IdP sync

Welcome to our guide on configuring an Identity Provider (IdP) for user and group synchronization. This document provides step-by-step instructions and best practices for setting up and managing the synchronization process.

Google Workspace

Before you start creating and configuring a Google Workspace application, ensure that you have the following:

Step 1: Create a service account

  • Navigate to API Credentials page
  • Click CREATE CREDENTIALS at the top and select Service account
  • Fill in the form with the following values and click CREATE
    • Service account name: NetBird
    • Service account ID: netbird
  • Click DONE

[Screenshot: service-account-create]

Step 2: Create service account keys

  • Navigate to API Credentials page
  • Under Service Accounts, click NetBird to edit the service account

[Screenshot: edit-service-account]

  • Take note of the service account email address; it is used in the next steps
  • Click the Keys tab
  • Click the Add key drop-down menu, then select Create new key
  • Select JSON as the Key type and click Create

When you create a service account key using the Google Cloud console, most browsers immediately download the new key and save it in the download folder on your computer. See Google's documentation on managing and securing service account keys.

Step 3: Grant a user management admin role to a service account

  • Navigate to Admin Console page
  • Select Account on the left menu and then click Admin Roles
  • Click Create new role
  • Fill in the form with the following values and click CREATE
    • name: User and Group Management ReadOnly
    • description: User and Group Management ReadOnly
  • Click CONTINUE

[Screenshot: new-admin-role]

  • Scroll down to Admin API privileges and add the following privileges
    • Users: Read
    • Groups: Read

[Screenshot: privileges-review]

  • Verify the preview of assigned Admin API privileges to ensure that everything is properly configured, then click CREATE ROLE
  • Click Assign service accounts, add the service account email address, then click ADD

[Screenshot: assign-service-account]

  • Click ASSIGN ROLE to assign the service account to the User and Group Management ReadOnly admin role

[Screenshot: service-account-privileges]
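Once the key from Step 2 has been downloaded and the read-only role from Step 3 assigned, it is worth checking both before handing the key to the sync process. The script below is an added example for this guide and is not NetBird's own code: it validates the structure of the downloaded JSON key and its file permissions offline, and provides an optional smoke test that reads a few users through the Admin SDK Directory API using only read-only scopes, so it succeeds only if the role assignment in Step 3 worked. The sample key is constructed with placeholder values, and the Workspace customer ID passed to the smoke test is assumed to be supplied by the caller (it is not covered on this page).

```python
"""Check a Google service account key and, optionally, the read-only admin role.

Added example for this guide, not NetBird's code. The key layout follows
Google's service-account JSON format; SAMPLE_KEY is constructed and holds no
real credential material.
"""
import json
import os
import stat

REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "token_uri",
)

# Read-only Directory API scopes matching the "Users: Read" / "Groups: Read"
# privileges granted to the role in Step 3.
READONLY_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
]


def validate_key(data: dict) -> list[str]:
    """Return the problems found in a parsed service-account key (empty list = OK)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append(f"missing field: {field}")
    if data.get("type") != "service_account":
        problems.append(f"unexpected type: {data.get('type')!r}")
    email = data.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email is not a service account address: {email!r}")
    key = data.get("private_key", "")
    if not (key.startswith("-----BEGIN PRIVATE KEY-----")
            and key.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


def check_key_file(path: str) -> list[str]:
    """Validate the JSON content and refuse a key file readable by other users."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    problems = validate_key(data)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {oct(mode)} is group/world accessible; use 0600")
    return problems


def list_users(path: str, customer_id: str, limit: int = 5) -> list[str]:
    """Smoke test (needs network and the google-api-python-client package):
    list a few primary emails with read-only scopes only. This works only if the
    role from Step 3 was assigned to the service account in the key file."""
    # Imported here so the offline checks above run without the Google packages.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(path, scopes=READONLY_SCOPES)
    directory = build("admin", "directory_v1", credentials=creds)
    resp = directory.users().list(customer=customer_id, maxResults=limit, orderBy="email").execute()
    return [u["primaryEmail"] for u in resp.get("users", [])]


# Constructed sample key: placeholder values, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "netbird@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}

if __name__ == "__main__":
    import sys
    print("sample key problems:", validate_key(SAMPLE_KEY))
    if len(sys.argv) > 1:
        # Usage: python check_key.py /path/to/key.json [CUSTOMER_ID]
        print("key file problems:", check_key_file(sys.argv[1]))
        if len(sys.argv) > 2:
            print("first users:", list_users(sys.argv[1], sys.argv[2]))
```

The offline checks catch the two most common mistakes at this stage: downloading the wrong kind of credential (an OAuth client or user credential instead of a service account key) and leaving the key readable by every local account. The smoke test deliberately requests only the read-only scopes, so a failure there points at the role assignment rather than at the key.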

Azure AD

Before you start creating and configuring an Azure AD application, ensure that you have the following:

  • User account with admin permissions: You must have an Azure AD user account with the appropriate permissions to create and manage Azure AD applications. If you don't have the required permissions, ask your Azure AD administrator to grant them to you.

Step 1. Create and configure Azure AD application

  • Navigate to Azure Active Directory
  • Click App Registrations in the left menu, then click the + New registration button to create a new application.
  • Fill in the form with the following values and click Register
    • Name: NetBird

[Screenshot: azure-new-application]

Step 2. Add API permissions

  • Click API permissions on the left menu
  • Click Add a permission
  • Click Microsoft Graph and then click the Application permissions tab
  • Under Select permissions, select User.Read.All and Group.Read.All and click Add permissions

[Screenshot: azure-openid-permissions]

  • Click Grant admin consent for Default Directory and click Yes

[Screenshot: azure-grant-admin-consent]

Step 3. Generate client secret

  • Click Certificates & secrets on the left menu
  • Click New client secret
  • Fill in the form with the following values and click Add
    • Description: NetBird
  • Copy the Value and save it, as it can be viewed only once after creation.

[Screenshot: azure-client-secret]

  • Navigate to Owned applications.
  • Select the NetBird application and, on its Overview page, take note of the Application (client) ID and Directory (tenant) ID.
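With the client ID, tenant ID and client secret in hand, the registration can be verified end to end: request a Microsoft Graph token with the client-credentials flow and confirm that the token carries exactly the two application permissions consented to in Step 2, nothing more. The script below is an added example for this guide, not NetBird's code. Its JWT decoding is inspection only (no signature check), intended for looking at a token issued to your own app; TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders for the values recorded in Step 3, and the unsigned token built by make_unsigned_jwt is a constructed sample so the role check can be exercised offline.

```python
"""Verify an Azure AD app registration holds only User.Read.All and Group.Read.All.

Added example for this guide, not NetBird's code. Token decoding here is for
inspecting your own app's token, not for validating tokens from others.
"""
import base64
import json
import urllib.parse
import urllib.request

# Exactly the Microsoft Graph application permissions added in Step 2.
EXPECTED_ROLES = {"User.Read.All", "Group.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_roles(access_token: str) -> set[str]:
    """Return the app roles listed in a JWT payload (no signature verification)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def check_least_privilege(access_token: str) -> tuple[set[str], set[str]]:
    """Return (missing, excess) relative to EXPECTED_ROLES.
    Both sets empty means the app has the two read permissions and nothing else."""
    roles = token_roles(access_token)
    return EXPECTED_ROLES - roles, roles - EXPECTED_ROLES


def get_graph_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials request to the v2.0 token endpoint (needs network)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def graph_read_probe(access_token: str) -> dict:
    """Read one user and one group; both return 200 once admin consent is granted."""
    out = {}
    for kind in ("users", "groups"):
        req = urllib.request.Request(
            f"https://graph.microsoft.com/v1.0/{kind}?$top=1",
            headers={"Authorization": f"Bearer {access_token}"},
        )
        with urllib.request.urlopen(req) as resp:
            out[kind] = resp.status
    return out


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT so the role check can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    # Offline demonstration with a constructed token.
    sample = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                "roles": ["User.Read.All", "Group.Read.All"]})
    print("offline sample:", check_least_privilege(sample))

    # Live check: replace the placeholders with the values from Step 3.
    TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<tenant-id>", "<client-id>", "<client-secret>"
    if not TENANT_ID.startswith("<"):
        token = get_graph_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
        missing, excess = check_least_privilege(token)
        print("missing:", missing, "excess:", excess)
        print("graph probe:", graph_read_probe(token))
```

An empty "missing" set with a failing probe usually means admin consent from Step 2 was never granted; a non-empty "excess" set means someone added permissions beyond what the sync needs and the registration should be trimmed back to the two read permissions.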