Data provisioning
Prerequisites
When you enable data provisioning, choose the Google Workspace (Template) connector. Enter a unique name for the new connector. If you selected and configured a template connector, the configured template is stored in Omada Identity. When Omada rolls out changes to the template connectors, your configurations remain intact in your own version.
Google Workspace provisioning configuration
In order to configure provisioning to Google Workspace, the following settings should be used:
- Base address - the default value is https://www.googleapis.com/admin/directory/v1
- Authentication type - OAuth2
- URL for Authorization token- https://oauth2.googleapis.com/token OAuth Grant Type -JWT Bearer
- JWT Issuer - service account generated email
- JWT Subject - email of the user authorized to use the API
- JWT Audience - https://oauth2.googleapis.com/token
- JWT Private Key - service account key
- JWT Encryption algorithm - RS256
Scope for JWT Additional claims - can be found here: https://developers.google.com/identity/protocols/oauth2/scopes However, the default queries and mappings require the following claims:
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.rolemanagement
- https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/apps.licensing
Data model
The data model contains the necessary definitions of properties and object types required for basic provisioning. If you wish to provision to additional properties of, for example, users, you must add the properties to this data model first.
Task mappings
The Google Workspace connector is out of the box supplied with task mappings for Users and Assignments to group.
For the Google Workspace User task mapping you need to supply the field mappings for customerId and domain with your sources.
The customerId can be found in the Google Admin Console (https://admin.google.com/ac/home) under Account Settings.
The default mappings use the technical id of accounts if available. If the technical id is not available, the primaryEmail is used to identify users.