G-Suite IDM Driver v4.2 - Google API Quotas

Google API Quotas


With the transition from the old Provisioning API to the Directory API via the Admin SDK, Google has introduced and exposed quotas on the various interfaces used by the G-Suite IDM Driver. Some people are seeing quota issues with their driver. This document details how to view your quotas, current usage levels, and how to request more quota from Google, should you need it.

Should you exceed your quota, your G-Suite driver will report the condition to the trace log file and shut down.


Managing Quotas


Your API quotas and current usage can be viewed at any time from your developer’s console: https://console.developers.google.com

Please note that Google can and does change their policies and web interfaces at any time without warning. The information provided here may no longer be correct or current, though we will attempt to keep it up to date.

TIP: Log in with the account used to create the project in the first place.

Select the project which created the credential used by the Google Driver. The overview will give you a snapshot of your usage overall.



From the APIs & Auth section, select APIs, then select Enabled APIs.


Select the Admin SDK. This API provides all services for the driver with the exception of Group Settings and Domain Shared Contacts. Selecting Usage will allow you to see a usage summary over time.


Select "Quotas" to see your current quotas and current remaining quota.




If you have exceeded your quota for requests per day, click the highlighted link to create a request to Google for more daily quota.

You can also go to this URL to directly access the Quota request form for the Admin SDK: https://support.google.com/code/contact/admin_sdk_quota

Clicking the "Change" button allows you to change your per-user limit of 15 requests per user per second, though it is unlikely that the driver will ever exceed this threshold.

For more information on the Admin SDK and quota limits, please see this Google documentation: https://developers.google.com/admin-sdk/directory/v1/limits

G-Suite IDM Driver v4.2 - Common Driver issues

Common G-Suite Driver Issues



Issue: User Placement
Example and Notes: Do not use a leading "\" to place users or Organization Units.

To place a user in the root container, the dest-dn should only contain the username. If you are placing a user in the G-Suite Sales\Marketing container, your dest-dn should look like:

<add class-name="User" dest-dn="Sales\Marketing\ddare"/>

Organization Units use the same format for dest-dn.

Issue: Group Placement
Example and Notes: Do not use a placement rule on groups, as Google does not support placing groups in organizations.

Groups are not kept in a hierarchical structure. Placement is not relevant to group objects.

Issue: Unique naming
Example and Notes: It is important that nicknames, group names and usernames be unique in the G Suite domain.

When developing a matching rule, be sure to check for nicknames and usernames to ensure proper matching. Further, naming must be unique across all Google Organization Units. It is not legal to have Sales\Marketing\myname and Engineering\myname, since myname needs to be unique across the domain.
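The following is an added example (not part of the driver or this document) that checks a dest-dn against the placement rule above and looks for leaf-name collisions across the whole domain, the way a matching rule should. It assumes names compare case-insensitively and that "existing" is whatever objects your matching rule can already see.

```python
DEST_DN_SEPARATOR = "\\"

def build_dest_dn(ou_path, username):
    """ou_path: list of OU names from the root, e.g. ["Sales", "Marketing"]; [] means the root container."""
    parts = [ou.strip() for ou in ou_path if ou.strip()]
    return DEST_DN_SEPARATOR.join(parts + [username.strip()])

def dest_dn_problems(dest_dn):
    """Return the ways a dest-dn breaks the User Placement rule (empty list if it is fine)."""
    parts = dest_dn.split(DEST_DN_SEPARATOR)
    problems = []
    if parts[0] == "":
        problems.append("leading backslash: dest-dn is relative to the root container")
    if parts[-1].strip() == "":
        problems.append("missing username at the end of the path")
    if any(p != p.strip() for p in parts):
        problems.append("whitespace around a path separator (e.g. 'Marketing\\ ddare')")
    return problems

def name_conflicts(candidate_dn, existing):
    """existing: iterable of (kind, dest_dn) for users, nicknames and groups already in the domain.
    Names must be unique across the whole domain, not just within one OU, so only the leaf
    name is compared (case-insensitively; assumed behaviour)."""
    leaf = candidate_dn.rsplit(DEST_DN_SEPARATOR, 1)[-1].strip().lower()
    return [(kind, dn) for kind, dn in existing
            if dn.rsplit(DEST_DN_SEPARATOR, 1)[-1].strip().lower() == leaf]

# Constructed sample of objects a matching rule might already see in the domain.
EXISTING = [("user", "Sales\\Marketing\\myname"), ("nickname", "mname"), ("group", "sales-team")]

if __name__ == "__main__":
    print(build_dest_dn(["Sales", "Marketing"], "ddare"))
    print(dest_dn_problems("\\Sales\\Marketing\\ ddare"))
    print(name_conflicts("Engineering\\MyName", EXISTING))
```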


Driver Unable to Start

  1. Are the driver jar files installed and eDirectory restarted?
  2. Have you created the admin account in Google and logged into the web interface at least once?
  3. Examine a level 3 or higher trace log of the driver start-up for errors.

Driver Exceeds Quota on requests to specific services

Google has specific default quotas defined for the various services the driver uses. The quotas limit the total number of requests allowed in a given 24-hour period.

Once these quotas are exceeded, the driver will receive an HTTP 403: Forbidden error.

Token Response Exception when using Gmail Settings Attributes


The trace will show something like this: 


DirXML Log Event -------------------
Driver: \GLOBAL-DOMINATION\system\driverset1\Google Apps
Status: Fatal
Message: <description>com.google.api.client.auth.oauth2.TokenResponseException: 401 Unauthorized</description>
<exception class-name="com.google.api.client.auth.oauth2.TokenResponseException">
<message>401 Unauthorized</message>
</exception>


This error is due to not authorizing the new Gmail scopes within the Security section of your G Suite domain. Please refer to the following guide to reset the authorized scopes for the service account.
Micro Focus Identity Manager Driver 4.8 : G-Suite Driver v4.2 - OAuth Update


GoogleJsonResponseException error 403 forbidden when accessing Gmail Settings attributes

The trace will show something like this: 


<status level="retry" type="app-connection">
<description>IOException: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "usageLimits",
"message" : "Access Not Configured. Gmail API has not been used in project 1233 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=1233 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.", 

"reason" : "accessNotConfigured".

The Gmail API has not been enabled for your G Suite domain. Enable it in your service account's developers console project. 
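The three failures above (401 TokenResponseException, 403 accessNotConfigured, and 403 quota exhaustion) look alike in a trace but need different fixes. This added example (not driver code) classifies a trace excerpt and points at the remediation this document gives; the sample traces are constructed from the ones shown here, and the "dailyLimitExceeded" reason for the quota case is an assumption, since the document only shows the 403.

```python
import re

# Constructed trace excerpts modelled on the ones shown in this document (not real driver output).
TRACE_401 = ("Status: Fatal\n"
             "Message: <description>com.google.api.client.auth.oauth2.TokenResponseException: "
             "401 Unauthorized</description>")
TRACE_403_NOT_CONFIGURED = (
    '<status level="retry" type="app-connection">\n'
    '<description>IOException: com.google.api.client.googleapis.json.GoogleJsonResponseException: '
    '403 Forbidden\n{\n"code" : 403,\n"errors" : [ {\n"domain" : "usageLimits",\n'
    '"message" : "Access Not Configured. Gmail API has not been used in project 1233 before or it '
    'is disabled. Enable it by visiting https://console.developers.google.com/apis/api/'
    'gmail.googleapis.com/overview?project=1233 then retry.",\n"reason" : "accessNotConfigured"')
# Daily quota exhausted; the reason value is assumed, the document only shows the 403.
TRACE_403_QUOTA = ('GoogleJsonResponseException: 403 Forbidden\n{\n"code" : 403,\n"errors" : [ {\n'
                   '"domain" : "usageLimits",\n"reason" : "dailyLimitExceeded"')

def _json_field(trace, name):
    """Pull one string field out of the embedded JSON. Traces are often cut off (as above),
    so a regex is used instead of json.loads."""
    m = re.search(r'"%s"\s*:\s*"([^"]*)"' % re.escape(name), trace)
    return m.group(1) if m else None

def classify_driver_error(trace):
    """Map a trace excerpt to the cause and remediation described in this document."""
    if "TokenResponseException" in trace and "401 Unauthorized" in trace:
        return {"cause": "oauth-scopes",
                "action": "re-authorize the scope list for the service account"}
    if "GoogleJsonResponseException: 403" in trace:
        if _json_field(trace, "reason") == "accessNotConfigured":
            url = re.search(r"https://console\.developers\.google\.com/\S+", trace)
            return {"cause": "api-not-enabled",
                    "action": "enable the API in the project: " + (url.group(0) if url else "(see console)")}
        if _json_field(trace, "domain") == "usageLimits":
            return {"cause": "quota-exceeded",
                    "action": "request more daily quota in the developer console"}
        return {"cause": "forbidden", "action": "check the service account's permissions"}
    return {"cause": "unknown", "action": "examine a level 3 or higher trace"}

if __name__ == "__main__":
    for t in (TRACE_401, TRACE_403_NOT_CONFIGURED, TRACE_403_QUOTA):
        print(classify_driver_error(t))
```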


G-Suite IDM Driver v4.2 - OAuth Update

Updating OAuth Authorizations for the 4.1.3.x release and later


The G Suite IDM connector (Google Driver) release version 4.2 requires updates to the authorized OAuth Scopes and enabled APIs for your service account to work properly.

Authorized Scope List


This is the complete authorized scope list as of this release:


https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.orgunit
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.user.alias
https://www.googleapis.com/auth/admin.directory.user.security
https://www.googleapis.com/auth/admin.directory.userschema
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/userinfo.email
http://www.google.com/m8/feeds
https://www.googleapis.com/auth/contacts.readonly
https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/admin.directory.rolemanagement
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
https://www.googleapis.com/auth/gmail.labels
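Before authorizing the service account, it is worth diffing the scopes you are about to grant against the list above: missing scopes break the driver, while extra scopes give the service account domain-wide access it does not need. This added example (not driver code) does that comparison; it assumes the input is the comma-separated scope string as entered in the admin console.

```python
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.orgunit",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.alias",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.directory.userschema",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "http://www.google.com/m8/feeds",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/apps.groups.settings",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
    "https://www.googleapis.com/auth/gmail.labels",
)

def _normalize(scope):
    # Tolerate stray whitespace and a trailing slash when pasting the list.
    return scope.strip().rstrip("/")

def compare_scopes(authorized_csv):
    """authorized_csv: comma-separated scopes as entered in the admin console (assumed format).
    Returns (missing, extra): scopes the driver needs but lacks, and scopes granted beyond
    what the driver needs."""
    granted = {_normalize(s) for s in authorized_csv.split(",") if s.strip()}
    required = {_normalize(s) for s in REQUIRED_SCOPES}
    return sorted(required - granted), sorted(granted - required)

def authorization_string():
    """Comma-separated list of exactly the required scopes, ready to paste."""
    return ",".join(REQUIRED_SCOPES)

if __name__ == "__main__":
    print(compare_scopes(authorization_string()))
```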

Access Gateway and SNI support

Introduction


Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client indicates, at the start of the TLS handshake, which hostname it is attempting to connect to. This enables the server to select the correct virtual domain and corresponding TLS certificate at the very beginning of the process of establishing secure communication with the client.

The purpose of this document is to help users enable SNI and benefit from it in the secure TLS communication of Access Gateway (AG) (pre NAM 5.0). There are two such channels at the AG:

  1. Between browser and AG.
  2. Between AG and backend webserver.
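To make the mechanism concrete, here is an added example (not Access Gateway code) that builds a minimal ClientHello with or without the server_name extension, parses the hostname back out of it, and shows how a server chooses the certificate: the named virtual host's when SNI is present and known, otherwise the default one. The random value and cipher suite are constructed placeholders.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name extension, RFC 6066

def build_client_hello(hostname=None):
    """Build a minimal TLS ClientHello record; hostname=None omits the SNI extension."""
    body = (b"\x03\x03" + b"\x00" * 32      # legacy_version TLS 1.2, 32-byte placeholder random
            + b"\x00"                       # empty session id
            + b"\x00\x02\x13\x01"           # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00")                  # one compression method: null
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name (0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext               # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                     # not a handshake / not a ClientHello
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                # compression methods
    if pos + 2 > len(body):
        return None                                     # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == SNI_EXTENSION_TYPE and ext_len >= 5:
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]   # skip list len + name_type
            return body[pos + 5:pos + 5 + name_len].decode("idna")
        pos += ext_len
    return None

def select_certificate(record, vhost_certs, default_cert):
    """Certificate a server would present: the matching virtual host's, or the default one
    when the client sent no SNI or an unknown name."""
    return vhost_certs.get(extract_sni(record), default_cert)
```

Clients that send no SNI always receive the default certificate, which is why a mismatched default certificate shows up as warnings only for some clients.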


Deprecation for IDM Driver for Office365

Deprecation and migration plan for NetIQ Identity Manager Driver for Office 365


Micro Focus is deprecating the Office 365 driver for NetIQ Identity Manager. This driver has been superseded by the Azure AD driver, which is available at no extra cost to all Office 365 driver customers.

The Office 365 driver was developed at a time when Microsoft did not offer a comprehensive set of APIs to access Office 365. As the Azure platform evolved, Microsoft updated its API set to provide efficient and secure access to the platform. In response, Micro Focus developed the Azure Active Directory Driver: a faster, more scalable, and more secure driver that supports both Azure AD and Office 365.

Micro Focus has continued to support the older Office 365 driver to allow customers sufficient time to migrate to the new Azure AD driver. However, Microsoft has announced that it is deprecating some of the underlying technology, which will make the driver non-functional in some scenarios.

As a result, Micro Focus is urging all Office 365 driver customers to migrate to the new Azure AD driver as soon as possible.