Map user identities in Cloud Search

To respect the access permissions of items from a third-party repository, Google Cloud Search needs to map identities between the repository and Google Accounts. For example, in a database, a user might have the username jensmith@company.com. That username needs to map to a Google Account, such as jsmith@solarmora.com.

To manage this mapping, create an identity source in Cloud Search. The identity source lets a developer map user accounts from the third-party repository to Google Accounts. Learn how a developer can sync different identity systems.

Before you begin

1. Create an identity source

To map third-party usernames to Google Accounts, create an identity source.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then G Suite and then Cloud Search and then Search Settings.

    To see Apps, you might have to click More controls at the bottom.

    Requires having the Services Cloud Search administrator privilege.

  3. Click the Identity sources card.

    A list of your organization's identity sources displays.

  4. In the top left, click Add.
  5. Enter a name in the Identity Source Name text line.
  6. Click Add Service Account.
  7. Enter the email address of a service account that can access user and group data through the Admin SDK Users API and Cloud Identity API.

    Use the email address that was generated for the service account ID when it was created.

  8. Set the service account’s level of access to the Admin SDK Users API:
    • Read/Write—Grants full access permissions to the API.
    • Existing—Maintains the permissions already granted to the API.
      If the service account was previously granted read/write permissions by another identity source, those permissions continue. If the service account hasn't already been granted access, it still has no access.

      Note: If the identity source that granted read/write access to the service account gets deleted, the service account loses access. If this identity source needs to use this service account, set the option to Read/Write.

  9. Set the service account’s level of access to the Cloud Identity API:
    • Read/Write—Grants full access permissions to the API.
    • Read—Grants Read permissions to the API.
    • No access—Prevents access to the API.
  10. Click Add Service Account.
  11. Add another service account, or if you're done adding service accounts, click Add Identity Source.

    A message displays when the identity source has been added successfully and shows the auto-generated identity source ID. Copy this ID and give it to your identity connector developer.

  12. Click OK.

After you add the identity source, it appears in the list of identity sources. Your developer needs the identity source ID for Google APIs to access the user and group data.

Tip: To copy the identity source ID to your clipboard, click Copy.

2. Import third-party accounts into G Suite

When you create an identity source, Cloud Search adds a custom attribute to all your Google user accounts. This custom attribute is where you store the third-party account ID that maps to the Google Account.
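The mapping described above is what lets a connector translate a repository's access list into Google Accounts. The following is an added illustration, not Cloud Search or Google connector code: it builds the third-party-username to Google Account index from a constructed directory snapshot and translates a repository ACL, dropping any principal that has no mapping rather than granting it access. The schema name `PLACEHOLDER_IDENTITY_SOURCE` and attribute name `external_id` are placeholders; the real names are generated by Cloud Search and must not be changed.

```python
"""Illustrative identity mapping for ACL translation.

Constructed example; not Cloud Search or connector code. Schema and
attribute names are placeholders for the custom attribute that the
identity source adds to every Google user account.
"""
from typing import Dict, List, Optional, Tuple

SCHEMA = "PLACEHOLDER_IDENTITY_SOURCE"   # placeholder, not the generated name
ATTRIBUTE = "external_id"                # placeholder, not the generated name

# Constructed directory snapshot in the shape of Admin SDK user records:
# primaryEmail plus the custom attribute holding the third-party username.
GOOGLE_USERS: List[dict] = [
    {"primaryEmail": "jsmith@solarmora.com",
     "customSchemas": {SCHEMA: {ATTRIBUTE: "jensmith@company.com"}}},
    {"primaryEmail": "ajones@solarmora.com",
     "customSchemas": {SCHEMA: {ATTRIBUTE: "alex.jones@company.com"}}},
    {"primaryEmail": "no-mapping@solarmora.com"},   # attribute never populated
]


def build_identity_map(users: List[dict],
                       schema: str = SCHEMA,
                       attribute: str = ATTRIBUTE) -> Dict[str, str]:
    """Index third-party username -> Google Account email.

    Keys are lower-cased because e-mail style usernames are compared
    case-insensitively. Two Google Accounts claiming the same third-party
    username is a data error that would grant the wrong person access,
    so it is rejected instead of silently overwritten.
    """
    mapping: Dict[str, str] = {}
    for user in users:
        value = user.get("customSchemas", {}).get(schema, {}).get(attribute)
        if not value:
            continue
        key = value.strip().lower()
        if key in mapping and mapping[key] != user["primaryEmail"]:
            raise ValueError(f"third-party id {value!r} mapped to two Google Accounts")
        mapping[key] = user["primaryEmail"]
    return mapping


def resolve(mapping: Dict[str, str], third_party_username: str) -> Optional[str]:
    """Return the Google Account for a repository username, or None if unmapped."""
    return mapping.get(third_party_username.strip().lower())


def translate_acl(mapping: Dict[str, str],
                  readers: List[str]) -> Tuple[List[str], List[str]]:
    """Translate a repository reader list into Google Accounts.

    Returns (mapped_accounts, unmapped_principals). Unmapped principals are
    reported and excluded; an item is never made readable to an identity the
    mapping cannot account for.
    """
    mapped: List[str] = []
    unmapped: List[str] = []
    for principal in readers:
        account = resolve(mapping, principal)
        if account is None:
            unmapped.append(principal)
        elif account not in mapped:
            mapped.append(account)
    return mapped, unmapped


if __name__ == "__main__":
    identity_map = build_identity_map(GOOGLE_USERS)
    # Constructed repository ACL, including one principal with no mapping.
    acl = ["JenSmith@company.com", "alex.jones@company.com", "contractor@company.com"]
    print(translate_acl(identity_map, acl))
```

The case-insensitive key and the duplicate check are design choices for the example: a repository that reports `JenSmith@company.com` should resolve to the same account as `jensmith@company.com`, and a second Google Account carrying an already-used third-party ID should surface as an error during import rather than quietly change who can read an item.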

To see this custom attribute in the Admin console:

  1. Go to Users.
  2. In the top right, click Manage custom attributes.

Important: Don't modify this custom attribute. If you change its name or any of its fields, Cloud Search won't work properly.

To import the third-party usernames into the custom attribute field, use one of these methods:

Import to all accounts at once using an identity connector

Use Google Cloud Directory Sync to synchronize user and group data.
Or, work with a developer to build an identity connector. Learn how to create an identity connector.

Import to all accounts at once using the Cloud Identity API

Use the Cloud Identity API to import the third-party user accounts into the custom attribute.

Import to individual accounts using the Google Admin console

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Users.
  3. On each user’s account page, under Manage user attributes, click Edit.
  4. In the custom attribute field, add the third-party username that maps to the G Suite user account.
  5. Click Update User.

3. Find your organization's customer ID

To set up an identity connector, your developer needs the customer ID of your Google Account to include in the connector’s properties file.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then open the SSO settings:

    You must be signed in as a super administrator for this task.

    Click Set up single sign-on (SSO) for SAML applications.

    Or, if you don’t have that option:

    Click Set up single sign-on (SSO).

  3. Next to SSO URL, find the idpid value at the end of the URL. The value after the C is your customer ID.

    For example, in the following URL, the customer ID is 0123tvz4:
    https://accounts.google.com/o/saml2/idp?idpid=C0123tvz4
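The customer ID is the `idpid` query value with its leading `C` removed, as in the example above. The following is an added helper, not part of this article or of any Google tool, that extracts it from the SSO URL and refuses URLs that do not match the expected form, so a mistyped or truncated value is caught before it goes into the connector's properties file:

```python
"""Extract the customer ID from the Admin console SSO URL.

Added example, not Google code. Only parses the URL shown in the Admin
console; the leading "C" is dropped because the value after it is the
customer ID.
"""
from urllib.parse import parse_qs, urlparse


def customer_id_from_sso_url(url: str) -> str:
    """Return the customer ID from an SSO URL such as
    https://accounts.google.com/o/saml2/idp?idpid=C0123tvz4 -> "0123tvz4".

    Raises ValueError when the URL has no single idpid parameter or the
    value does not carry the expected "C" prefix.
    """
    parsed = urlparse(url.strip())
    values = parse_qs(parsed.query).get("idpid", [])
    if len(values) != 1:
        raise ValueError("SSO URL must contain exactly one idpid parameter")
    idpid = values[0]
    if not idpid.startswith("C") or len(idpid) < 2:
        raise ValueError(f"unexpected idpid format: {idpid!r}")
    return idpid[1:]


if __name__ == "__main__":
    # The URL from the article's own example.
    print(customer_id_from_sso_url(
        "https://accounts.google.com/o/saml2/idp?idpid=C0123tvz4"))
```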

Next Step

Give the identity source ID and your customer ID to the developer who can sync different identity systems.

Edit or delete an identity source

Edit an identity source

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Apps and then G Suite and then Cloud Search and then Source Settings.
  3. Click the Identity sources card.
    A list of your organization’s identity sources displays.
  4. Point to the identity source you want to update and click Edit.
  5. In the identity source window, select the item you want to change:
    • To update an existing service account, point to the service account and click Edit.
      You can change the service account name and access permissions.
    • To add a new service account, click Add Service Account.
  6. Click Edit Identity Source.

Delete an identity source

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Apps and then G Suite and then Cloud Search and then Source Settings.
  3. Click the Identity sources card.
    A list of your organization’s identity sources displays.
  4. Point to the identity source you want to remove and click Delete.
  5. In the warning window, click Delete.

Important: If you delete an identity source, Cloud Search also deletes all of its associated data. This includes all of its custom user data and groups.