Provide ability to pull multiple domain groups from Google Workspace (formerly gsuite) #5521
Comments
The Google API allows for retrieving the domains in Google Workspace: https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains/list. This would require an additional permission given to a service account.
@atburke Take a look at how Google Workspace support was originally implemented below. Similar to how at the moment your service account has to have the below OAuth scope.
You'll need to add one of the following (see the link that @stevenGravy provided) to your service account and connector and check for these.
With that done, then you simply have to update
The current implementation of #9697 actually doesn't filter by domain, which is actually a behavior change. 😬 No scopes other than When I asked @klizhentas about it, he said he didn't remember why the claims were filtered by domain, so maybe we can just... stop doing that, instead?
@espadolini Are you referring to this line? If we remove it, we won't filter by domain: https://github.com/gravitational/teleport/blob/master/lib/auth/oidc.go#L706
Yes, that's correct; it is a breaking change, however.
Feature Request
Provide the ability to pull all or specific domain user groups within a Google Workspace. Currently only the groups in the user's own @Domain will be retrieved.
Ex:
[email protected] in groups: [email protected], [email protected], [email protected], [email protected]
Only [email protected] and [email protected] will be retrieved as claims. If the user was [email protected], then only [email protected] will be retrieved as a claim.
Motivation
Users may be assigned to multiple groups that use different sub-domains than the user's own. Retrieving them all would allow every group assignment to be used for claims-to-roles mapping.
Who's it for?
Pro, Enterprise, Cloud
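To make the behaviour under discussion concrete, here is an added example (not Teleport's code and not from anyone in this thread) that contrasts the current rule, where a group becomes a claim only if its domain equals the user's domain, with the requested rule, where a group is kept if its domain is any domain registered to the Workspace. The function names, the sample addresses and the `workspaceDomains` slice are all constructed for this example; in a real connector that slice would be populated from the Admin SDK `domains.list` endpoint linked above. Note that the second filter still drops groups from domains outside the Workspace, which is the guard that disappears entirely if the domain check is simply removed as the later comments consider.

```go
package main

import (
	"fmt"
	"strings"
)

// domainOf returns the lower-cased domain part of an email address, or ""
// if the address has no "@" or nothing after it.
func domainOf(email string) string {
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return ""
	}
	return strings.ToLower(email[at+1:])
}

// filterGroupsByUserDomain mirrors the behaviour the issue describes as current:
// only groups whose domain equals the user's own domain become claims, so
// groups in sibling sub-domains are silently dropped.
func filterGroupsByUserDomain(user string, groups []string) []string {
	want := domainOf(user)
	var out []string
	for _, g := range groups {
		if d := domainOf(g); d != "" && d == want {
			out = append(out, g)
		}
	}
	return out
}

// filterGroupsByWorkspaceDomains is the requested behaviour: a group is kept
// when its domain is one of the Workspace's registered domains. Groups from
// any other domain are still rejected, so widening the filter does not admit
// arbitrary external groups into the claim set.
func filterGroupsByWorkspaceDomains(groups []string, workspaceDomains []string) []string {
	allowed := make(map[string]struct{}, len(workspaceDomains))
	for _, d := range workspaceDomains {
		allowed[strings.ToLower(d)] = struct{}{}
	}
	var out []string
	for _, g := range groups {
		if _, ok := allowed[domainOf(g)]; ok {
			out = append(out, g)
		}
	}
	return out
}

func main() {
	// Constructed sample data; example.com/.org are reserved documentation domains.
	user := "alice@example.com"
	groups := []string{
		"admins@example.com",
		"devs@eu.example.com",
		"ops@us.example.com",
		"everyone@example.org", // not a Workspace domain: rejected by both filters
	}
	workspaceDomains := []string{"example.com", "eu.example.com", "us.example.com"}

	fmt.Println("current:  ", filterGroupsByUserDomain(user, groups))
	fmt.Println("requested:", filterGroupsByWorkspaceDomains(groups, workspaceDomains))
}
```

With the sample data the current rule yields only `admins@example.com`, while the Workspace-domain rule yields the three in-Workspace groups and still excludes `everyone@example.org`.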