This project is read-only.

Setup instructions

Before using this MA (management agent), prepare as follows.

  • Register an API client for the target application.
  • Grant the proper permissions to the API client.
  • Set up the Generic REST MA using setup.exe.
  • Create and configure the MA and Run Profile in FIM Synchronization Manager.
  • Create Synchronization Rules, Action Workflows, Management Policy Rules, Sets etc. in FIM Service.

The following instructions are an example configuration of connectivity for Google Apps.

Register an API client

1) Log on to the Google Developers Console: https://console.developers.google.com

2) In the top right corner, click on Select a project and then Create a project…

3) Type “MIMMA” as the name of the project and click Create

PS.: The name of the project will be displayed in the top right corner.

4) In the search box, type Admin SDK

5) Click on Admin SDK and click Enable

PS.: It is not required to fill in the Credentials at this point.

6) Click on the Credentials menu on the left side

7) In the following window, click on Create Credentials and select Service account key

8) Under Service account select Compute Engine default service account, under Key type choose P12, and click Create.

PS.: This example reuses the project's default service account. A service account created only for the MA keeps the domain-wide delegation grant (step 13) separate from any Compute Engine workloads in the same project.

9) Save the file MIMMA-d9965259a698.p12

PS.: The name of the certificate file is different for each environment.

10) Take note of the private key password and click Close in the following window

PS.: The default password is always “notasecret”. Because that password is a fixed, publicly known default, the downloaded .p12 file itself is the credential: whoever holds the file can act as the service account, so keep it only on the Synchronization Server with restricted file permissions.

11) Click on Manage service accounts on the right side

12) Select the service account named Compute Engine default service account, click the menu icon on its row, and click Edit

PS.: Take note of the Service account ID - 708267977033-compute@developer.gserviceaccount.com

13) In the following window, select Enable Google Apps Domain-wide Delegation and click Save

14) Click on Google APIs in the top left corner

15) Click on Credentials

16) Review the result page

17) At this point you must have the following information:

Attribute              Value
OAuth 2.0 client ID    108015601142362223154
Service Account ID     708267977033-compute@developer.gserviceaccount.com
Private key password   notasecret

Grant permissions to the API client

18) Log on to the Google Admin Console: https://admin.google.com

19) Click on Security

20) Click on Show more

21) Click on Advanced Settings

22) Click on Manage API client access

23) In Client Name type “108015601142362223154” (the OAuth 2.0 client ID), in One or More API Scopes type “https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group” (without quotes), and click on Authorize.

PS.: Even if you do not sync Groups in MIM, the Groups API scope must be added as well.

24) The result page will look as follows

Setup Generic REST MA on FIM Synchronization Server

Run setup.exe, which you can download from this site.

The following files are installed on your system:

GenericRESTMA.dll - Generic REST Management Agent
  %ProgramFiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions

Plugin_Google.dll - Plugin library for Google Apps
  %ProgramFiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\plugins

GenericRESTMA.xml - MA package definition file
  %ProgramFiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\UIShell\XMLs\PackagedMAs

Create and configure Management Agent in Synchronization Manager

Choose 'Generic REST API Management Agent' in the management agent creation window of Synchronization Manager.

Configure Connectivity as follows.

Plugin Library Configuration

  Plugin File Name
    Full path of the plugin library.
    ex. C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\plugins\Plugin_Google.dll

OAuth2.0 JWT Parameters Configuration

  Subject (sub)
    Administrator account name of your Google Apps tenant; under domain-wide delegation the service account acts as this user.
    ex. admin@example.com

  Issuer (iss)
    Email address of the service account you created in the Google developer console.
    ex. foobar@developer.gserviceaccount.com

  Private Key File
    Private key file you created and downloaded from the Google developer console.
    ex. C:\config\foobar.p12

  Private Key Password
    Password for the private key.
    'notasecret' for Google API clients (Google's fixed default; the key file itself is the secret to protect).

Proxy Server Configuration

  Server Address
    If your Synchronization Server uses a web proxy server to connect to the internet, provide the server address (FQDN or IP address) here.

  Username
    If your proxy server requires authentication, provide the username to authenticate with.

  Password
    Password for proxy authentication.

25) Before beginning the MIM configuration, confirm that you have the following information:

Attribute                        Value
MA DLL path                      C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\plugins\Plugin_Google.dll
Admin email (Subject)            admin@marcelo.hunecke.nom.br
Service Account ID (Issuer)      708267977033-compute@developer.gserviceaccount.com
Certificate path on MIM Server   C:\Logs\MIMMA-d9965259a698.p12
Private key password             notasecret

26) In the MIM Google MA configuration, complete the Connectivity page as follows, mapping each value above to the matching setting.
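The JWT parameters collected above (Issuer/iss, Subject/sub, Private Key File and its password) are what the MA uses for the OAuth 2.0 service-account flow: it signs a JWT assertion with the P12 key, exchanges it for an access token at Google's token endpoint, and, because of domain-wide delegation, the token acts as the administrator named in sub. The C# program below is an added example, not code from the Generic REST MA project. It performs that exchange with the same values and then makes one Directory API call per scope, so both grants from step 23 are verified before the MA is created. The token endpoint, the Directory API URLs, the sample values and the helper names are assumptions; only the two scopes and the "notasecret" password come from this page.

```csharp
// Added example, not part of the Generic REST MA project. Uses the MA's three JWT
// connectivity settings (iss, sub, P12 file + password) to obtain a delegated token,
// then probes the Directory API once per scope. URLs and sample values are assumptions.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class GoogleDelegationCheck
{
    // Google's OAuth 2.0 token endpoint; it is also the "aud" claim of the assertion.
    const string TokenUrl = "https://oauth2.googleapis.com/token";
    // The two scopes the page authorizes for the client (comma-separated in the admin
    // console, but space-separated inside the JWT "scope" claim).
    const string UserScope = "https://www.googleapis.com/auth/admin.directory.user";
    const string GroupScope = "https://www.googleapis.com/auth/admin.directory.group";

    // JWS base64url: URL-safe alphabet, no padding.
    static string B64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static string B64Url(string text) => B64Url(Encoding.UTF8.GetBytes(text));

    // Builds the RS256-signed assertion "header.claims.signature". Claim values are
    // e-mail addresses and URLs, so no JSON escaping is needed here.
    public static string BuildAssertion(X509Certificate2 cert, string iss, string sub,
                                        string scope, DateTimeOffset now)
    {
        long iat = now.ToUnixTimeSeconds();
        string header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        string claims = "{\"iss\":\"" + iss + "\",\"sub\":\"" + sub + "\",\"scope\":\"" + scope +
                        "\",\"aud\":\"" + TokenUrl + "\",\"iat\":" + iat + ",\"exp\":" + (iat + 3600) + "}";
        string signingInput = B64Url(header) + "." + B64Url(claims);
        using (RSA fromP12 = cert.GetRSAPrivateKey())
        using (RSA signer = RSA.Create())
        {
            // Re-import the key so signing runs in a SHA-256 capable provider (the CSP a .p12
            // lands in on .NET Framework may only do SHA-1); needs the Exportable load flag.
            signer.ImportParameters(fromP12.ExportParameters(true));
            byte[] sig = signer.SignData(Encoding.UTF8.GetBytes(signingInput),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return signingInput + "." + B64Url(sig);
        }
    }

    // Exchanges the assertion for an access token (jwt-bearer grant); returns the raw JSON.
    public static string ExchangeForToken(HttpClient http, string assertion)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string> {
            { "grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer" }, { "assertion", assertion } });
        HttpResponseMessage resp = http.PostAsync(TokenUrl, form).Result;
        string body = resp.Content.ReadAsStringAsync().Result;
        if (!resp.IsSuccessStatusCode)
            throw new InvalidOperationException("Token request failed: " + body);
        return body;
    }

    // Minimal "access_token" extraction; a real client would use a JSON parser.
    public static string ExtractAccessToken(string json)
    {
        int key = json.IndexOf("\"access_token\"", StringComparison.Ordinal);
        if (key < 0) throw new InvalidOperationException("No access_token in: " + json);
        int start = json.IndexOf('"', json.IndexOf(':', key) + 1) + 1;
        return json.Substring(start, json.IndexOf('"', start) - start);
    }

    // One minimal call per scope. HTTP 403 here means that scope was not granted to the
    // client ID in the admin console, even though the token exchange itself succeeded.
    public static bool Probe(HttpClient http, string accessToken, string url)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        HttpResponseMessage resp = http.SendAsync(req).Result;
        Console.WriteLine(url + " -> HTTP " + (int)resp.StatusCode);
        return resp.IsSuccessStatusCode;
    }

    public static void Main()
    {
        // Sample values mirror the page's tables; replace them with your own environment.
        string iss = "708267977033-compute@developer.gserviceaccount.com";
        string sub = "admin@example.com";
        string p12Path = @"C:\config\MIMMA-d9965259a698.p12";
        // "notasecret" is Google's fixed default, so the .p12 file itself is the secret.
        var cert = new X509Certificate2(p12Path, "notasecret", X509KeyStorageFlags.Exportable);
        using (var http = new HttpClient())   // uses the system proxy, like the MA's proxy settings
        {
            string assertion = BuildAssertion(cert, iss, sub, UserScope + " " + GroupScope, DateTimeOffset.UtcNow);
            string token = ExtractAccessToken(ExchangeForToken(http, assertion));
            bool users = Probe(http, token, "https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=1");
            bool groups = Probe(http, token, "https://www.googleapis.com/admin/directory/v1/groups?customer=my_customer&maxResults=1");
            Console.WriteLine(users && groups ? "Both scopes work; the MA can be configured." : "Fix the delegation grant first.");
        }
    }
}
```

Run it on the Synchronization Server under the account that will own the MA, so the P12 path, file permissions and proxy settings are exercised exactly as the MA will see them. Two HTTP 200 responses mean the key, the delegation and both scopes are in place; a failed token exchange points at the key file or the iss/sub values, while a 403 on only one probe points at the scope list entered in step 23.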

Configure FIM settings

As usual, create Run Profiles (delta import is currently not supported), Synchronization Rules, Sets, Action Workflows and MPRs.

Troubleshooting

This MA supports ETW for tracing.

Add a system.diagnostics block to the configuration file: in in-process mode use miisserver.exe.config, in out-of-process mode use dllhost.exe.config. The trace file is written by the Synchronization Service account, so c:\Logs must exist and be writable by it. switchValue="All" records every trace level; lower it again once troubleshooting is done.

    <system.diagnostics>
        <sources>
            <source name="Generic REST MA" switchValue="All">
                <listeners>
                    <add name="Generic REST MA" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\Logs\GenericRESTMA.log">
                        <filter type="" />
                    </add>
                    <remove name="Default"/>
                </listeners>
            </source>
        </sources>
    </system.diagnostics>

History

  • 21st June, 2016 : updated procedure for the Google API console. Thanks Marcelo Hunecke!!

Last edited Jun 21, 2016 at 2:07 PM by naohiro, version 6