Obtaining organization unit from Google Auth

My users in Google App are already assigned to organization units.

Ideally I would like to automatically map this organizational unit to a set of roles. I’m using the authorization extension and it has some automapping feature but that seems fairly limited, so some rules is probably more flexible maybe. It is however not clear how the automapping feature is working and what incoming field it is using (short of diving into the code to figure that out)

I’m not sure if this information is actually exchanged during google auth, I do not seem to see any extra field when I look at the logs for Success Login events.

1 Like

As you mentioned going for a custom rule would give you ultimate flexibility and control on how to achieve the mapping, however, the first thing to have any sort of mapping is to have the source data available.

I believe the organization unit will not be returned by default from Google, but you can confirm this by performing a login with an applicable user and then on the dashboard inspect it’s Raw JSON and look for the data in question.

If the data is not available which is likely according to a quick google search, you may need to check the Google docs on how you can obtain this information. Again from a quick search there’s this somewhat old (so things may have changed) SO answer that points to the need to use a service account:

There is no API call for a user to determine their own group membership or org unit. (…) You might consider creating a delegated admin account that has only rights to read groups and org units via the API (…)

If the above still proves to be true then you may want to start with Perform G Suite Domain-Wide Delegation of Authority which gives instructions on how to configure a service account to access this information. You could then either do the call do the Directory API directly from rules or though your own broker API. Having obtained the source data, you could apply your own mappings and call the authorization extension API to configure the user accordingly.