Azure AD user provisioning with G Suite - google-cloud-platform

We have integrated G Suite with Azure AD as an enterprise app, which supports SAML. We are also enabling automatic user provisioning, meaning that if a user is added to the Azure enterprise app, it should be provisioned in the G Suite app automatically. We have now added many groups and users, but a few of them are facing this issue. It seems to me that Azure AD is sending the user to the Google app, but when the request reaches the G Suite app they reject it, although we have checked the request and found that it did not reach the Google app and is throwing an error:
"Not Authorized to access this resource/api" } ], "code": 403, "message": "Not Authorized to access this resource/api" } } Web Response: { "error": { "errors": [ { "domain": "global", "reason": "forbidden", "message": "Not Authorized to access this resource/api" } ], "code": 403, "message": "Not Authorized to access this resource/api" } } . This operation was retried 0 times. It will be retried again after this date:

Related

Google workspace ADMIN SDK Directory API returns 403

I am trying to access below API (in browser Try this API) and after entering valid group key, I am getting below error message:
API
https://developers.google.com/admin-sdk/directory/reference/rest/v1/members/list
RESPONSE
{
"error": {
"code": 403,
"message": "Not Authorized to access this resource/api",
"errors": [
{
"message": "Not Authorized to access this resource/api",
"domain": "global",
"reason": "forbidden"
}
]
}
}
Only domain admins have access to most methods of the Admin SDK.
If you authenticate as a domain user without admin rights or as a consumer (Gmail) user, you will get the "Not Authorized to access this resource/api" error when trying to use members.list.
The same applies to most other methods of the Admin SDK, with the exception of the ones that return only publicly accessible information.

Java - Getting "Not authorized to access the application ID" error in Google Workspace Marketplace API

I have a Google Workspace Marketplace app and want to determine which domains have installed or uninstalled it from my web app (written in Java, deployed on GAE).
I've enabled both GSuite Marketplace API and Google Workspace Marketplace SDK from the console. I'm using the same GCP project I've used to list my marketplace app while calling the relevant google service. But I keep getting the "Not authorized to access the application ID" 403 error. Here is the code:
GoogleCredential googleCredential = new GoogleCredential.Builder()
    .setTransport(httpTransport)
    .setJsonFactory(jsonFactory)
    .setServiceAccountPrivateKey(SA_PRIVATE_KEY)
    .setServiceAccountId(SA_ID)
    .setServiceAccountScopes(Collections.singletonList("https://www.googleapis.com/auth/appsmarketplace.license"))
    .build();
GenericUrl url = new GenericUrl("https://appsmarket.googleapis.com/appsmarket/v2/licenseNotification/" + MY_APPLICATION_ID);
HttpRequestFactory httpRequestFactory = httpTransport.createRequestFactory(googleCredential);
HttpResponse httpResponse = httpRequestFactory.buildGetRequest(url).execute();
return httpResponse.parseAsString();
I tried using the default service account with no luck. The documentation doesn't explain much either. What am I missing? Can anyone point me in the right direction?
error:
{
"error": {
"code": 403,
"message": "Not authorized to access the application ID",
"errors": [
{
"message": "Not authorized to access the application ID",
"domain": "global",
"reason": "forbidden"
}
]
}
}

Domain Not Found

I'm trying to consume this API: https://developers.google.com/admin-sdk/directory/v1/reference/resources/buildings/list?authuser=2
The scopes are OK, and I can also get the token correctly.
When I try to list the buildings, this error appears as the API response body:
[Google_Service_Exception (404)]
{
"error": {
"errors": [
{
"domain": "global",
"reason": "notFound",
"message": "Domain not found."
}
],
"code": 404,
"message": "Domain not found."
}
}
What can it be?
What did you enter for "customer"? Usually the "my_customer" alias works instead of the domain; it should return something like this with a 200 OK.
{
"kind": "admin#directory#resources#buildings#buildingsList",
"etag": "\"zPBZh0CqI7H8js2356iu34gfr/vp6Pfh5j7RvsFk64fdf3eyIC8\"",
"buildings": []
}
Keep in mind that the Admin SDK must be used with a Super Admin of a G Suite account; it cannot be used with consumer Gmail accounts. The "Domain not found." error is generated when the Admin SDK is executed with a Gmail account, so check which account you are logged in with.
Sometimes there is a problem when you log in with different accounts in the browser window. In Chrome you can have multiple profiles (https://support.google.com/chrome/answer/2364824?co=GENIE.Platform%3DDesktop&hl=en); that way they will not share cookies and cache, since that is usually the problem when using "Try this API" from Google APIs.
I hope this helps. Greetings.

Permissions error in sandbox mode

I created a sandbox ad account as described in https://developers.facebook.com/ads/blog/post/2016/10/19/sandbox-ad-accounts/. I have generated an access token in the same section that lists my sandbox ad account.
I'm getting a permissions error when I request ad labels for the ad account. Anybody know where I'm going wrong?
Request:
https://graph.facebook.com/v2.8/act_{{adAccountId}}/adlabels?access_token={{accessToken}}
Response:
{
"error": {
"message": "(#200) Permissions error",
"type": "OAuthException",
"code": 200,
"fbtrace_id": "FUB5kNhmuyX"
}
}

Invalid input: domain clientuserinfo is not present

As per the Google documentation, we ended up creating a service account (since there’s no user intervention and it’s middleware invoking the Google API) and associating it with the Google Admin API. We’re able to get a token back, which we’re sending to the Google API, but here’s the response we’re seeing:
GET https://www.googleapis.com/admin/directory/v1/customer/my_customer /devices/chromeos?access_token=y000000000898999(mock token digits)
Response: {
"error": {
"errors": [
{
"domain": "global",
"reason": "invalid",
"message": "Invalid Input: Domain ClientUserInfo is not present"
}
],
"code": 400,
"message": "Invalid Input: Domain ClientUserInfo is not present"
}
}
Any ideas? My thought is that it’s to do with the my_customer as the id.
Using my_customer as the ID should work, but in this case, since the service account is not related to a domain, you are getting the error.
The Admin SDK should be accessed by the admin of the domain. So in this case, if you are using a service account, you should impersonate the domain admin account in order to make a valid call on his behalf.
You can also try this method from the documentation, accessing it as the admin of the domain.
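
The impersonation the answer above describes comes down to a `sub` claim in the JWT assertion that a service account exchanges for an access token. The following is an added example, not code from the original posts: it builds that claim set and inspects an assertion for the missing-`sub` case. The service account address, admin address, domain and scope used with it are constructed, and it assumes the domain admin has already authorized the service account for domain-wide delegation.

```python
import base64
import json
import time

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google OAuth 2.0 token endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_claims(sa_email, scopes, subject=None, now=None):
    """Claim set for the service-account JWT grant; `sub` is the impersonated user."""
    now = int(time.time()) if now is None else now
    claims = {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_URL,
              "iat": now, "exp": now + 3600}
    if subject:
        claims["sub"] = subject  # without this the token represents only the service account
    return claims


def signing_input(claims):
    """base64url(header).base64url(claims): the text that is then RS256-signed."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def decode_claims(jwt):
    """Read the claim set out of an assertion. Inspection only, no signature check."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def delegation_findings(claims, expected_domain):
    """Reasons the Admin SDK would not see a domain user behind this assertion."""
    findings = []
    sub = claims.get("sub")
    if not sub:
        findings.append("no sub claim: token represents the service account, not a domain admin")
    elif not sub.lower().endswith("@" + expected_domain.lower()):
        findings.append("sub is not an address in " + expected_domain)
    if claims.get("aud") != TOKEN_URL:
        findings.append("aud is not the Google token endpoint")
    if claims.get("exp", 0) - claims.get("iat", 0) > 3600:
        findings.append("lifetime exceeds one hour")
    return findings
```

Running `delegation_findings(decode_claims(assertion), "example.com")` on the assertion the middleware actually sends shows whether a missing `sub` explains the "Domain ClientUserInfo is not present" response.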