Many of the Directory API calls require a customer parameter referred to as the "Immutable id of the Google Apps account. (string)".
e.g. GET https://www.googleapis.com/admin/directory/v1/customer/customer/domains
I have no idea how to find/generate this for my Google Apps account. I am an admin.
Can someone point me in the right direction please?
I was able to find the customerId as follows
Go to admin.google.com
Security -> Set up single sign-on (SSO)
You will see URLs like this:
https://accounts.google.com/o/saml2/idp?idpid=Cxxxxxxxx
That Cxxxxxxxx is your customerId
Had the same question, so I had to contact their chat support.
The official answer was:
There is no web interface to look up this information - as I would expect, for example, in the "organisation admin panel". The only way to get this information is from the code.
You have to write extra code to request information about any existing user:
(Link to API Docs - GET: https://www.googleapis.com/admin/directory/v1/users)
And in the response, you can find field customerId which is the same for each user in the company across all domains.
That is the only way to find your organisation customerId...
Not user-friendly, so I will submit "Feature Request" right now to Google.
The easiest way I found was to use the APIs Explorer at the bottom of the documentation for the Customers: get method on the Directory API (Admin SDK). Enter 'my_customer' for the customerKey on the form and hit the 'Authorize and Execute' button.
The response will include the CustomerId (e.g. Cxxxxxxxx) as the "id". The entire response will look something like this:
{
"kind": "admin#directory#customer",
"id": string,
"etag": etag,
"customerDomain": string,
"alternateEmail": string,
"postalAddress": {
"organizationName": string,
"countryCode": string,
},
"language": string,
"customerCreationTime": datetime
}
If you are part of an organization, you can find it here as Organization ID: https://play.google.com/work/adminsettings?pli=1
It works for G Suite accounts and Gmail accounts that are associated with an organization, but not for individual Gmail accounts.
I found something simpler: gcloud organizations list. It will give you DISPLAY_NAME, ID and DIRECTORY_CUSTOMER_ID (this is what you are looking for) for all your organizations.
I have some applications served to my company users on EKS (i.e., Jenkins). In the company we use Google Workspaces (GSuite) for email and stuff. So I want to allow users to log in with Google creds to those applications I serve. I figured out I could use Cognito to achieve it but I cannot connect those and the flow ends with Google showing 403. Error: app_not_configured_for_user. In their documentation I can find:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
but how do I debug it? I do not see any logs from either the AWS or the Google side :/
I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page but they do not provide an exact scenario for AWS Cognito. Anyway, all of those are very similar so I guess I shouldn't have problems, but I do.
What I did:
In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
I downloaded metadata file
In AWS Cognito console I created User Pool
I created IdP provider and uploaded metadata file there
I created application client
Using those values I filled in the ACS URL and Entity ID fields in Google Admin:
ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
I also selected Name ID format to be Persisted
In attribute mapping I mapped email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
In AWS Cognito I enabled HostedUI and also created mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to email field.
And now when I click View Hosted UI in AWS console it will redirect me to Google authentication and after it directly to before mentioned 403 app_not_configured_for_user page.
I tried it 3 times with slightly different configurations of mapping, signed responses, etc. but nothing gets me past that error.
Anyone tried to integrate it?
How to troubleshoot the 403 app_not_configured_for_user error related to SAML apps from the Google Workspace Admin console
The first thing you need to do is to grab a HAR file recording the whole login process and find the SAML request. Steps can be found here.
Once you get the file you can open it using that tool and search for SAMLreq at the top right (see image).
After that you will get a list of values containing information. You will have to check one by one until you find the one that has the SAML request in the request tab (see example below).
Once you get the value from the SAML request, copy it and you can use this tool to do a SAML decode and find the entity ID. You can use Ctrl + F and search for saml:Issuer to find the value faster. If the value does not match, then you know you have an error and you will need to contact the support team from the app to see which value is the correct one.
In case the value matches I would recommend opening a ticket to check with Google.
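The Issuer check described above can be scripted instead of done by hand. The following is an added example, not code from the answer or from Google or AWS: it takes the redirect URL you would copy out of the HAR file, base64-decodes and inflates the SAMLRequest (HTTP-Redirect binding; a plain base64 HTTP-POST value is handled too), pulls out saml:Issuer and compares it case-sensitively with the Entity ID configured in the Admin console. The sample AuthnRequest it builds for itself is constructed for the demo and is not a real Cognito request; the pool ID in it is the placeholder from the question.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# SAML 2.0 namespaces used in an AuthnRequest.
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_request(encoded: str) -> str:
    """Turn a SAMLRequest parameter value back into XML.

    The HTTP-Redirect binding (query string) is base64 over raw DEFLATE; the
    HTTP-POST binding (form field) is plain base64 of the XML.
    """
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):          # POST binding: already XML
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # -15 = raw DEFLATE, no zlib header


def extract_issuer(xml_text: str) -> Optional[str]:
    """Return the text of <saml:Issuer>, i.e. the Entity ID the SP claims to be."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return None
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or issuer.text is None:
        return None
    return issuer.text.strip()


def issuer_from_url(url: str) -> Optional[str]:
    """Take a redirect URL as seen in the HAR file and return the Issuer inside its SAMLRequest."""
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in params:
        return None
    return extract_issuer(decode_saml_request(params["SAMLRequest"][0]))


def entity_id_matches(issuer: Optional[str], configured_entity_id: str) -> bool:
    """Exact, case-sensitive comparison, as Google's guidance requires."""
    return issuer is not None and issuer == configured_entity_id


def make_sample_redirect_url(issuer: str) -> str:
    """Constructed test input: an AuthnRequest carrying the given Issuer, encoded the way the
    HTTP-Redirect binding does it. Not a real Google or Cognito request."""
    xml_text = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    query = urlencode({"idpid": "Cxxxxxxxx",
                       "SAMLRequest": base64.b64encode(deflated).decode("ascii")})
    return f"https://accounts.google.com/o/saml2/idp?{query}"


if __name__ == "__main__":
    # Entity ID exactly as entered in the Admin console (placeholder pool id from the question).
    configured = "urn:amazon:cognito:sp:us-east-1_myPoolId"
    url = make_sample_redirect_url(configured)          # in practice: paste the URL from the HAR
    issuer = issuer_from_url(url)
    print("Issuer in SAMLRequest:  ", issuer)
    print("Matches configured value:", entity_id_matches(issuer, configured))
```

Replace the call to make_sample_redirect_url with the real redirect URL from the HAR file; a False result means the SP (here Cognito) is sending an Issuer that differs from the Entity ID saved in the Admin console, which is exactly the mismatch behind app_not_configured_for_user.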
Does anybody know if I can make a request to create or a sign up a user in AWS Cognito user pool?
For example, something like below is to display the login screen.
But is there a POST request or endpoint I can call to create a user?
I tried looking through their documentation but had no luck finding anything concrete.
Keep in mind, if possible I would like to populate a value for a custom attribute I created.
This is the main reason why I am looking for an endpoint because I cannot seem to find a way to populate the value for a custom attribute via the AWS interface.
So technically I do not need an endpoint if it is possible to populate a custom attribute per user in AWS.
GET https://mydomain.auth.us-east-1.amazoncognito.com/login?
response_type=code&
client_id=ad398u21ijw3s9w3939&
redirect_uri=https://YOUR_APP/redirect_uri&
state=STATE&
scope=openid+profile+aws.cognito.signin.user.admin
It looks like what you need is https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html or https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html. As far as I'm aware, there is no way to prepopulate the attribute on the Cognito hosted UI. You did not specify what programming language you are using, but at the bottom of the page there are links to documentation with examples for different SDKs. The difference between these two approaches is discussed here: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html. So in this case, AdminCreateUser corresponds to option 3 and SignUp to option 1. The difference is mainly in whether or not the user will receive an invite. Also, for AdminCreateUser Cognito will generate a temporary password and require the user to enter a new password the first time they log in.
URL
POST https://cognito-idp.eu-west-1.amazonaws.com/ HTTP/1.1
Headers
Body
{
"ClientId": "test",
"Password": "Qwerty123",
"UserAttributes": [
{
"Name": "email",
"Value": "test#test.com"
}
],
"Username": "test#test.com"
}
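As an added example (not code from the answer or from AWS), here is the SignUp call above built in Python with the custom attribute the question asks about. Two details the raw request in the answer does not show: a custom attribute must be sent as custom:<name> (Cognito rejects an undeclared bare name), and an app client created with a client secret must also send SecretHash, which is base64(HMAC-SHA256(client_secret, username + client_id)). The JSON-1.1 headers and the SignUp target are the documented wire protocol for this endpoint; the region, client id, secret and attribute values below are constructed placeholders. AdminCreateUser is a SigV4-signed admin call and is left to an AWS SDK.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from typing import Dict, Optional, Tuple

# Subset of the standard (OIDC) attribute names Cognito accepts without a prefix.
# Anything else must be declared on the pool as a custom attribute and sent as "custom:<name>".
STANDARD_ATTRIBUTES = {
    "email", "phone_number", "name", "given_name", "family_name", "middle_name",
    "preferred_username", "nickname", "picture", "profile", "website", "gender",
    "birthdate", "zoneinfo", "locale", "address", "updated_at",
}


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SecretHash = base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Only needed when the app client was created with a client secret."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_signup_request(region: str, client_id: str, username: str, password: str,
                         attributes: Dict[str, str],
                         client_secret: Optional[str] = None) -> Tuple[str, Dict[str, str], dict]:
    """Return (url, headers, body) for an unauthenticated SignUp call."""
    user_attributes = []
    for name, value in attributes.items():
        if name not in STANDARD_ATTRIBUTES and not name.startswith("custom:"):
            raise ValueError(
                f"{name!r} is not a standard attribute; send pool-defined attributes as 'custom:{name}'")
        user_attributes.append({"Name": name, "Value": value})

    body = {
        "ClientId": client_id,
        "Username": username,
        "Password": password,
        "UserAttributes": user_attributes,
    }
    if client_secret:
        body["SecretHash"] = secret_hash(username, client_id, client_secret)

    headers = {
        "Content-Type": "application/x-amz-json-1.1",
        "X-Amz-Target": "AWSCognitoIdentityProviderService.SignUp",
    }
    return f"https://cognito-idp.{region}.amazonaws.com/", headers, body


def send_signup(url: str, headers: Dict[str, str], body: dict) -> dict:
    """POST the request; Cognito answers with UserConfirmed / UserSub or a JSON error."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholders; replace with your pool's region, app client id and (optional) secret.
    url, headers, body = build_signup_request(
        region="eu-west-1",
        client_id="EXAMPLE_CLIENT_ID",
        username="user@example.com",
        password="Qwerty123",
        attributes={"email": "user@example.com", "custom:department": "security"},
        client_secret="EXAMPLE_CLIENT_SECRET",
    )
    print(url)
    print(json.dumps(headers, indent=2))
    print(json.dumps(body, indent=2))
    # send_signup(url, headers, body)  # uncomment against a real pool
```

The attribute name check mirrors the error you otherwise only see from the service after the round trip; the `custom:` prefix is the detail most often missed when a pool-defined attribute "cannot be set".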
I have an Angular 5 app where I need to grab some data from my ad accounts via a Business Manager account that I have been made an admin of. I'm having trouble figuring out which API documentation I need to follow and which endpoints to call.
I'm just trying to figure out how to get data from the Graph API Explorer that Facebook provides and when I try something like this:
/v2.12/<business-account-id>/adaccounts I get an error:
{
"error": {
"message": "(#12) adaccounts field is deprecated for versions v2.11 and higher",
"type": "OAuthException",
"code": 12,
"fbtrace_id": "AV2JHORP+bN"
}
}
I have all the correct permissions set with my access token, though I'm not sure what to call to get that data. There are a lot of different API docs and I'm not sure which ones to follow.
Has anyone run into this as well?
I recently wrote a blog post explaining in-depth how to do this, and here is a brief overview:
Ad Accounts Owned by Your Business
To get the list of ad accounts that your Business account owns, you can make a call to the following URL:
/<API_VERSION>/<BUSINESS_ID>/owned_ad_accounts
Read more at: https://developers.facebook.com/docs/marketing-api/businessmanager/assets
Ad Accounts Owned by Your Clients
You can pull all ad accounts owned by other Business accounts by using the client_ad_accounts edge:
/<API_VERSION>/<BUSINESS_ID>/client_ad_accounts?fields=id,name,business
Requesting the business field will give you information about the Business that is sharing the ad account to you.
(Thanks to user skinnyas123 for reminding me about the new edge to get clients' ad accounts! I began using it awhile back and forgot to update this answer.)
Last week I followed the steps in the "How to configure single federated login to AWS using Google Apps" tutorial, and everything went as expected. Yesterday (2016-12-12) I returned to the panel to use the "Users: patch" Google API to set up new roles for my users based on the Schema SSO created according to the tutorial, but I was not able to execute the request as I had done the previous week.
The following error message is displayed in the "Try this API" panel:
"Found array where value was expected"
Here is an example of the request body as defined in the tutorial (Note - in this example I am using placeholders for the values of the value and customType fields):
{
"customSchemas": {
"SSO": {
"role": [
{
"value": "<my aws role ARN>,<my aws provider ARN>",
"customType": "Developer"
}
]
}
}
}
From what I understand the message is related to the role field.
I would like to understand what changed from the previous week to yesterday and how should I configure the JSON for the "Users: patch" API according to the SSO Schema created the previous week?
I was able to get to the "Freeform" editor and make the changes using this url instead of the one in the AWS documentation. I was having problems getting Postman to authenticate with Google, which made this easier.
I had to make some slight changes for this to work.
I followed the steps from this article (same article OP used)
I used this URL to get to the freeform editor (same link as above answer)
In step 4 of the article, which is the step before the question posted by OP above, I used 'SAML' as the schemaName rather than 'SSO'
I then used 'SAML' as the customSchema name in the question above, rather than 'SSO' and repeated the process with different email addresses for other users
Followed the rest of the article and FINALLY my SSO to AWS from g-suite works.
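The "Found array where value was expected" message in the question, and the schema-name change in the answers above, both come down to whether the Users.patch body agrees with the custom schema as it was actually created: a field sent as an array of {value, customType} objects must be defined multiValued, and the schema name in customSchemas must be the one that exists. The following is an added example, not code from the question, the answers or the AWS tutorial: it builds the role patch body from the question and checks it against schema definitions in the shape Schemas.get returns. The two schema definitions are constructed for the demo (the page does not show the tutorial's exact field definition), and the ARNs use AWS's documented example account id.

```python
from typing import Any, Dict, List

# Constructed schema definitions in the shape Schemas.get / Schemas.list return
# (schemaName, fields[].fieldName / fieldType / multiValued). Stand-ins for the demo only.
SCHEMA_DEFS: List[Dict[str, Any]] = [
    {
        "schemaName": "SAML",
        "fields": [
            {"fieldName": "role", "fieldType": "STRING", "multiValued": True},
        ],
    },
    {
        "schemaName": "HR",
        "fields": [
            {"fieldName": "costCenter", "fieldType": "STRING", "multiValued": False},
        ],
    },
]


def build_role_patch(schema_name: str, role_arn: str, provider_arn: str,
                     custom_type: str = "Developer") -> Dict[str, Any]:
    """Users.patch body from the question: one multi-valued role entry '<role ARN>,<provider ARN>'."""
    return {
        "customSchemas": {
            schema_name: {
                "role": [{"value": f"{role_arn},{provider_arn}", "customType": custom_type}]
            }
        }
    }


def validate_custom_schemas(schema_defs: List[Dict[str, Any]], patch_body: Dict[str, Any]) -> List[str]:
    """Return the problems the Directory API would reject this body for, or [] if it is consistent."""
    defs = {s["schemaName"]: {f["fieldName"]: f for f in s.get("fields", [])} for s in schema_defs}
    errors: List[str] = []
    for schema_name, fields in patch_body.get("customSchemas", {}).items():
        if schema_name not in defs:
            errors.append(f"schema {schema_name!r} does not exist; defined schemas: {sorted(defs)}")
            continue
        for field_name, value in fields.items():
            spec = defs[schema_name].get(field_name)
            if spec is None:
                errors.append(f"{schema_name}.{field_name}: field is not defined in the schema")
            elif spec.get("multiValued", False):
                # Multi-valued fields take an array of {value, customType} objects.
                if not isinstance(value, list) or not all(isinstance(v, dict) and "value" in v for v in value):
                    errors.append(f"{schema_name}.{field_name}: multi-valued field needs an array of "
                                  "{value, customType} objects")
            elif isinstance(value, (list, dict)):
                # Single-valued fields take a bare value; an array here is the error from the question.
                errors.append(f"{schema_name}.{field_name}: found array where value was expected "
                              "(field is single-valued)")
    return errors


if __name__ == "__main__":
    # Constructed ARNs (AWS documented example account id); replace with your own.
    role_arn = "arn:aws:iam::123456789012:role/Developer"
    provider_arn = "arn:aws:iam::123456789012:saml-provider/GoogleApps"
    for name in ("SSO", "SAML"):
        body = build_role_patch(name, role_arn, provider_arn)
        print(name, "->", validate_custom_schemas(SCHEMA_DEFS, body) or "ok")
```

Run it against the output of Schemas.list for your own customer (my_customer works as the customerId) before calling Users.patch: if the list is empty the body matches the schema, and if not the message says which schema or field name, or which single-valued field, is the problem.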
I am trying to use the Google API with Google Scripts.
I can get data from google apps for example by:
var result = AdminDirectory.Groups.get(OptionalArgs);
but when I try to do the same with:
var result = AdminDirectory.Groups.aliases.list(OptionalArgs);
I receive
TypeError: Cannot call method "list" of undefined
How can I get and update list of google apps groups aliases using google scripts?
What am I doing wrong with this sample?
The alias property should be capitalised.
var result = AdminDirectory.Groups.Aliases.list(OptionalArgs);
Not knowing what you have already done and what hasn't been done, I suggest that you check and ensure that you enable Advanced Services before use and, as described in the API's prerequisites documentation, that the Admin SDK is also enabled on your domain.
And, to retrieve all group aliases,
use the following GET request and include the authorization described in Authorize requests. The groupKey can be the group's primary email address, the group's unique id, or any of the group aliases' emails. For the request and response properties, see the API Reference:
GET https://www.googleapis.com/admin/directory/v1/groups/groupKey/aliases
Lastly, as also noted, these are editable group aliases in the account's primary domain or subdomains. For group aliases outside of the account, see the group's nonEditableAliases property.
Reading through Google Apps Script Quickstart might also help.