I finished logging in to API-M via Google credentials.
I use Just-In-Time provisioning to provision the user with the Google profile, but I can't customize the claim.
When the user is provisioned, the user ID is always the email, but what I need is the account id (sub).
If I try to remove the email from the scope, the user ID will be the account id (sub), but I won't get the email anymore.
Thanks
Tom
You have to add sub as the subject attribute in both the IDP and SP configurations.
Then it will be picked as the subject for JIT provisioning.
Thanks
Isura
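To illustrate the point of the answer above (key the provisioned user on the stable account identifier and keep the email as an attribute), here is an added Python example; it is not code from the original post or from WSO2, and the token payload, account id and addresses in it are constructed for the demonstration. It performs only the claim-to-user mapping step; signature verification of the ID token against the IdP's keys is assumed to have happened before these claims are used.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWT.

    This does not verify the signature: the token must already have been
    validated against the IdP's published keys before its claims are trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def choose_subject(claims: dict, subject_claim: str = "sub") -> str:
    """Return the value to use as the provisioned user's ID.

    'sub' is the stable, IdP-assigned account identifier; an email address
    can change or be reassigned, so it belongs in the attributes, not the key.
    """
    value = claims.get(subject_claim)
    if not value:
        raise ValueError(f"ID token lacks required subject claim '{subject_claim}'")
    return str(value)


def build_jit_user(claims: dict, subject_claim: str = "sub") -> dict:
    """Map IdP claims to a local user record (the JIT provisioning mapping)."""
    return {
        "user_id": choose_subject(claims, subject_claim),
        "attributes": {
            "email": claims.get("email"),
            "email_verified": bool(claims.get("email_verified", False)),
            "display_name": claims.get("name"),
        },
    }


# Constructed sample payload in the shape of a Google ID token; the account id
# and address are made up for this example.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "110169484474386276334",
    "email": "tom@example.com",
    "email_verified": True,
    "name": "Tom Example",
}

# Constructed, unsigned token so decode_jwt_payload() has something to parse.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url_encode(b"signature-placeholder"),
])


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(build_jit_user(claims))                          # keyed by sub
    print(build_jit_user(claims, subject_claim="email"))   # keyed by email, as the poster saw
```

Running it side by side shows the difference the answer describes: with `sub` as the subject claim the local user ID is the account id and the email is still available as an attribute, so no scope needs to be dropped to get a stable key.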
I am very new to GCP and need some help on how to access a GCP project.
I have an assessment given by an employer to install an application in GCP. I am provided with a company "non-Gmail" email ID/password, and a link to the project. I have looked for resources online but do not know how to access this project. When I try to access it via browser using this email, I get an error saying this is not a Gmail id. Can someone guide me on how I can access a GCP project with a non-Gmail id? I appreciate your help.
Access your Google project:
[ INSERT project link: https://console.cloud.google.com/home/dashboard?project=single-project ]
Username: user#companyname
Password: *******
Update:
The user name had a typo and I was provided with the correct user details later.
You cannot access GCP projects with a non-Gmail id unless it is associated with a Google Workspace or Cloud Identity account.
If the email doesn't work, the company probably didn't add the email account to the Google project (IAM roles), or the email is not registered with Cloud Identity. You can only log into the GCP console using Google credentials, and for that you need a Google user account. If your account is a company email account, the admin has to create the user in their identity.
Refer to the link for accessing a GCP account.
EDIT:
As #syed fayaz said, we also need to check whether we have any typing error in the credentials.
I have some difficulty making user impersonation work with a service account on the Google Calendar API.
To give the service account rights on the calendar, I created the calendar with the SA account to give it full access rights.
I'm trying to add an event as any user of the domain.
I'm setting up $client with the impersonated user:
// JSON_CREDENTIAL_SA_FILE and EMAIL_USER_TO_IMPERSONATE are placeholders for the SA key file path and the domain user to impersonate
putenv('GOOGLE_APPLICATION_CREDENTIALS=' . JSON_CREDENTIAL_SA_FILE);
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Calendar::CALENDAR); // scope must be set before the token is requested
$client->setSubject(EMAIL_USER_TO_IMPERSONATE);        // domain-wide delegation: act as this user
$client->authorize();
$service = new Google_Service_Calendar($client);      // Calendar service used for the insert below
But when I'm trying to add an event
$event = new \Google_Service_Calendar_Event($EventObj); // $EventObj holds the event fields
$event = $service->events->insert($AgendaID, $event);   // $AgendaID is the calendar ID created by the SA
The Google API returns "A service error occurred | reason:NotFound"; it seems that the impersonated user can't find the SA calendar ID.
The calendar ID is not shared with the impersonated user.
In Google Cloud Platform, I created the service account and checked the domain-wide delegation checkbox.
On the IAM panel, the email of the service account is Owner. I gave the impersonated user in my project the role Service Account Token Creator or Owner to try, but it's the same issue as described here.
In Google Admin, I gave the service account ID the needed scope in Security => API Control => https://www.googleapis.com/auth/calendar
I was thinking that when using setSubject, it's like using the SA but as a user.
The insert works if I comment out $client->setSubject(EMAIL_USER_TO_IMPERSONATE);
I really don't understand why any user of the domain can't be used to write to the SA calendar.
Did I miss a configuration in Google Cloud Platform or Google Admin?
Thanks for your help.
Using Google Cloud, there exists a BigQuery view table that queries two projects.
However, in the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK it will use the default Composer service account; however, it doesn't have access to the 2nd project used in the SQL of the view.
How do I give Composer's service account access to the second project?
Think about a service account like a user account: you have a user email that you authorize on different projects and components. It is exactly the same thing with the service account email.
The service account belongs to a project. A user account belongs to a domain name/organisation. No real difference in the end.
So, you can use a service account email like any user account:
Grant it authorization in any project
Add it to Google Groups
Even grant it the viewer or editor role on a GSuite document (Sheet, Docs, Slides, ...) to allow it to access and read/update these documents!! Like any user!
EDIT
With Airflow, you can define connections and a default connection. You can use this connection in your DAG and thus use the service account that you want.
I think you have to add the service account into project IAM.
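The answers above come down to a read-modify-write of the second project's IAM policy: check whether the Composer service account already holds a read role there and add the binding if not. The Python below is an added example, not code from the original posts or from Google; the policy document, the service account address and the project names are constructed for it. It works on the policy JSON shape that `gcloud projects get-iam-policy` returns, and mirrors what `gcloud projects add-iam-policy-binding` does, so it can be checked offline before any real grant is made.

```python
import copy

# Constructed IAM policy of the second project (the one the view's SQL reads
# from), in the JSON shape that `gcloud projects get-iam-policy` returns.
SECOND_PROJECT_POLICY = {
    "version": 1,
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/bigquery.dataViewer", "members": ["user:analyst@example.com"]},
    ],
}

# Constructed member string for the Composer environment's service account.
COMPOSER_SA = "serviceAccount:composer-env@view-project.iam.gserviceaccount.com"

# Least privilege for reading the tables the view selects from: data read only,
# no job or dataset administration rights in the second project.
REQUIRED_ROLES = ["roles/bigquery.dataViewer"]


def has_role(policy: dict, member: str, role: str) -> bool:
    """True if `member` appears in a binding for `role`."""
    return any(
        b.get("role") == role and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def missing_roles(policy: dict, member: str, roles) -> list:
    """Roles from `roles` that `member` does not yet hold in `policy`."""
    return [r for r in roles if not has_role(policy, member, r)]


def add_binding(policy: dict, member: str, role: str) -> dict:
    """Return a copy of `policy` with `member` granted `role`.

    Idempotent and additive, like `gcloud projects add-iam-policy-binding`;
    the original policy object is left untouched so its etag can be reused
    for the read-modify-write call that applies the change.
    """
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding.get("role") == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def grant_missing(policy: dict, member: str, roles) -> dict:
    """Grant every role in `roles` that `member` is missing; returns the new policy."""
    for role in missing_roles(policy, member, roles):
        policy = add_binding(policy, member, role)
    return policy


if __name__ == "__main__":
    print("missing before:", missing_roles(SECOND_PROJECT_POLICY, COMPOSER_SA, REQUIRED_ROLES))
    fixed = grant_missing(SECOND_PROJECT_POLICY, COMPOSER_SA, REQUIRED_ROLES)
    print("missing after:", missing_roles(fixed, COMPOSER_SA, REQUIRED_ROLES))
```

Granting `roles/bigquery.dataViewer` at project level lets the service account read every dataset in that project; if only the datasets the view uses are needed, grant the same role on those datasets instead, or make the view an authorized view on the source dataset so that readers of the view need no direct access to the source tables at all. The job itself still runs in the view's project, so the account also needs job-running rights there, which the default Composer account normally has.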
After cleaning my system and re-installing Chrome, I realized that only my primary Google account and password data were saved, and I cannot remember the email address I used for my GCP login. I have found some OAuth information used, including project ID, client ID, client secret, dev key, and certs. Is there a way to use those pieces of information to retrieve the email address associated with that GCP account?
You can contact Google Cloud Support by calling the phone number 1-855-817-0841; this could be the easiest way to get help in this case. If you have a support role you may be able to demonstrate that you are the owner of the project and in this way get some help with this.
Another alternative is using any other account authorized in your project. If you added another member of your team as editor, for example, they can access and see the authorized accounts through the IAM menu.
We would keep our user base in the WSO2IS internal repository and we would like to provision users to an Active Directory LDAP following our workflow, like Midpoint Evolveum or Apache Syncope do.
The use case is this: we have a new user, Mr. Foo.
He has a role in the company:
external user: he is added to WSO2IS and he can access webmail (the webmail server uses some protocol to communicate with WSO2IS)
internal user: he is added to WSO2IS, then WSO2IS provisions Foo to the company Active Directory.
Is it possible with WSO2 Identity Server?
Thanks,
Mario
WSO2 IS has rule-based provisioning, where you can define rules for which user store a user can be provisioned to.
What you need to do is set an attribute on the new user, which signifies whether the user is internal or external, after execution of your workflow. Then this attribute can be evaluated at the XACML level to do the selective provisioning.
The following links might help.
Rule Based Provisioning
Workflow Management