Google driver will not start and failing with a 401 Unauthorized error then shutting down

  • 7017522
  • 21-Apr-2016
  • 21-Apr-2016

Environment

NetIQ Identity Manager 4.5
NetIQ Identity Manager Driver - Google Apps

Situation

Tried to start the Google driver, but it would not start: it fails with a 401 Unauthorized error and shuts down.
The Google ID used by the driver has full rights in Google. The ID/password was tested by successfully logging into both the Admin and Developer Consoles. The email address of the service account was compared, the application password was reset, and a new P12 file was generated. Same error.
This appears to be an issue within the Google API authorization process.

Resolution

A good approach is to review the documentation for creating and configuring the OAuth credential and its permissions, then work backwards from the authorization through to the Developer Console project itself, testing or recreating each item until the issue is resolved.


1) Ensure that the IDM server is in time sync. OAuth, like SAML, uses timed 'tickets', and the exchange fails when the server clock is too far from real-world time.


2) Work from the least invasive check, the "Delegate Domain-wide Administrative rights to Google Service Account" settings, through to the most invasive, recreating the Developer Console project and service account. Verify the settings and retest the driver after each change.
For example, to test whether the credential was initially created and authorized correctly, work through the following steps, retesting after each one:
A)  Delete and re-set the API client access scopes in the Admin dashboard: Security control panel, Advanced Settings, "Manage Client Access".
B)  Create a new service account credential at console.developers.google.com for your domain. You can do this in the same project that you used to create the existing credential. Then authorize it as per step 1.
C)  Create a new project, then a credential, then authorize it.


Note: You will also get a permissions error in another common case, which should not be treated as an error that needs fixing. If you attempt to act on an object that is not in the Google domain(s) controlled by the service account, the API generates a permissions error. The most common cause is a malformed email address on a group or user object. For example, if your domain is "testdomain.org" and you try to process an event for a user whose email address is (incorrectly) set in eDirectory to mytestuser@testingdomain.org, the API stack will correctly inform you that you do not have permission to act on that user, because they are not in your authorized domains. This only happens when the domain-name part of the email address is incorrect.

Cause

Google does not provide detailed error messages when its authentication/authorization process fails. Therefore, being able to authenticate with the username and password of the admin account is not a good test of functionality. The permissions used by the driver come from an OAuth relationship in which the service account assumes permissions from the admin account.

The problem may also happen if the account is not present.  For example, if it gets deleted in between driver startups from the Security Settings in the Admin Console (not the Developers Console).

In that case, restore the account and use DirectoryScopes.txt to restore the API access rights. For those steps, refer to the PDF that came with the 4.1.0.0 patch; the instructions will become clearer.
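The following script is an added illustration and is not NetIQ's code or part of the driver. It models the three things this TID turns on: the service-account JWT assertion the driver's Google client submits (issuer is the service account, subject is the admin account whose rights it assumes, scopes must match the API client access granted in the Admin Console), the clock check behind step 1 of the Resolution, and the "foreign domain" permissions error described in the Note. The service account address, admin address, domain names, skew tolerance and the two Directory API scopes are constructed assumptions; the real scopes for the driver come from DirectoryScopes.txt. The RS256 signature over the assertion (made with the P12 private key) and the HTTPS call to the token endpoint are deliberately left out so the script runs offline.

```python
import base64
import json
import time
from typing import Iterable, List

# Constructed sample values (assumptions, not the driver's configuration).
SERVICE_ACCOUNT = "idm-driver@example-project.iam.gserviceaccount.com"
ADMIN_TO_IMPERSONATE = "admin@testdomain.org"
AUTHORIZED_DOMAINS = ("testdomain.org",)
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"   # Google's OAuth 2.0 token endpoint
DIRECTORY_SCOPES = (                                     # examples; use DirectoryScopes.txt
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
)
MAX_ASSERTION_LIFETIME = 3600   # Google caps a service-account assertion at one hour
SKEW_TOLERANCE = 300            # assumed tolerance for the clock check below


def b64url(data: bytes) -> str:
    """JWT-style base64url encoding without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claim_set(now: int, lifetime: int = MAX_ASSERTION_LIFETIME) -> dict:
    """Claim set of the service-account JWT (Google's JWT bearer flow).

    iss: the service account; sub: the admin it impersonates (domain-wide
    delegation); scope: must be covered by the API client access granted in
    the Admin Console; iat/exp: stamped with the IDM server's clock."""
    return {
        "iss": SERVICE_ACCOUNT,
        "sub": ADMIN_TO_IMPERSONATE,
        "scope": " ".join(DIRECTORY_SCOPES),
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + lifetime,
    }


def unsigned_jwt(claims: dict) -> str:
    """header.payload portion of the assertion; the RS256 signature made with
    the P12 private key would be appended as a third segment."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )


def check_clock(claims: dict, reference_time: int, tolerance: int = SKEW_TOLERANCE) -> List[str]:
    """Problems Google's token endpoint would see, given its own (correct) clock.

    reference_time stands in for real-world time; claims['iat'] carries the
    IDM server's time, so a skewed server shows up here before it shows up as
    an opaque 401 in the driver trace."""
    problems = []
    skew = claims["iat"] - reference_time
    if skew > tolerance:
        problems.append(f"iat is {skew}s in the future: IDM server clock is ahead")
    if claims["exp"] <= reference_time:
        problems.append("assertion already expired: IDM server clock is far behind")
    if claims["exp"] - claims["iat"] > MAX_ASSERTION_LIFETIME:
        problems.append("lifetime exceeds one hour")
    return problems


def classify_permission_error(target_email: str, authorized_domains: Iterable[str]) -> str:
    """Separate the expected permissions error on an object outside the
    authorized domains (a data problem in eDirectory) from one that points at
    the OAuth setup itself."""
    domain = target_email.rpartition("@")[2].lower()
    if domain in {d.lower() for d in authorized_domains}:
        return "credential"   # object is in an authorized domain: look at the OAuth setup
    return "data"             # foreign or malformed domain: fix the email address, not the driver


if __name__ == "__main__":
    now = int(time.time())
    claims = build_claim_set(now)
    print("assertion (unsigned):", unsigned_jwt(claims)[:60], "...")
    print("clock problems:", check_clock(claims, now) or "none")
    for addr in ("mytestuser@testdomain.org", "mytestuser@testingdomain.org"):
        print(addr, "->", classify_permission_error(addr, AUTHORIZED_DOMAINS))
```

Running it against the real server clock (the `reference_time` argument) with a value taken from a trusted NTP source is the offline equivalent of step 1; the domain classifier reproduces the Note's `testingdomain.org` case, which is a data error rather than a credential error.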