Deploying the GCP Connector
This article outlines the necessary steps to deploy the GCP Connector and correctly configure the environment. It provides detailed instructions for setting up a new project in Google Cloud Platform (GCP), configuring service accounts, and ensuring secure authentication and authorization mechanisms. This article is intended for deployment teams and technical administrators involved in setting up or troubleshooting the GCP Connector.
Project Creation in GCP
A new project will be created in Google Cloud Platform (GCP) where the EmpowerID SCIM microservice will be deployed.
Artifacts for Account Store Creation
After deployment, the following artifacts will be available for use in the Account Store creation wizard:
- Service Account Email (SA2)
- .p12 Service Account Key Certificate
- App Engine Host Name: The base URL where the microservice is deployed.
- JWT Target Audience (TA1)
Service Accounts & JWT Target Audiences
This section outlines the service accounts and JWT target audiences essential for deploying the GCP Connector environment. Two service accounts, SA1 and SA2, are utilized for authentication and authorization purposes. Additionally, two JWT target audiences, TA1 and TA2, are used.
Service Accounts
- SA1: The App Engine default service account (or another specifically configured account). This account is attached to the microservice running in the App Engine and used for authenticating with Google APIs. It is an ambient account available only for deployment purposes.
- SA2: This service account is used for OAuth2 authentication from EmpowerID to the microservice. The microservice is deployed behind the Identity-Aware Proxy (IAP), which enforces authentication. This service account must be entered in EmpowerID during the Account Store creation process.
JWT Target Audiences
- TA1: The target audience value to be entered in EmpowerID during Account Store creation. This value is the OAuth 2.0 Client ID of the credentials configured in the APIs & Services of GCP. It follows the format:
636363636363-p97kufa1jh000800m2k6cu01ork7xxxx.apps.googleusercontent.com
- TA2: The target audience of the verification JWT token attached by the IAP in requests to the microservice. It is verified by the microservice and typically appears as:
/projects/741662800000/apps/appname
This value is used only during deployment.
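Both service accounts described above obtain Google tokens the same way: they sign a short-lived JWT assertion and redeem it at Google's OAuth 2.0 token endpoint with the jwt-bearer grant. With target_audience set to TA1 the endpoint returns an OIDC ID token that IAP accepts as a Bearer token (SA2 → microservice); with sub and scope set it returns an access token for the delegation user (SA1 with domain-wide delegation, steps 5 and 10). The Go program below is an added example, not EmpowerID's or Google's code. It signs with an in-memory RSA key as a stand-in for the .p12 key from step 7 (Go's standard library cannot read PKCS#12 directly, and on App Engine SA1 has no downloadable key at all, so there the signing is delegated to Google's IAM credentials API instead). The service-account addresses, admin user and client ID value are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Google's OAuth 2.0 token endpoint: the "aud" of every service-account assertion.
const tokenEndpoint = "https://oauth2.googleapis.com/token"

// Claims covers both assertion shapes the connector relies on: target_audience = TA1
// (ID token for IAP) or sub + scope (access token as the domain-wide delegation user).
type Claims struct {
	Iss            string `json:"iss"`
	Aud            string `json:"aud"`
	TargetAudience string `json:"target_audience,omitempty"`
	Sub            string `json:"sub,omitempty"`
	Scope          string `json:"scope,omitempty"`
	Iat            int64  `json:"iat"`
	Exp            int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 serialises the claims and signs header.payload as an RS256 JWS.
func signRS256(c Claims, key *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// IDTokenAssertion is what EmpowerID, holding SA2's key, signs to obtain an ID token for TA1.
func IDTokenAssertion(saEmail, ta1 string, key *rsa.PrivateKey, now time.Time) (string, error) {
	return signRS256(Claims{Iss: saEmail, Aud: tokenEndpoint, TargetAudience: ta1,
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}, key) // one hour is the longest lifetime Google accepts
}

// DelegationAssertion is the domain-wide delegation shape: the service account acts as the
// admin user named in DomainWideDelegationUser, limited to scopes authorised in step 5.
func DelegationAssertion(saEmail, adminUser string, scopes []string, key *rsa.PrivateKey, now time.Time) (string, error) {
	return signRS256(Claims{Iss: saEmail, Aud: tokenEndpoint, Sub: adminUser, Scope: strings.Join(scopes, " "),
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}, key)
}

// TokenRequestBody is the x-www-form-urlencoded body POSTed to tokenEndpoint to redeem the assertion.
func TokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}.Encode()
}

// ParseClaims checks the RS256 signature with the service account's public key and returns
// the claims; it mirrors what the token endpoint verifies before issuing anything.
func ParseClaims(token string, pub *rsa.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	err = json.Unmarshal(payload, &c)
	return &c, err
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the .p12 key from step 7
	ta1 := "636363636363-p97kufa1jh000800m2k6cu01ork7xxxx.apps.googleusercontent.com" // TA1 format from this page
	tok, _ := IDTokenAssertion("sa2@example-project.iam.gserviceaccount.com", ta1, key, time.Now())
	c, err := ParseClaims(tok, &key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("assertion for target_audience=%s, lifetime %ds\n", c.TargetAudience, c.Exp-c.Iat)
	fmt.Println("POST", tokenEndpoint, "body:", TokenRequestBody(tok))
}
```

The ID token returned for an IDTokenAssertion is what EmpowerID presents in the Authorization header to the IAP-protected microservice; IAP only accepts it if its audience is the IAP OAuth client ID (TA1), which is why the page has you copy exactly that value into the Account Store wizard.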
Installation Steps
1. Open the Cloud Console
Navigate to Google Cloud Console.
2. Create a New Project
Set up a new project where the microservice will be deployed.
3. Enable Required APIs
Enable the following APIs for the project:
- IAM Service Account Credentials API
- Admin SDK API
- Cloud Resource Manager API
- Identity and Access Management (IAM) API
- Cloud Asset API
4. Deploy the Microservice to App Engine
- Install the gcloud CLI following the Google Cloud CLI Documentation.
- Initialize the CLI:
gcloud init
- Navigate to the package folder and run:
gcloud app deploy
- Deploy it again after enabling the Identity-Aware Proxy and updating appsettings.json with the correct IAP OAuth Client ID for JWT token verification.
5. Enable Domain-Wide Delegation for the App Engine Service Account (SA1)
- Retrieve the Client ID of the App Engine service account:
- Go to App Engine → Settings of your project.
- Note the service account email.
- Navigate to IAM & Admin → Service Accounts, locate the service account, and copy the Client ID.
- Open the Google Admin Console.
- Navigate to Security → Access and Data Control → API Controls → Manage Domain-wide Delegation.
- Input the Client ID obtained in the previous step.
- Assign the following scopes:
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/admin.directory.rolemanagement
https://www.googleapis.com/auth/admin.directory.orgunit
https://www.googleapis.com/auth/cloud-platform.read-only
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/admin.reports.audit.readonly
6. Grant Service Account Token Creator Role to SA1
- Go to IAM & Admin → IAM.
- Click Grant Access.
- Enter the service account email (SA1) and select the Service Account Token Creator role.
7. Create an IAP Service Account (SA2) for EID → MS Connectivity
- Go to IAM & Admin → Service Accounts.
- Create a new service account.
- Navigate to the newly created service account page.
- Go to Keys → Add Key → Create New Key → Select .p12 format.
- Alternatively, upload an existing public key certificate.
8. Enable the Identity-Aware Proxy
- Go to IAM & Admin → Identity-Aware Proxy.
- Configure the OAuth consent screen (select “Only for internal users”).
- Enable IAP for the microservice app (App Engine app).
- Grant the IAP-secured Web App User role to SA2 for the microservice app.
9. Retrieve JWT Target Audiences
- Get TA1 (OAuth 2.0 Client ID):
- Navigate to APIs & Services → Credentials.
- Locate the application under OAuth 2.0 Client IDs.
- Copy the Client ID as TA1.
- Get TA2 (IAP JWT target audience):
- Go to IAM & Admin → Identity-Aware Proxy.
- Locate the App Engine App, click the three dots, and select Get JWT Audience Code.
10. Configure JWT Verification Values in appsettings.json
Modify the appsettings.json file with the following values:
{
  "MicroserviceConfiguration": {
    "DomainWideDelegationUser": "organization_admin_email",
    "IapJwtExpectedAudience": "<TA2 Value>"
  }
}
11. Redeploy the Microservice
Run the following command again:
gcloud app deploy
12. Retrieve the App Engine Public URL
- Navigate to App Engine → Services.
- Locate the default service and note the Service URL (e.g., https://yourappname.uc.r.appspot.com/).
- If needed, grant your account the IAP-secured Web App User role to access the app directly.
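The IapJwtExpectedAudience value from step 10 is consumed by the check the microservice performs on every request: IAP adds a signed JWT in the x-goog-iap-jwt-assertion header, and the service must verify the ES256 signature against Google's published keys (https://www.gstatic.com/iap/verify/public_key, keyed by the token's kid), the issuer https://cloud.google.com/iap, the audience (TA2) and the validity window. The Go program below is an added example of that verification, not EmpowerID's microservice code. It signs a test token with a locally generated key so it can run offline; the kid, key map, email and audience value are constructed, and in production the keys are only ever fetched from Google.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fixed by Google: issuer of IAP assertions (carried in the x-goog-iap-jwt-assertion header).
const iapIssuer = "https://cloud.google.com/iap"

// IAPClaims is the part of the IAP payload the microservice acts on.
type IAPClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyIAPAssertion enforces, in order: three-part JWS, alg ES256 (the token never picks the
// verifier), a kid we know, a valid signature over header.payload, issuer, audience == TA2, time window.
func VerifyIAPAssertion(token, expectedAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*IAPClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signatures are r||s, 32 bytes each
		return nil, fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IAPClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != iapIssuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != expectedAud {
		return nil, fmt.Errorf("audience %q is not the configured TA2", c.Aud)
	}
	if t := now.Unix(); t < c.Iat-30 || t >= c.Exp { // 30 s clock-skew allowance on iat, none on exp
		return nil, fmt.Errorf("token outside its validity window")
	}
	return &c, nil
}

// SignTestAssertion produces an ES256 JWT shaped like IAP's from a locally generated key so the
// verifier can be exercised offline. Constructed for the demo: IAP's real keys come from Google only.
func SignTestAssertion(c IAPClaims, kid string, key *ecdsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c)
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for Google's IAP signing key
	ta2, now := "/projects/741662800000/apps/appname", time.Now()  // TA2 in the form shown on this page
	tok, _ := SignTestAssertion(IAPClaims{Iss: iapIssuer, Aud: ta2, Email: "sa2@example-project.iam.gserviceaccount.com",
		Iat: now.Unix(), Exp: now.Add(10 * time.Minute).Unix()}, "demo-kid", key)
	c, err := VerifyIAPAssertion(tok, ta2, map[string]*ecdsa.PublicKey{"demo-kid": &key.PublicKey}, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("IAP assertion accepted for", c.Email)
}
```

Two deployment caveats follow from this check. The header is only meaningful when the request actually traversed IAP, so the App Engine service must not be reachable by any path that bypasses it; and the key set should be fetched from Google and cached with a bounded lifetime rather than pinned, since Google rotates the kid values.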