To respect the access permissions of items from a third-party repository, Google Cloud Search needs to map identities between the repository and Google Accounts. For example, in a database, a user might have the username [email protected]. That username needs to map to a Google Account, such as [email protected].
To manage this mapping, create an identity source in Cloud Search. The identity source lets a developer map user accounts from the third-party repository to Google Accounts. Learn how a developer can sync different identity systems.
Before you begin
- Ask your developer for a service account ID with access permissions to the Google Workspace Admin SDK and Cloud Identity API.
- Add a data source to search. You need to add at least one data source before you can create an identity source.
1. Create an identity source
To map third-party usernames to Google Accounts, create an identity source.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
Apps
Google Workspace
- Click the Identity sources card.
A list of your organization's identity sources displays.
- In the top left, click Add
.
- Enter a name in the Identity Source Name text line.
- Click Add Service Account.
- Enter the email address of a service account that can access user and group data through the Admin SDK Users API and Cloud Identity API.
Use the email address that was generated for the service account ID when it was created.
- Set the service account’s level of access to the Admin SDK Users API:
- Read/Write—Grants full access permissions to the API.
- Existing—Maintains the permissions already granted to the API.
If the service account was previously granted read/write permissions by another identity source, those continue. If the service account hasn’t already been granted access, it continues to not have access.Note: If the identity source that granted read/write access to the service account gets deleted, the service account loses access. If this identity source needs to use this service account, set the option to Read/Write.
- Set the service account’s level of access to the Cloud Identity API:
- Read/Write—Grants full access permissions to the API.
- Read—Grants Read permissions to the API.
- No access—Prevents access to the API.
- Click Add Service Account.
- Add another service account, or if you're done adding service accounts, click Add Identity Source.
A message displays when the identity source was successfully added and shows the auto-generated identity source ID. Copy this ID and give it to your identity connector developer.
-
Click OK.
After you add the identity source, it appears in the list of identity sources. Your developer needs the identity source ID for Google APIs to access the user and group data.
Tip: To copy the identity source ID to your clipboard, click Copy .
2. Import third-party accounts into Google Workspace
When you create an identity source, Cloud Search adds a custom attribute to all your Google user accounts. This custom attribute is where you store the third-party account ID that maps to the Google Account.
To see this custom attribute in the Admin console:
- Go to Users.
- In the top right, click Manage custom attributes
.
Important: Don't modify this custom attribute. If you change its name or any of its fields, Cloud Search won't work properly.
To import the third-party usernames into the custom attribute field, use one of these methods:
Import to all accounts at once using an identity connector
Import to all accounts at once using the Cloud Identity API
Import to individual accounts using the Google Admin console
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu
Directory
- On each user’s account page, under Manage user attributes, click Edit.
- in the custom attribute field, add the third-party username that maps to the Google Workspace user account.
- Click Update User.
3. Find your organization's customer ID
To set up an identity connector, your developer needs the customer ID of your Google Account to include in the connector’s properties file.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
Security
You must be signed in as a super administrator for this task.
- Next to SSO URL, find the idpid value at the end of the URL. The value after the C is your customer ID.
For example, in the following URL, the customer ID is 0123tvz4:
https://accounts.google.com/o/saml2/idp?idpid=C0123tvz4
Next Step
Give the identity source ID and your customer ID to the developer who can sync different identity systems.
Edit or delete an identity source
Edit an identity source
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
- Click the Identity sources card.
- A list of your organization’s identity sources displays.
- Point to the identity source you want to update and click Edit
.
- In the identity source window, select the item you want to change:
- To update an existing service account, point to the service account and click Edit
You can change the service account name and access permissions. - To add a new service account, click Add Service Account.
- To update an existing service account, point to the service account and click Edit
- Click Edit Identity Source.
Delete an identity source
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
- Click the Identity sources card.
- A list of your organization’s identity sources displays.
- Point to the identity source you want to remove and click Delete
.
- In the warning window, click Delete.
Important: If you delete an identity source, Cloud Search also deletes all of its associated data. This includes all of its custom user data and groups.
