Identity Broker Forum
Can Identity Broker for Google Apps be made available for Identity Broker v5?
This Broker can manage more attributes than the Google Apps Directory Synchronization and can make use of existing PCNS deployments rather than requiring Google Apps Password Sync (GAPS), which needs to be installed on all DCs and is limited to one Google Apps domain.
Cairns Catholic Education will use it and Brisbane Catholic Education would be likely to use it to replace GAPS and GADS with FIM/MIM and IdB.
Google passwords are not being set on creation; subsequent resets in AD are synchronised successfully.
In MIM the export_password attribute is set with the desired password. I was unable to find any information about this attribute or how to configure the Password Script in the Google Connector.
Unsure of when this started to re-occur, as most users authenticate via the IDP; however, Chromebooks authenticate directly. It appears this issue has occurred before (https://voice.unifysolutions.net/communities/6/topics/2816-passwords-are-not-set-on-google-account-creation); however, the key is configured to be the email address.
Identity Broker: v5.2.0 Revision #3
Google Connector: 126.96.36.199
So just confirming, using the Identity Broker version of the Newtonsoft fixes that particular issue? I'll update the connector to use the same version so that it isn't able to override it.
Do you have an update on whether the password change is working?
I am getting an error using the Google User Settings connector. The error occurs when deleting a custom SendAs address which was previously added using the connector.
SendAs Unchanged: <SendAs name="""" address=""email@example.com"" replyTo="""" signature="""" default=""false"" />
SendAs Unchanged: <SendAs name=""Givenname Surname"" address=""firstname.lastname@example.org"" replyTo="""" signature="""" default=""true"" />
SendAs Delete: <SendAs name=""Givenname Surname"" address=""email@example.com"" replyTo="""" signature="""" default=""false"" />
System.ArgumentException: An item with the same key has already been added.
at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.UserSettingsEntityMapper.MapEntity(IEntity originalEntity, IConnectorEntity exportedEntity)
at Unify.Product.IdentityBroker.GoogleUserSettingsConnector.<>c__DisplayClass20_0.<UpdateEntities>b__4(IConnectorEntity entity)
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.GoogleUserSettingsConnector.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
at Unify.Product.IdentityBroker.AuditUpdatingConnectorDecorator.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
at Unify.Product.IdentityBroker.EventNotifierUpdatingConnectorDecorator.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
Now that I'm looking at it, name is probably a bad key for the list of send-as (I don't recall making the decision when originally developing it). Shall I give you a patch that uses the email address instead, try to save you going through that fun?
The signature is currently combined in the same attribute as the SendAs field. Is it possible to separate these attributes?
Signature in UI showing linkage to default SendAs
Signature in UI showing linkage to non-default SendAs
<SendAs name="" address="firstname.lastname@example.org" replyTo="" signature="<div dir="ltr"><div>Regards</div><div>My Name</div><div><br></div><div>My Title2</div><div>My Department2</div><div>My Company2</div><div>p: 0400 000 000</div><div>e: <a href="mailto:email@example.com" target="_blank">firstname.lastname@example.org</a></div></div>" default="false" />, <SendAs name="Boyd Bostock" address="email@example.com" replyTo="" signature="<div dir="ltr">Regards<div>My Name</div><div><br></div><div>My Title</div><div>My Department</div><div>My Company</div><div>p: 0400 000 000</div><div>e: <a href="mailto:firstname.lastname@example.org" target="_blank">email@example.com</a></div><div><br></div></div>" default="true" />
I think it will be problematic as email addresses will change if people transfer between schools. For my purposes I will configure the MIM Rule Extension to preserve the signature if present.
I have found that differences in case between MIM and Google are causing unnecessary exports. To overcome this I have ensured all email address exports are in lowercase. The exports are successful, but a subsequent import from Google returns the addresses in the original case.
I have found an anomaly in Google where one view shows the addresses in lowercase and another in mixed case. I suspect that although the email address case changes successfully it is not synchronised everywhere.
Admin Console View
Google Groups View
- Is there another membership attribute that can be used instead?
- Is there a transformation that can convert to lowercase (multi-valued field)? MIM cannot do this for confirming imports.
- Is it possible/appropriate to add an option to the Connector to import all email addresses as lowercase?
Labels is one of the settings available in the GMail API and results in a large amount of data being returned. As there is no IAM requirement for Labels settings, I would recommend it is removed from the Google User/GMail Settings Connector.
Remove any non-required fields from the schema - that way the call won't be made as each of the fields are done as separate calls.
Import is failing for Google User Settings Connector after exactly 1 hour (log entries attached).
I am getting the error below when adding a group with other groups as members. I can add the groups to membership manually and the subsequent import imports the membership with the correct DN.
Image below shows the groups added manually and the one that is failing. The failing group was added manually to confirm it is possible.
There was a difference in how groups were calculated over users. See v188.8.131.52.
I am using the email address in the DN and have a requirement to allow accounts to be renamed. There are no other attributes that are suitable for use in the DN.
If I change the email address attribute it will fail (error attached) as it is being used in the DN. I have attempted to change the DN; however, MIM is processing it as an attribute flow instead of a rename (error and screenshot attached).
User rename split out from user update so that it does only what is required. See v184.108.40.206.