Is there an API to get which user groups are assigned to a certain application in Google Workspace? - google-admin-sdk

In Google Workspace admin console, we can configure SSO for applications, and assign user groups to the application.
The group assignment can be checked using the following way:
https://support.google.com/a/answer/9050643?hl=en#step5&zippy=%2Csee-the-services-and-organizational-units-for-access-groups%2Cstep-check-service-access
Is there any API to retrieve this group assignment information?
I don't see any in Google Workspace Admin API.

Answer:
There's currently no API in Admin SDK that will retrieve this information.
Feature request:
If you're interested in this feature, I'd suggest you request it on Issue Tracker using this template.

Related

How to get Google Workspace user subscriptions using Google API

I can obtain the information about each user for the given Google Workspace organization using the following endpoint:
GET https://admin.googleapis.com/admin/directory/v1/users
However, the licensing information is missing from the response. How can I get the list of all active subscriptions for the given Google Workspace user?

Google Cloud Project Service Accounts

I am using a Google Cloud Project to automate the creation of some users inside of our organization. I have been using some APIs that are hosted using the Google Cloud and have had no problem authenticating and using the APIs, however I am not sure if I should be using a service account for this. I am currently using the Google Drive API, the Google Admin SDK (Directory API), the Sheets API, and the Docs API to create some accounts and manage an error log.
What I am asking is, should I be creating a service account to use the APIs or is my own personal Google Workspace account okay for creating these? Is there a site/video/something that can guide me in the right direction if I do need to create a service account? I personally would rather have all of the automation using a service account for authentication, but the only videos and tutorials I found on using the service accounts are trying to use resources pertaining to Cloud Computing and service accounts that are impersonating other service accounts.
Using a Service Account is the best course of action for security reasons when you are the one giving authorization and authentication to your organization.
It is identical to granting access to any other identity to allow a service account access to a resource. For instance, suppose you only want an application that runs on Compute Engine to be able to generate items in Cloud Storage.
As a result, instead of managing each and every one of your users, you may limit and manage service accounts, assign certain roles to specific users or groups, and keep track of them because several service accounts can be created in a project.
Since you use Google Workspace, I also advise you to read the shared documentation posted in the comments by @John Hanley.

Google Workspace: manage domain-wide delegation programmatically

I have an application that can manage Google Calendar within the Google Workspace of the company. The application contains more than one company.
I want to use domain-wide delegation. As described here or here, the admin of the workspace needs to add the service account id and scope manually.
Is there a way to do this programmatically?
After some research and also looking into Google Workspace's Admin SDK documentation here and here, this does not seem to be an available option at the moment.
You may want to submit a feature request here for that.
For service or local applications, the admin has to manually generate the service account and grant this service account with domain-wide authorization. There is no way to do this programmatically (unless for pure SaaS applications).

Using the default application credentials to access the Google Play API?

I'm building an appengine app that requires access to the Google Play Developer API. I've seen in the sample code that it's possible to authenticate using a service account in addition to Oauth.
Is there any chance this could work with the default service account without having to generate a json key ? That would make the setup a bit easier.
Edit: be more explicit about not using a json key but really using the default application credentials instead.
For App Engine Standard environment:
You can generate a Service Account key file from the default service account. Follow the sample code link you provided, then click on the link shown in the "Getting Started" section, and you'll get into the Google Developer Console. If logged in with the correct account (you should see your project name at the top), then go to Credentials -> Create credentials -> Service Account key. In the service account dropdown list, choose "App Engine Default Service Account", choose JSON as key type and you should be good to go to follow the last instructions on the Github page.
For App Engine Flexible environment:
The default service account isn't listed in the Service Account page, as explained here. You can't generate a service account key with it. You'd need to use a custom service account.

Sign-in page for AWS federated login

I volunteer at a small local school that teaches data science and I'm trying to understand the procedure behind federated logins, but the Amazon documentation isn't helping and their forums don't seem interested.
We'd like for the students to be able to sign in to our AWS environment using either Facebook, Google, or Amazon.com, instead of manually trying to create a user for everyone who signs up.
The main thing that's unclear is how the students should sign in. Do we need to create a custom webpage using the provided javascript or .net code? We would have to contact our web developer if so. Or do we use the provided domain name? (in this case, https://weclouddata.auth.us-east-1.amazoncognito.com) This comes from the Cognito user pools though, and doesn't seem like it would apply. Besides, when I use it in conjunction with the Google client ID, I get an "invalid request" error.
You can create a custom app "Identity Broker" to create a URL that lets users sign in with Facebook/Google credentials and securely access the AWS Management Console. The broker would perform the following steps:
Verify that the user is authenticated by the identity system (Facebook or Google) or use AWS Cognito.
Call the AWS Security Token Service (AWS STS) API operations to obtain temporary security credentials for the user.
Construct a URL for the console that includes the token and redirect the user to the URL on the user's behalf.
Amazon Cognito lets you easily create a customizable UI to sign in users and provides built-in federation with Facebook, Google, and Login with Amazon. So you don't have to worry about authentication and can concentrate on building your actual logic (above steps).
Here is a sample app from AWS that shows how to implement a single sign-on solution with C# and Windows AD.
Python Code:
Here is the Python code on how to construct the console login URL. I have used the sample Python code from AWS and a 'Hello world' Flask app. When you hit the URL it should redirect to the console login; you can set permissions using an IAM role.
You can provide any login mechanism (Facebook, Google, Amazon etc.) to create the student account the first time.
Ask the user to create an account using any app login (Facebook, Google, Amazon etc.)
On successful login, create a user in AWS using the https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html API.
Add the newly created user to the group https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html
You can create the user group with some specified roles and give permissions (Launch EC2 Instances, Access to DynamoDB etc.) accordingly.
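The broker steps in the answer above (obtain temporary STS credentials, then build a console sign-in URL) written out as an added example; this is not the answer's own Flask code and not AWS sample code. It follows the documented federation endpoint flow: the temporary credentials are posted to `https://signin.aws.amazon.com/federation?Action=getSigninToken`, and the returned `SigninToken` is placed in an `Action=login` URL. The role ARN, the issuer URL and the student identity are placeholders; `FakeSts` and `fake_fetch_json` are constructed stand-ins so the flow runs offline, and in real use you pass `boto3.client("sts")` and leave the HTTP fetcher at its default. The broker must have verified the Facebook/Google/Cognito identity before it calls `assume_role`; that check is the first step in the answer and is outside this block.

```python
"""Identity broker: temporary STS credentials -> AWS console sign-in URL.
Added example for the answer above; not the answer's or AWS's own code."""
import json
import re
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"

# RoleSessionName must be 2-64 characters from this set. Anything else coming
# from the external identity (e-mail, display name) is replaced so the STS call
# cannot fail on a malformed name and the session stays traceable in CloudTrail.
_SESSION_NAME_DISALLOWED = re.compile(r"[^A-Za-z0-9+=,.@_-]")


def session_name_for(identity):
    cleaned = _SESSION_NAME_DISALLOWED.sub("-", identity)[:64]
    return cleaned if len(cleaned) >= 2 else "federated-user"


def session_json(credentials):
    """Pack temporary credentials into the JSON document getSigninToken expects."""
    return json.dumps({
        "sessionId": credentials["AccessKeyId"],
        "sessionKey": credentials["SecretAccessKey"],
        "sessionToken": credentials["SessionToken"],
    })


def signin_token_request_url(credentials):
    query = urllib.parse.urlencode(
        {"Action": "getSigninToken", "Session": session_json(credentials)})
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_login_url(signin_token, issuer, destination=CONSOLE_URL):
    """The URL the broker redirects the student to. Issuer is where the console
    sends the user when the session expires; the SigninToken is short-lived."""
    query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


def http_get_json(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def broker_login_url(sts_client, role_arn, identity, issuer, fetch_json=http_get_json):
    """Assume the per-student role, trade the credentials for a SigninToken and
    build the console URL. The student never sees the temporary credentials;
    their permissions are exactly the role's policy."""
    assumed = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name_for(identity),
        DurationSeconds=3600,
    )
    token = fetch_json(signin_token_request_url(assumed["Credentials"]))["SigninToken"]
    return console_login_url(token, issuer)


# --- Constructed stand-ins so the flow runs offline -------------------------
class FakeSts:
    """Returns constructed sample credentials in the shape STS AssumeRole does."""

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        if not RoleArn.startswith("arn:aws:iam::"):
            raise ValueError("bad role ARN")
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY",          # constructed, not real
            "SecretAccessKey": "exampleSecretKey",
            "SessionToken": "exampleSessionToken",
        }}


def fake_fetch_json(url):
    """Stands in for the federation endpoint and checks the request shape."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if query["Action"] != ["getSigninToken"]:
        raise ValueError("unexpected Action")
    session = json.loads(query["Session"][0])
    if set(session) != {"sessionId", "sessionKey", "sessionToken"}:
        raise ValueError("malformed Session document")
    return {"SigninToken": "exampleSigninToken"}


def demo():
    return broker_login_url(
        FakeSts(),
        "arn:aws:iam::123456789012:role/StudentRole",  # placeholder ARN
        "student@example.com",                          # placeholder identity
        "https://school.example/login",                 # placeholder issuer
        fetch_json=fake_fetch_json,
    )


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping when this is wired into the Flask app: the role named in `role_arn` should trust only the broker's own identity, so nothing outside the broker can mint console sessions, and the role's policy (not the students' IAM users) is what bounds what they can do in the console. If the school uses a Cognito identity pool instead, the `assume_role` call is replaced by the credentials Cognito returns for the federated user, and the rest of the URL construction is unchanged.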