Google Drive & G Suite Integration (Automated Account Linking)

Posted on 8th November 2016

The manual Google account linking requirement can be removed by using a Google service account to present Google Drive (personal Drive or Team Drives) automatically.

Foldr maps a predefined LDAP (Active Directory) attribute, in conjunction with the Google service account key, to authenticate and provide access to the correct cloud storage account, i.e. the Foldr appliance matches the user’s LDAP attribute (email address or UPN) to the user in the Google G Suite domain.

Activating Automated Linking with Google Drive:

1.  Browse to https://console.developers.google.com/apis using your administrative account.  Follow the initial steps 1-3 here to create a Google Project and enable the Drive API for the project.

2.  Create the Service Account Key
Within the project, select API Manager >> Credentials >> Create Credentials >> Service Account Key

3. Select ‘New Service account’ from the drop-down menu, leaving the key type as JSON

4. Enter a service account name and account ID and choose ‘Owner’ as the Role type

5. A private key file (.JSON) will be created and downloaded to your local workstation. Save this file and keep it in a secure location (this file cannot be downloaded later).

6. Enable DwD (Domain-wide delegation) for the service account

Click Manage service accounts

Click Options >> Edit for the new service account key

Check ‘Enable G Suite Domain-wide Delegation’ and, if this was not already configured at step 1, give the product a name for the OAuth consent screen.

Click Save

7. Create the matching Google service account within Foldr Settings >> General >> Service Accounts

– Select Account Type as Google

– Enter a description and paste the content of the JSON private key into Account Key (JSON). Typical settings to map users’ personal Google Drive are shown (note user attribute = Email Address)

8. Change the default background access mode from manual to automated

Within Foldr Settings >> General >> Service Accounts, change the background account access mode to ‘Use Service Account’ and select the service account created at step 7.

9. Allow Google service account (Client ID) permission to use Google APIs (Drive & Profile)

Log in with an administrative account at https://admin.google.com and click Security

Click Show more

Click Advanced settings

Click Manage API client access

Enter the Client Name string (found at console.developers.google.com > Project > API Manager > Credentials > OAuth 2.0 Client IDs)

Enter the following API scopes (note this list is comma-delimited):

https://www.googleapis.com/auth/drive,profile

Finally, click Authorize.

The client name should then be displayed as shown.

10. Create a new global share within Foldr Settings >> Shares for Google Drive using the Google service account.

Note – Share URI (Path) is configured as %googledrive%

Note 1 – Service Account is configured with the Google service account created at step 7

Note 2 – The ‘Use service account for all access’ toggle is not required for Google Drive shares.

The Google integration for automatic Google Drive provisioning is now complete. When a domain user logs into Foldr, their personal Google Drive share will be presented, provided the corresponding Active Directory account ‘mail’ attribute is configured correctly for the Google G Suite domain.
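As an added illustration (not Foldr’s own code), the checks behind the automated linking described above: validating the pasted service account key, mapping the configured LDAP attribute to a user in the G Suite domain, and building the domain-wide delegation claim set that the service account signs with its private key. The sample key values, the example.org domain and the LDAP entry are constructed, and the Google token endpoint URL is an assumption.

```python
import json
import time

# Constructed sample of the fields Google writes into a service-account key file;
# the private_key value is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "foldr-drive@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})
REQUIRED_FIELDS = ("type", "client_email", "client_id", "private_key")

def load_service_account_key(raw_json):
    """Parse the pasted key; reject anything that is not a complete service-account key."""
    key = json.loads(raw_json)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError(f"key is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service account key (type={key['type']!r})")
    return key

def select_google_user(ldap_entry, attribute, gsuite_domain):
    """Return the mapped LDAP attribute (mail or userPrincipalName) as the Google user
    to impersonate, refusing addresses outside the G Suite domain."""
    value = ldap_entry.get(attribute, "")
    if "@" not in value:
        raise ValueError(f"{attribute} is not a usable address: {value!r}")
    if value.rpartition("@")[2].lower() != gsuite_domain.lower():
        raise ValueError(f"{value} is outside the G Suite domain {gsuite_domain}")
    return value.lower()

def delegated_claim_set(key, subject, scopes, now=None):
    """Claims of the JWT the service account signs to act as `subject` via domain-wide
    delegation. Scopes are space-delimited here, comma-delimited in the admin console."""
    issued = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],  # the service account itself
        "sub": subject,              # the G Suite user being impersonated
        "scope": " ".join(scopes),
        "aud": "https://oauth2.googleapis.com/token",  # assumed token endpoint
        "iat": issued,
        "exp": issued + 3600,        # Google caps the assertion lifetime at one hour
    }

def client_id_is_authorized(key, authorized_client_ids):
    """The Client Name entered under Manage API client access must equal the key's client_id."""
    return key["client_id"] in set(authorized_client_ids)
```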

Need more help?

Get in touch with our friendly help desk who will be happy to assist you, support@foldr.io