Google G Suite

Note

This feature requires Enterprise Edition.

Genian NAC can use G Suite directories as a source of user and organization information. Through G Suite synchronization, user accounts can be created locally for management or policy use.

The basic operation method uses the Policy Server to access the G Suite workspace and synchronize information using the OAuth Client ID generated in G Suite.

The following describes how to synchronize user and organization information based on G Suite.

Connecting and Testing

To perform a connection test, the following default values must be entered:

Item	Setting Value	Description
Google G Suite	Google Auth Code	The Google authentication code must be inserted in the Data Synchronization details.
	DOMAIN	Enter if synchronizing only for a specific domain within the workspace.
	VIEW TYPE	Select the VIEW from which to read data. admin_view : Administrator privileges domain_public : Public privileges
	Data Source ID	Set when using multiple synchronization configurations.
Policy Server	Google API Client Info | Google API OAuth client ID, key, and redirect URI information must be entered in Settings > Other Settings.

Note

If the connection test is not successful, please first confirm normal communication between the Policy Server and the Synchronization Server.

Note

You can check the Google G Suite guide video via YouTube.

G Suite Prerequisites

OAuth Consent Screen Settings

1. Access https://console.cloud.google.com/ and go to the API & Services menu.

2. In the left panel, go to the OAuth consent screen menu.

3. Select 'External' for User Type, and when a pop-up window appears, select 'Test' and click the Create button.

4. Enter required items such as App Name and click the Save button.

5. In Scope for Information Access, click the Add or Remove Scopes button.

6. In the "Add custom scopes" section below, enter the following 2 lines and click the Update button.

   https://www.googleapis.com/auth/admin.directory.orgunit.readonly
   https://www.googleapis.com/auth/admin.directory.user.readonly
   

7. Click the Save and Continue button.

8. Click the ADD USERS button to add accounts allowed to access the OAuth app. (Used only once for authentication code issuance)

9. Click the Save and Continue button to confirm the configured content and then click Back to Dashboard at the bottom.

User Credentials Configuration (OAuth Client ID)

1. In the left panel, go to the Credentials menu.

2. Click the Create Credentials button at the top and then click OAuth client ID.

3. For Application type, select Web application.

4. In the Authorized redirect URIs section, add the URL below:

   https://developers.google.com/oauthplayground
   

5. Click the Create button.

6. From the creation result screen, copy the Client ID, Client Secret, and Redirect URI.

Registering OAuth Client ID in NAC Management Console

1. Log in to the Policy Server management console.
2. Go to the Settings menu at the top.
3. In the left panel, go to Preferences > Other Settings.
4. Go to the Google API Client ID and Authentication Key Settings section at the bottom.
5. Enter the Client ID, Client Authentication Key, and Authorized Redirect URI, then click the Update button at the bottom.

Configuring NAC Data Synchronization

1. Go to Preferences in the top menu.
2. In the left settings menu, go to User Authentication > Data Synchronization.
3. Click Select Tasks > Create.

General options

1. ID : Enter a unique name.

2. Update Interval : Select a specified time or periodic interval for synchronization.

3. Policy Apply : select Enabled for applying change after Synchronization. If there are several synchronization settings, you can set it to Disabled and enable only the last one.

4. Environment : Input is not required for basic synchronization tasks. However, it is used when defining variable values to be commonly referenced within a separate custom shell script executed for integration with external systems.

   Warning

   Configuration Caution: Incorrect environment variable declarations can lead to malfunctions in the integration script or system errors. Before configuration, please ensure that the variables are correctly processed within the script.

   Usage Scenario: Log Level Control Used when you want to control simple operation options such as Log Level or Retry Count during external script execution.

   export LOG_LEVEL='ERROR'
   

5. Query : Enter the SQL query to be executed immediately after information synchronization is complete. This is used when secondary processing is required based on specific conditions using the synchronized information.

   Warning

   Risk of Data Loss: This feature directly affects the database. In particular, the use of UPDATE or DELETE statements may result in irreversible data loss.

   Usage Scenario: Account Lock Processing based on Employment Status Used when you want to automatically disable the NAC account of resigned (or on-leave) employees according to the 'Employment Status' code after information synchronization.

   Prerequisites 1. Create a field to manage employment status (e.g., USER_CUSTOM08) in [Settings] > [Property Management] > [Custom Fields] > [User Custom Fields]. 2. Assign the user custom field created in step 1 to [Additional Info] under [User Information] in [Information Synchronization].

   Writing Example If the value of USER_CUSTOM08 is '001' (Resigned/On-leave, etc.), update USER_STATUS to '0' (Disabled).

   UPDATE USER
   SET USER_STATUS = 0
   WHERE USER_CUSTOM08 = '001';
   

Database options

1. DB Type: Google G Suite
2. Google Auth Code: Enter the code for authentication of the synchronization execution account. Click the Get Google Auth Code button at the top, then log in to the account and click the Allow button in the pop-up window, then copy the displayed Authorization code and enter it. (Close the pop-up window.)
3. DOMAIN: If a domain is entered, only information for that domain will be synchronized. If not entered, information for all domains to which the account belongs will be synchronized.
4. VIEW TYPE: Select the data synchronization scope based on permissions. Generally, select admin_view for accounts with admin privileges, and domain_public otherwise.

User Information options

1. User Table Name: Enter users.
2. User ID Column Name: Enter primaryEmail.
3. User Name Column Name: Enter name/fullName.
4. Department ID Column Name: Enter orgUnitPath.

Department Information options

1. Table Name: Enter orgunits.
2. Output Sort Order: To sort by department name, enter @NAMEPATH.
3. Department ID Column Name: Enter orgUnitId.
4. Department Name Column Name: Enter name.
5. Parent Department Column Name: Enter parentOrgUnitId.
6. Click the Create button.

Attention

G Suite does not provide the password attribute when using the API, so user passwords cannot be synchronized. Therefore, a separate integration must be configured. Refer to SAML 2.0 in Integrating User Directories.