Google Drive & G Suite Integration (Automated Account Linking)
The manual Google account linking requirement can be removed by using a Google service account to present Google Drive (personal Drive or Team Drives) automatically.
Foldr maps a predefined LDAP (Active Directory) attribute in conjunction with the Google service account key to authenticate and provide access to the correct cloud storage account, i.e. the Foldr appliance matches the user's LDAP attribute (email address or UPN) to the user in the Google G Suite domain.
Activating Automated Linking with Google Drive:
1. Browse to https://console.developers.google.com/apis using your administrative account. Follow the initial steps 1-3 here to create a Google Project and enable the Drive API for the project.
2. Create the Service Account Key
Within the project, select API Manager >> Credentials >> Create Credentials >> Service Account Key
3. Select ‘New Service account’ from the drop-down menu, leaving the key type as JSON
4. Enter a service account name and account ID and choose ‘Owner‘ as the Role type
5. A private key file (.JSON) will be created and downloaded to your local workstation. Save this file and keep it in a secure location. (This file cannot be downloaded later)
6. Enable DwD (Domain-wide delegation) for the service account
Click Manage service accounts
Click Options >> Edit for the new service account key
Check ‘Enable G Suite Domain-wide Delegation’ and give the product a name for the OAuth consent screen if this hasn’t already been configured at step 1.
7. Create the matching Google service account within Foldr Settings >> General >> Service Accounts
– Select Account Type as Google
– Enter a description and paste the content of the JSON private key into Account Key (JSON)
Typical settings to map users' personal Google Drive shown (note user attribute = Email Address)
8. Changing the default background access mode from manual to automated
Within Foldr Settings >> General >> Service Accounts – change the background account access mode to ‘Use Service Account’ and select the service account created at step 7.
9. Allow Google service account (Client ID) permission to use Google APIs (Drive & Profile)
Log in with an administrative account at https://admin.google.com and click Security
Click Show more
Click Advanced settings
Click Manage API client access
Enter the Client Name string (found at console.developers.google.com > Project > API Manager > Credentials > OAuth 2.0 Client IDs)
Enter the following API scope (note this is comma-delimited)
Finally, click Authorize
The client name should then be displayed as shown
10. Create a new global share within Foldr Settings >> Shares for Google Drive using the Google service account.
Note – Share URI (Path) is configured %googledrive%
Note 1 – Service Account configured with the Google service account
Note 2 – ‘Use service account for all access’ toggle is not required with Google Drive shares.
The Google integration for automatic Google Drive provisioning is now complete. When a domain user logs into Foldr, their personal Google Drive share will be presented, provided the corresponding Active Directory account ‘mail’ attribute is configured correctly for the Google G Suite domain.
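A pre-flight check for the key file saved at step 5, added here as an example and not part of Foldr or Google tooling: it confirms the file is a service account key readable only by its owner and returns its identifiers (the client ID can be cross-checked against the client authorized at step 9) without returning the private key. The sample key, project name and account values are constructed, and the permission check assumes a POSIX workstation.

```python
import json
import os
import stat
import tempfile

# Fields carried by a Google service account JSON key file.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")


def audit_key_file(path):
    """Return (summary, findings): non-secret identifiers plus problems found."""
    findings = []
    # POSIX permission bits: the key should be readable by its owner only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} allows group/other access, use 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except json.JSONDecodeError:
        return {}, findings + ["file is not valid JSON"]
    if not isinstance(key, dict):
        return {}, findings + ["top-level JSON value is not an object"]
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is not 'service_account'")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM PKCS#8 block")
    # Only identifiers go into the summary; the private key is never returned.
    summary = {k: key.get(k) for k in ("project_id", "client_email", "client_id")}
    return summary, findings


def write_sample_key(mode, **overrides):
    """Write a constructed (fake) key file with the given mode; return its path."""
    key = {"type": "service_account", "project_id": "example-project",
           "private_key_id": "0" * 40, "client_id": "100000000000000000001",
           "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
           "client_email": "foldr-sa@example-project.iam.gserviceaccount.com",
           "token_uri": "https://oauth2.googleapis.com/token"}
    key.update(overrides)
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path
```

Run `audit_key_file` on the downloaded key before pasting its content into Foldr; an empty findings list means the file passed every check.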