Guidance needed to provision complex attributes (e.g., externalIds) to Google Workspace via SailPoint ISC connector

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hey Sailors,

I’m encountering the same situation as that described here and I’d like to know if anyone can share how to configure the “Account Schema” to manage those complex attributes.

P.S. I’ve also checked the official documentation here but as no examples are provided, I couldn’t work it out.

Thank you for your help. :folded_hands:

Link1: https://developer.sailpoint.com/discuss/t/google-workspace-provision-externalids/19963

Link2: https://documentation.sailpoint.com/connectors/g_suite/help/integrating_g_suite/complex_provisioning_pol.html

2

Hey peers :waving_hand: ,

Don’t hesitate to ask any question if you need more information.

Thanks :folded_hands:

3

From my understanding, the connector expects externalIds to be a list of strings, where each string is a JSON object.

Navigate to: Admin > Connections > Sources > [Your Google Workspace Source] > Account Schema.

Add New Attribute (or edit externalIds if it exists):

Name: externalIds (Must match the Google API field name exactly).

Type: string

Multi-Valued: Yes

Entitlement: No (unless you specifically want to govern it).

In your “Create” provisioning policy, you must generate the value as a JSON String.

Attribute: externalIds

Value Calculation: You need to construct the JSON string. You can use a Velocity Template or a Rule to build this string dynamically.

Example JSON Format (Single Value): If you are assigning one ID, the output of your transform/script for this attribute should be a single string looking like this:

JSON

{“value”: “1001”, “type”: “organization”}
Example JSON Format (Multiple Values): If the user has multiple external IDs, your transform should return a List of strings.

String 1: {“value”: “1001”, “type”: “organization”}

String 2: {“value”: “5678”, “type”: “account”}

Provisioning Policy Logic (Velocity Example):

#if($identity.employeeNumber)
{
  "value": "$identity.employeeNumber",
  "type": "organization"
}
#end

When the attribute is marked as Multi-Valued in the schema, the SailPoint connector automatically knows to wrap the values you provide into a JSON Array ([…]) when sending the request to Google’s API. If you do not mark it as multi-valued, the connector may try to send it as a single string object or fail to format the API request correctly, leading to the issues described in the forum posts.

I haven’t had the chance to test this as I don’t have a google workspace environment currently.

4

Hey @ts_fpatterson ,

Thank you for your detailed response. I’ll try it out and let you knwo asap.

5

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.