Google G Suite

Note

This feature requires Enterprise Edition.

Genian NAC can use G Suite directories as a source of user and organization information. Through G Suite synchronization, user accounts can be created locally for management or policy use.

In basic operation, the Policy Server accesses the G Suite workspace and synchronizes information using the OAuth Client ID generated in G Suite.

The following describes how to synchronize user and organization information based on G Suite.

Connecting and Testing

To perform a connection test, the following default values must be entered:

| Item | Setting Value | Description |
|---|---|---|
| Google G Suite | Google Auth Code | The Google authentication code must be inserted in the Data Synchronization details. |
| | DOMAIN | Enter if synchronizing only for a specific domain within the workspace. |
| | VIEW TYPE | Select the VIEW from which to read data. admin_view: Administrator privileges; domain_public: Public privileges |
| | Data Source ID | Set when using multiple synchronization configurations. |
| Policy Server | Google API Client Info | Google API OAuth client ID, key, and redirect URI information must be entered in Settings > Other Settings. |

Note

If the connection test is not successful, please first confirm normal communication between the Policy Server and the Synchronization Server.

Note

You can check the Google G Suite guide video via YouTube.

G Suite Prerequisites

User Credentials Configuration (OAuth Client ID)

  1. In the left panel, go to the Credentials menu.

  2. Click the Create Credentials button at the top and then click OAuth client ID.

  3. For Application type, select Web application.

  4. In the Authorized redirect URIs section, add the URL below:

    https://developers.google.com/oauthplayground
    
  5. Click the Create button.

  6. From the creation result screen, copy the Client ID, Client Secret, and Redirect URI.

Registering OAuth Client ID in NAC Management Console

  1. Log in to the Policy Server management console.
  2. Go to the Settings menu at the top.
  3. In the left panel, go to Preferences > Other Settings.
  4. Go to the Google API Client ID and Authentication Key Settings section at the bottom.
  5. Enter the Client ID, Client Authentication Key, and Authorized Redirect URI, then click the Update button at the bottom.

Configuring NAC Data Synchronization

  1. Go to Preferences in the top menu.
  2. In the left settings menu, go to User Authentication > Data Synchronization.
  3. Click Select Tasks > Create.

General options

  1. ID: Enter a unique name.
  2. Update Interval: Select a specified time or periodic interval for synchronization.
  3. Policy Application Status: Select Apply to reflect changes after synchronization. If there are multiple synchronization settings, you can set to Do not apply and use only the last synchronization.

Database options

  1. DB Type: Google G Suite
  2. Google Auth Code: Enter the authorization code for the account that runs the synchronization. To obtain it, click the Get Google Auth Code button at the top, log in to the account, click the Allow button in the pop-up window, then copy the displayed Authorization code and enter it. (Close the pop-up window.)
  3. DOMAIN: If a domain is entered, only information for that domain will be synchronized. If not entered, information for all domains to which the account belongs will be synchronized.
  4. VIEW TYPE: Select the data synchronization scope based on permissions. Generally, select admin_view for accounts with admin privileges, and domain_public otherwise.

User Information options

  1. User Table Name: Enter users.
  2. User ID Column Name: Enter primaryEmail.
  3. User Name Column Name: Enter name/fullName.
  4. Department ID Column Name: Enter orgUnitPath.

Department Information options

  1. Table Name: Enter orgunits.
  2. Output Sort Order: To sort by department name, enter @NAMEPATH.
  3. Department ID Column Name: Enter orgUnitId.
  4. Department Name Column Name: Enter name.
  5. Parent Department Column Name: Enter parentOrgUnitId.
  6. Click the Create button.
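
A pre-flight check for the column names above, as an added example (not Genian NAC code). It applies the entered column names to constructed records shaped like Google Directory API users and orgunits resources, and reports users with an empty mapped field or an orgUnitPath that has no matching org unit in the data. Assumptions: name/fullName is read as a path into nested JSON, users are matched to org units through the orgunits orgUnitPath field, and all helper names and sample values are hypothetical.

```python
# Added example with constructed sample data shaped like Directory API resources; not Genian NAC code.
USERS = [
    {"primaryEmail": "alice@example.com", "name": {"fullName": "Alice Kim"},
     "orgUnitPath": "/Engineering/Platform"},
    {"primaryEmail": "bob@example.com", "name": {"fullName": "Bob Lee"},
     "orgUnitPath": "/Sales"},
    {"primaryEmail": "carol@example.com", "name": {}, "orgUnitPath": "/Engineering"},
]
ORGUNITS = [
    {"orgUnitId": "id:eng", "name": "Engineering", "parentOrgUnitId": "id:root",
     "orgUnitPath": "/Engineering"},
    {"orgUnitId": "id:plat", "name": "Platform", "parentOrgUnitId": "id:eng",
     "orgUnitPath": "/Engineering/Platform"},
]
# Column names exactly as entered in the synchronization form.
USER_COLS = {"id": "primaryEmail", "name": "name/fullName", "dept": "orgUnitPath"}
DEPT_COLS = {"id": "orgUnitId", "name": "name", "parent": "parentOrgUnitId"}

def resolve(record, column):
    """Follow a slash-separated column name into nested JSON (assumed meaning)."""
    value = record
    for key in column.split("/"):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value

def check_mapping(users, orgunits):
    """Return (rows, problems): mapped user rows and a list of findings."""
    problems = []
    for ou in orgunits:
        for col in DEPT_COLS.values():
            if resolve(ou, col) is None:
                problems.append(f"orgunit {ou.get('orgUnitPath')}: no value for {col}")
    # "/" is the root org unit path; it is added here by assumption.
    known_paths = {ou.get("orgUnitPath") for ou in orgunits} | {"/"}
    rows = []
    for user in users:
        row = {field: resolve(user, col) for field, col in USER_COLS.items()}
        rows.append(row)
        for field, col in USER_COLS.items():
            if row[field] is None:
                problems.append(f"user {user.get('primaryEmail')}: no value for {col}")
        if row["dept"] is not None and row["dept"] not in known_paths:
            problems.append(f"user {row['id']}: {row['dept']} not in orgunits data")
    return rows, problems

if __name__ == "__main__":
    for finding in check_mapping(USERS, ORGUNITS)[1]:
        print(finding)
```

Running the same check against a real export of both lists before enabling Policy Application Status shows which accounts would arrive without a name or a resolvable department.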

Attention

G Suite does not provide the password attribute when using the API, so user passwords cannot be synchronized. Therefore, a separate integration must be configured. Refer to SAML 2.0 in Integrating User Directories.