Follow this procedure to set up Google G Suite as a proxy system.
-
Sign in to the Google API console (https://console.developers.google.com) and create a project.
-
Enable the Admin SDK. To do this, go to Dashboard > ENABLE API > Admin SDK > ENABLE.
-
Create a service account for your project. We recommend that you select Enable G Suite Domain-wide Delegation during the creation. If you skip this option, you can set it later. For more information, see Creating a service account.
-
Then, in the Google admin console (https://admin.google.com), a user with Super Admin role can delegate domain-wide authority to your service account. This way, it will have access to the Google Admin SDK on behalf of your user. For more information, see Delegating domain-wide authority.
NOTE: When specifying the scopes, the administrator has to enter the following:
https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group
Administrators of bundle tenants on Neo environment should enable the Manage OAuth Clients permission, as described in Neo Environment section in Manage Authorizations
↗️ .
A Google service account with delegated domain-wide authority is required for authentication and authorization of the Identity Provisioning service to G Suite domain. The authentication is based on OAuth 2.0 protocol with JSON Web Token (JWT). The private key for the signature is distributed by Google via one-time downloadable JSON data, which is accessible by the domain administrator. The private key is encoded in PKCS8 format and is in the private_key field of the JSON data. For more information, see JSON Web Token (JWT).
- When using it as a source system, you can read both users and groups from Google G Suite and provision them to any target system you have added in the Identity Provisioning user interface.
- When using it as a target system, you can write both users and groups, read from any source system you have added in the Identity Provisioning user interface. Google G Suite can automatically create accounts for your users in the Google Cloud Datastore.
The Identity Provisioning service supports user and group operations based on the following Google Directory API. See the table below.
|
User Operations |
Group Operations |
|---|---|
You can only provision users whose e-mails are from verified domains.
If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.
-
Open your subaccount in SAP BTP cockpit (valid for OAuth authentication to the Identity Provisioning proxy system).
If you have a bundle tenant, then in the cockpit → Neo → Overview, you can see the Global account, which SAP provides for your bundle in the corresponding Identity Provisioning region. Then, in the global account, you can see your subaccount, where the Identity Provisioning is enabled as a service for the bundle. The display name of the subaccount starts with SAP_BUNDLE.
-
Sign in to the administration console of SAP Cloud Identity Services and navigate to Users & Authorizations > Administrators.
-
Create a technical user with the necessary authorizations. It will later be used by the external consumer to connect to Identity Provisioning.
-
For Certificate-based authentication, follow the procedure in Manage Certificates for Inbound Connection → SAP BTP, Neo Environment
-
For OAuth authentication, proceed as follows:
-
Go to Security > OAuth > Clients and choose Register New Client.
-
From the Subscription combo box, select <provider_subaccount>/ipsproxy.
-
From the Authorization Grant combo box, select Client Credentials.
-
In the Secret field, enter a password (client secret) and remember it. You will need it later, for the repository configuration in the external system.
-
Copy/paste and save (in a notepad) the generated Client ID. You will need it later, too.
-
From the left-side navigation, choose Subscriptions > Java Applications > ipsproxy .
-
From the left-side navigation, choose Roles > IPS_PROXY_USER.
-
Choose Assign and enter oauth_client_<client_ID>.
For <client_ID>, enter the one you have saved in the previous main step.
-
-
For Certificate-based authentication, upload the certificate for the technical user of type System, as described in Add System as Administrator and enable the Access Proxy System API permission.
-
For Basic authentication, proceed as follows:
-
Add an administrator user of type System and configure the basic authentication method for this user.
If you already have a technical user, skip this step.
-
Save your changes.
-
Select your administrator user of type System and enable the Access Proxy System API permission.
-
Save your changes.
-
-
-
Access the Identity Provisioning UI.
-
Add Google G Suite as a proxy system. For more information, see Add New Systems.
-
Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties
Property Name
Description & Value
TypeEnter: HTTP
URLSpecify the service URL:
https://www.googleapis.com/admin/directoryProxyTypeEnter:
InternetAuthenticationEnter: BasicAuthentication
The authentication type in use is actually OAuth with JWT. But for any provisioning system based on OAuth, BasicAuthentication is used along with the
OAuth2TokenServiceURLadditional property.UserEnter the service account’s ID. You can take it from the "client_email" field in the JSON data, downloaded during the setup of Google service account.
Password(Credential) Enter the service account’s private key, which represents a long string in PKCS8 format. You can take it from the "private key" field in the JSON data, downloaded during the setup of Google service account.
OAuth2TokenServiceURLTo make OAuth authentication to the Google G Suite system, enter the URL to the access token provider service. For more information, see Using OAuth 2.0 to Access Google APIs.
jwt.subjectEnter the Google G Suite user on behalf of which the Google Directory API is called. This user has been assigned the role User Management Admin.
This property corresponds to “sub” claim in JWT being generated during access token request: JWT: "sub" (Subject) Claim
(Optional)
jwt.scopeEnter space-separated Google Directory API authorization scopes. For example:
https://www.googleapis.com/auth/admin.directory.userTo learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
Exemplary Configuration:
ProxyType=InternetType=HTTPAuthentication=BasicAuthenticationURL=https://www.googleapis.com/admin/directoryUser=1234567890-compute@developer.gserviceaccount.comPassword=-----BEGIN PRIVATE KEY-----\n123ABCDEFG123456789...… /123456789ABCDEFG123=\n-----END PRIVATE KEY-----\n
OAuth2TokenServiceURL=https://www.googleapis.com/oauth2/v4/tokenjwt.subject=john.smith@me123.accounts.ondemand.comjwt.scope=https://www.googleapis.com/auth/admin.directory.user -
(Optional) Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the Google G Suite proxy system, whose settings are displayed under the Transformations tab after saving its initial configuration.
An initial password setup is mandatory for all newly provisioned users. This is required by the Google G Suite API and must be provided when new accounts are created. The constant value that you see as configuration for the password attribute in the default transformation is generated by SAP. You have to change the constant value with another one, known only by the representatives of your company, before starting to use the Identity Provisioning service for creating users in your corporate Google G Suite system automatically.
You can change the default transformation mapping rules to reflect your current setup of entities in your Google G Suite. For more information, see:
Default read and write transformations:
The proxy Read Transformation is used when the external client application (for example, SAP Identity Management) makes initial load. That is, executing GET requests to the resource endpoints (/Users or /Groups) to retrieve the corresponding entities of the particular type. The external client application can also execute GET requests to a single resource endpoint (querying a single resource is supported). In this case, the proxy system acts as a source one.
The proxy Write Transformation is used when the external application manages the entities in the proxy system – creates new entities, updates existing ones, or deletes existing ones. In this case, the proxy system acts as a target one.
However, after a Create or Update operation is performed on the proxy system, the Read Transformation is applied to the result, so that the created or updated entity is sent back to the external application. This behavior demonstrates that the proxy Read Transformation is used for write cases, as well.
Read Transformation
Write Transformation
{ "user": { "scimEntityEndpoint": "Users", "mappings": [ { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem", "targetPath": "$.id" }, { "sourceVariable": "entityBaseLocation", "targetVariable": "entityLocationSourceSystem", "targetPath": "$.meta.location", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }, { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" }, { "sourcePath": "$.primaryEmail", "targetPath": "$.emails[0].value", "correlationAttribute": true }, { "sourcePath": "$.primaryEmail", "targetPath": "$.userName" }, { "targetPath": "$.emails[0].primary", "constant": true }, { "sourcePath": "$.name", "targetPath": "$.name" }, { "constant": true, "targetPath": "$.active" }, { "condition": "$.suspended == true", "constant": false, "targetPath": "$.active" } ] }, "group": { "scimEntityEndpoint": "Groups", "mappings": [ { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" }, { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem", "targetPath": "$.id" }, { "sourceVariable": "entityBaseLocation", "targetVariable": "entityLocationSourceSystem", "targetPath": "$.meta.location", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }, { "sourcePath": "$.name", "targetPath": "$.displayName" }, { "sourcePath": "$.members[?((@.type == 'USER') && (@.status == 'ACTIVE'))]", "targetPath": "$.members", "optional": true, "preserveArrayWithSingleElement": true }, { "targetPath": "$.members[*].status", "type": "remove" }, { "constant": "value", "targetPath": "$.members[*].id", "type": "rename" }, { "targetPath": "$.members[*].kind", "type": "remove" }, { "targetPath": "$.members[*].etag", "type": "remove" }, { "targetPath": "$.members[*].role", "type": "remove" }, { "constant": "display", "targetPath": "$.members[*].email", "type": "rename" } ] } }{ "user": { "scimEntityEndpoint": "Users", "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)", "mappings": [ { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "sourcePath": "$.name", "targetPath": "$.name" }, { "sourcePath": "$.emails[0].value", "targetPath": "$.primaryEmail" }, { "sourcePath": "$.phoneNumbers", "targetPath": "$.phones", "optional": true }, { "scope": "createEntity", "targetPath": "$.password", "functions": [ { "type": "randomPassword", "passwordLength": 16, "minimumNumberOfLowercaseLetters": 1, "minimumNumberOfUppercaseLetters": 1, "minimumNumberOfDigits": 1, "minimumNumberOfSpecialSymbols": 0 } ] }, { "constant": "false", "targetPath": "$.suspended" }, { "condition": "$.active == false", "constant": true, "targetPath": "$.suspended" }, { "constant": "true", "targetPath": "$.changePasswordAtNextLogin" } ] }, "group": { "scimEntityEndpoint": "Groups", "mappings": [ { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" }, { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "sourcePath": "$.displayName", "targetPath": "$.email", "scope": "createEntity" }, { "sourcePath": "$.displayName", "targetPath": "$.name" }, { "sourcePath": "$.members", "targetPath": "$.members", "preserveArrayWithSingleElement": true, "optional": true }, { "targetPath": "$.members[*].value", "type": "rename", "constant": "id" }, { "targetPath": "$.members[*].display", "type": "remove" } ] } }If the displayName attribute in the source system transformation does not provide group e-mails, you can modify the transformation the following ways:
-
Map email to another attribute that contains a unique group e-mail.
-
Concatenate the displayName attribute with your domain. For example:
{ "sourcePath": "$.displayName", "targetPath": "$.email", "scope": "createEntity", "functions": [ { "type": "concatString", "suffix": "@test.myaccount.ondemand.com" } ] }
-
-
Connect the external consumer to Identity Provisioning with the technical user you have created in step 2.
If the external consumer system is SAP Identity Management, you can export the newly created proxy system as a SCIM repository from Identity Provisioning and import it in SAP Identity Management. This will create a SCIM repository in SAP Identity Management where most of the repository constants will be automatically filled in. You need to provide the technical user credentials that you have set up in step 2 and the SCIM assignment method as described below:
-
For AUTH_USER and AUTH_PASSWORD, enter your client ID and secret.
-
For the SCIM_ASSIGNMENT_METHOD constant, make sure the value is PUT.
-
For AUTH_USER and AUTH_PASSWORD, enter the user ID and password of the Identity Authentication technical user for which you have set permission Access Proxy System API.
-
For the SCIM_ASSIGNMENT_METHOD constant, make sure the value is PUT.
For external consumer systems, other than SAP Identity Management, you should also use the PUT method for modifying entities.
-
When a proxy system is connected to an external backend system (in the case of SAP Identity Management this means the exported CSV file is imported into the Identity Management Admin UI and a repository is configured), you can start managing the users and groups into this external system. Usually, the first operation is the initial load of the existing entities into your external system. When this load has finished, changes in the external system, such as creating new users or updating existing ones, can trigger CRUD requests back to the proxy system.
To see an example with SAP Identity Management, see Hybrid Scenario: SAP Identity Management → sections Next Steps and Future Identity Lifecycle.
Effective September 2020, Shanghai (China) tenants that reside on SAP BTP, Neo environment can be only accessed on the following domain:
dispatcher.cn1.platform.sapcloud.cnSo make sure you use the correct domain when you construct your REST API requests.
For example: GET https://ipsproxyabcd12345-xyz789.dispatcher.cn1.platform.sapcloud.cn/ipsproxy/api/v1/scim/bbb111aa-1234-aaaa-7777-1234567abcde/Users/s123456789
To learn more, see: Proxy Systems