PhenixID

PSD5007 – Google Apps Service Account Configuration

Fact

  • PhenixID Automatic Account Manager, called AAM
  • PhenixID Identity Provisioning, called Provisioning
  • Platform: Any supported


System Requirements

Account in Google Apps


Situation

Set up service account and credentials to use provisioning actions in AAM.


Solution

Create Service Account

For AAM to interact with Google Cloud Storage, you need a private key and the other service-account credentials. To generate these credentials, or to view the email address and public keys that you have already generated, do the following:

  1. Go to the Google Developers Console, https://console.developers.google.com/
  2. Select a project, or create a new one called AAM Provisioning.
  3. Click on the project.
  4. In the sidebar on the left, expand APIs & auth, then click APIs. In the list of APIs, make sure the ‘Admin SDK’ API is enabled; the “Enabled APIs” link shows which APIs are currently enabled.
  5. In the sidebar on the left, select Credentials.
  6. To set up a new service account, do the following:
    1. Under the OAuth heading, select Create new Client ID.
    2. When prompted, select Service Account and click Create Client ID.
    3. A dialog box appears. To proceed, click Okay, got it.

If you already have a service account, you can generate a new key by clicking the appropriate button beneath the existing service-account credentials table.

The Google provisioning actions in AAM require this private key. Google does not keep a copy of it, and this screen is the only place it can be obtained. When you click Download private key, the PKCS #12-formatted private key is downloaded to your local machine. As the screen indicates, you must store this key securely yourself.

The downloaded file is named after the key’s thumbprint. When inspecting the key on your computer you must provide the password notasecret. Note that although the password is the same (notasecret) for all Google-issued private keys, each key itself is cryptographically unique; the password protects nothing on its own, so the file must be protected by access controls.

You can generate multiple public-private key pairs for a single service account. This makes it easier to update credentials or roll them over without application downtime. However, you cannot delete a key pair if it is the only one created for that service account.
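The following is an added example, not PhenixID’s or Google’s own code: a POSIX shell script that converts a downloaded service-account .p12 file to a PEM private key for AAM using the fixed password notasecret, refuses and cleans up if the file does not decrypt, restricts the extracted file to its owner, and prints a SHA-256 fingerprint of the key’s public half so that the copy on the AAM host can be compared with the copy you downloaded. The file names, the function names, and the throwaway sample key it generates with openssl in place of a real Google download are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not PhenixID's or Google's code): inspect and stage a
# Google service-account PKCS#12 private key for use by AAM.
set -eu

# Google issues every service-account .p12 with this fixed password.
P12_PASS="notasecret"

# Convert the PKCS#12 bundle into an unencrypted PEM private key.
# Fails (and removes any partial output) when the file or password is wrong.
# A third argument overrides the password, so a bad password can be tested.
extract_key() {
    p12="$1"; out="$2"; pass="${3:-$P12_PASS}"
    # umask in a subshell so the PEM is created without group/other access
    ( umask 077; openssl pkcs12 -in "$p12" -nocerts -nodes \
        -passin "pass:$pass" -out "$out" 2>/dev/null ) \
        || { rm -f "$out"; return 1; }
    chmod 600 "$out"
}

# SHA-256 over the DER-encoded public half of a PEM private key.
# Two copies of the same key give the same value; use it to compare the
# key staged on the AAM host with the one originally downloaded.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Constructed sample (assumption): a throwaway RSA key exported as PKCS#12
# with the Google password, standing in for the real download.
make_sample_p12() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample-service-account" \
        -keyout "$dir/sample.pem" -out "$dir/sample.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/sample.pem" -in "$dir/sample.crt" \
        -passout "pass:$P12_PASS" -out "$dir/sample.p12"
}

main() {
    tmp=$(mktemp -d)
    make_sample_p12 "$tmp"
    extract_key "$tmp/sample.p12" "$tmp/aam-google.pem"
    mode=$(stat -c %a "$tmp/aam-google.pem" 2>/dev/null \
        || stat -f %Lp "$tmp/aam-google.pem")
    echo "permissions: $mode"
    echo "fingerprint: $(key_fingerprint "$tmp/aam-google.pem")"
    rm -rf "$tmp"
}

main "$@"
```

In practice you would point extract_key at the downloaded thumbprint-named .p12 file instead of the constructed sample; the fingerprint printed for the staged PEM should equal the one computed from the original download.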


Delegate Authority to the Service Account

The service account you created must now be granted access to the user data of the Google Apps domain that you want to provision. The following tasks must be performed by an administrator of the Google Apps domain:

  1. Go to your Google Apps domain’s Admin console, http://admin.google.com/
  2. Select Security from the list of controls. If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
  3. Select Advanced settings from the list of options.
  4. Select Manage API Client access in the Authentication section.
  5. In the Client name field enter the service account’s Client ID (found in the Google Developer Console).
  6. In the One or More API Scopes field enter only the scopes needed for the provisioning actions you use, comma-separated:
    1. Users: https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.user.alias, https://www.googleapis.com/auth/admin.directory.userschema
    2. Groups: https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.group.member
    3. OrgUnits: https://www.googleapis.com/auth/admin.directory.orgunit
    4. Roles: https://www.googleapis.com/auth/admin.directory.rolemanagement
  7. Click the Authorize button.

Your service account now has domain-wide access to the Google Drive API for all users and groups in your domain.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se