README.md: 27 additions & 3 deletions
@@ -72,11 +72,32 @@ as locally running the ssosync tool.
72
72
73
73
### Google
74
74
75
-
First, you have to setup your API. In the project you want to use go to the [Console](https://console.developers.google.com/apis) and select *API & Services* > *Enable APIs and Services*. Search for *Admin SDK* and *Enable* the API.
75
+
First, you have to setup your API. In the project you want to use go to the [Console](https://console.developers.google.com/apis) and select
76
+
*API & Services* > *Enable APIs and Services*. Search for *Admin SDK* and *Enable* the API.
76
77
77
-
You have to perform this [tutorial](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to create a service account that you use to sync your users. Save the `JSON file` you create during the process and rename it to `credentials.json`.
78
+
You have to perform this [tutorial](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to create a
79
+
service account that you use to sync your users. This is the service account that is used to impersonate a user
80
+
(via `--google-admin`). You have two possibilities to use this service account. Create a service account key credential,
> you can also use the `--google-credentials` parameter to explicitly specify the file with the service credentials. Please, keep this file safe, or store it in the AWS Secrets Manager
80
101
81
102
In the domain-wide delegation for the Admin API, you have to specify the following scopes for the user.
82
103
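Review bot: the two ways of using the service account are introduced in running prose ("You have two possibilities to use this service account. Create a service account key credential, ...") so the reader cannot tell where the key-file option ends and the second option begins; render them as a two-item list and state, per option, which flags it needs (`--google-credentials` for the key file, and whatever the Workload Identity Federation path requires). The tip "keep this file safe, or store it in the AWS Secrets Manager" should also say why: this hunk itself explains that the key carries domain-wide delegation and impersonates the admin named in `--google-admin`, so anyone holding the file can read and modify the whole directory. Minor: re-wrapping the existing sentences onto hard-wrapped lines makes unchanged text show up as removed and re-added, which hides the real documentation change in the diff.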
@@ -89,6 +110,9 @@ In the Search box type `Admin` and select the `Admin SDK` option. Click the `Ena
89
110
90
111
You will have to specify the email address of an admin via `--google-admin` to assume this users role in the Directory.
91
112
113
+
> When running this tool as AWS Lambda, the parameter `--google-credentials` is expected to contain the content of the
114
+
> `JSON file`.
115
+
92
116
### AWS
93
117
94
118
Go to the AWS Single Sign-On console in the region you have set up AWS SSO and select
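Review bot: the new blockquote says that under AWS Lambda `--google-credentials` "is expected to contain the content of the JSON file", which contradicts the flag's own help text further down in this commit ("path to Google Workspace credentials file") and is not tied back to the Secrets Manager advice given above; say where the Lambda value is meant to come from (the Secrets Manager secret) and how the tool decides whether the parameter is a path or inline content, and align the flag help text with that behaviour. As written, a reader following the README on the CLI path and then deploying to Lambda has no way to know the parameter changes meaning.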
rootCmd.Flags().StringVarP(&cfg.SCIMEndpoint, "endpoint", "e", "", "AWS SSO SCIM API Endpoint")
242
249
rootCmd.Flags().StringVarP(&cfg.GoogleCredentials, "google-credentials", "c", config.DefaultGoogleCredentials, "path to Google Workspace credentials file")
243
250
rootCmd.Flags().StringVarP(&cfg.GoogleAdmin, "google-admin", "u", "", "Google Workspace admin user email")
251
+
rootCmd.Flags().StringVarP(&cfg.GoogleSAEmail, "google-service-account-email", "W", "", "Google Workload Identity Federation SA email. If set, google-credentials must be associated with a Workload Identity Federation json file")
244
252
rootCmd.Flags().StringSliceVar(&cfg.IgnoreUsers, "ignore-users", []string{}, "ignores these Google Workspace users")
245
253
rootCmd.Flags().StringSliceVar(&cfg.IgnoreGroups, "ignore-groups", []string{}, "ignores these Google Workspace groups")
246
254
rootCmd.Flags().StringSliceVar(&cfg.IncludeGroups, "include-groups", []string{}, "include only these Google Workspace groups, NOTE: only works when --sync-method 'users_groups'")
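Review bot: the help text for `--google-service-account-email` says `google-credentials` "must be associated with a Workload Identity Federation json file", but nothing in this hunk enforces that; add a pre-run check that, when `cfg.GoogleSAEmail` is set, the credentials file actually parses as a Workload Identity Federation configuration (and that it is absent or ignored when a plain service account key is supplied), failing early with a clear error instead of letting a mismatch surface as an opaque authentication failure at sync time. Style: spell out "SA" as "service account" in the help string, and the shorthand `-W` stands out beside the lowercase `-c`/`-u` used for the neighbouring Google flags.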