its initial creation, the value MUST be the same as the value of created."
}, {
"name": "location",
"multiValued": false,
"description": "The name of the resource type of the resource.",
"mutability": "readOnly",
"caseExact": true
}, {
"name": "version",
"multiValued": false,
"description": "The version of the resource being returned.",
"mutability": "readOnly",
"caseExact": true
}
]
}, {
"name": "permissionId",
"multiValued": false,
"description": "Permission ID when an Entitlement is granted to user. This will be used to revoke memberships. It will be returned only during membership creation. Client should save this information and send it to Splice during revocation. This is only applicable when an account is assigned an entitlement. OPTIONAL.",
"caseExact": true
}, {
"name": "requestId",
"multiValued": false,
"description": "A unique ID related to user request. This will be used to avoid duplicate resources created for same request when creating Shared Drive. It is highly recommended that this is populated during shared drive creation. A random UUID will be created if this value is not provided. OPTIONAL.",
"returned": "never",
"caseExact": true
}, {
"name": "schemas",
"multiValued": true,
"description": "The schemas attribute is a REQUIRED attribute and is an array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure.",
"mutability": "readOnly",
"returned": "always",
"caseExact": true,
"required": true
}
]
}

Deploying the Google Workspace Connector

Deploying using IDHub Connector Onboarding Wizard

Click Here to view more details about how to use IDHub's Cloud Connector Onboarding wizard to deploy the connector.

Deploy on your own

Deploy on Cloud

tip

The documentation for deploying the connector on your own Cloud Platform is coming soon

Deploy on your Server

Prerequisites

  • IDHub web hostname.
  • An IDHub Tenant.
  • A Google Workspace server and its IP address and Port.
  • A Google Workspace user account with password which has Read and Write permissions on all user objects of the required OU(s).
  • An Ubuntu/Debian Linux VM with Docker engine, Compose plugin, cURL, jq and unzip.
  • A service URL with valid certificate which points to port 7001 on the above VM.

Step 1 — Creating Connector OAuth Client (ID)

From IDHub Dashboard, go to Admin Settings > Sign-On > Keycloak Administration and do the following steps.

  • Go to Clients menu.
  • Create client and set Client ID to ‘Google Workspace-connector’ and Save.
  • Set Valid Redirect URIs to '*' and Save.

Step 2 — Create service account user and password in Keycloak in tenant realm

In your Keycloak realm, do the following.

  • Go to Users menu.
  • Add user.
  • Set Username to ‘Google Workspace-service-account’ and Save.
  • Go to its Credentials menu and set a password. (Note: For this tutorial, we have used ‘sapassword1’. We highly recommend using a different one for your service account).

Step 3 — Generate Access token and Refresh token

curl --location --request POST 'https://IDHUB_HOSTNAME/auth/realms/TENANT_NAME/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=OAUTH_CLIENT_ID' \
--data-urlencode 'username=SERVICE_ACCOUNT_USER' \
--data-urlencode 'password=SERVICE_ACCOUNT_PASSWORD' \
--data-urlencode 'scope=offline_access' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'request_token_type=urn:ietf:params:oauth:token-type:access_token' \
| jq

Replace the following:

  • IDHUB_HOSTNAME: The IDHub web hostname. A prerequisite. eg. test.sath.com
  • TENANT_NAME: Tenant that you created in test.sath.com. A prerequisite. eg. alpha
  • OAUTH_CLIENT_ID: OAuth Client ID you created in Step 1.
  • SERVICE_ACCOUNT_USER: Service account username you created in Step 2.
  • SERVICE_ACCOUNT_PASSWORD: Service account password you created in Step 2.
info

We now have our tokens. Let’s deploy the connector.

Step 4 — Prepare the .env file

  • Clone the IDHub’s AD Connector repository and edit the .env file.
wget https://storage.googleapis.com/sath-public-binaries/connectors/idhub-google-workspace-connector.zip
unzip idhub-google-workspace-connector.zip
cd idhub-google-workspace
nano .env
BUSINESS_OWNER=ADMIN_EMAIL
IT_OWNER=ADMIN_EMAIL
DOMAIN_URL=GOOGLE_DOMAIN_URL
ADMIN_EMAIL=ADMIN_EMAIL
SERVICE_ACCOUNT=SERVICE_ACCOUNT_EMAIL
CONNECTOR_DEBUG_LEVEL=DEBUG
IDHUB_HOSTNAME=example.iamsath.com
KEYCLOAK_ACCESS_TOKEN=ACCESS_TOKEN
KEYCLOAK_CLIENT_ID=Entra ID-connector
KEYCLOAK_REFRESH_TOKEN=REFRESH_TOKEN
KEYCLOAK_REALM=TENANT_NAME
SPLICE_DEBUG_LEVEL=DEBUG
PORT=CONNECTOR_PORT
GOOGLE_CERT=GOOGLE_CERT_PATH
GOOGLE_CERTIFICATE=GOOGLE_CERT_VARIABLES
info

Replace the following:

  • IDHUB_HOSTNAME: IDHub web hostname. From prerequisites. eg. test.sath.com
  • ACCESS_TOKEN: From Step 3 output. Put it WITHOUT the quotes.
  • REFRESH_TOKEN: From Step 3 output. Put it WITHOUT the quotes.
  • KEYCLOAK_CLIENT_ID: From Step 1.
  • TENANT_NAME: Tenant created in IDHub. From prerequisites. eg. alpha
  • GOOGLE_WORKSPACE_SERVER_IP_ADDRESS: From prerequisites. eg. 10.128.6.87
  • GOOGLE_WORKSPACE_SERVER_PORT: From prerequisites. eg. 389 or 636
  • CONNECTOR_PORT: Google Workspace connector port which you are planning to run on. The Service URL points to this port.
  • GOOGLE_CERT: Add the Google certificate path here.
  • GOOGLE_CERTIFICATE: Add the Google Certificate variables here.

Step 5 — Run the container

  • In the connector directory, run the following command.
docker compose up -d