In Google Apps, there is always a base/primary organization. But Google Apps can have subdomains and suborganizations both (or combination of those).
We want to be able to identify the currently logged-in user as being part of the overall organization, whether it be the primary org/domain or some subdomain or suborg. But when you get user info or license info, it returns the home domain of the currently logged in user as the ID for their organization. No ID is consistent across all subdomains or suborgs.
I've also tried listing all orgs using the organization apis, but that doesn't seem to work when trying to get the org info of the root org: https://developers.google.com/admin-sdk/directory/v1/guides/manage-org-units
Is there a way, given a particular Google Apps user, to determine what the primary organization is?
The only alternative we have is to treat every domain/subdomain in the Google Apps org as it's own independent org. This is less than ideal because now a Google Apps admin who manages all of their sub-orgs/subdomains in one place in Google will now have to manage a separate organization in our app for each domain in their overall org. This uses up extra resources in our system for creating these additional orgs, but more importantly creates a very confusing organization/user management model.
When you look at the Users resource for the two users, compare the customerId attribute. If they match, the two users are in the same Google Apps account. If they don't they're not.
Also, don't assume two logged in users are in the same Apps account. One could be an Apps account and one could be a consumer account even though they have the same SMTP domain.
Related
I asked this question on the github community support forum, but I'll ask this here too since no reply there...
I am trying to setup a Github App to give some scripts limited Admin rights to some repos in an Organisation. The Organisation is (I believe) under an Enterprise account - we are using this currently instead of having an Enterprise server. I have created the App, transferred it to the Organisation, and one of the Organisation Admins (which I an not) has set me as the manager. So far so good. However, although I can see the App in the Organisation Settings, there is no “Install App” button. Also trying to use it in scripting gives 401 (A JSON web token could not be decoded) errors trying to get hold of a “PAT” for the app - even though the Admin has installed it into the app.
There is obviously something wrong but I’m at a loss. Does anybody know of some extra logs that can be looked at or have a suggestion on how to approach this. We’ve tried deleting the app and retrying - no different. I should say this is the third app I’ve created for transferring into the organisation this way - so far it has just worked.
We raised a support ticket on this so got a formal answer. I thought it might be useful to replicate the key part of the answer here. Essentially the issue is the fact this App has Admin rights. I am an Administrator on some of the repos, and am "App Manager" for this App, but I am not an Owner of the Organisation.
I quote:
"""GitHub App permission requests [control] access to a number of organization REST API endpoints... As these endpoints are outside the individual repository scope, only the organization owner can approve requests to add or change them. If this wasn't the case, App Managers who aren't organization owners would be able to grant an application the ability to view organization members and teams - which is private organization information that can otherwise only be granted by organization owners via inviting new organization members."""
Basically that is it. The original idea was to allow a central place to set some things that only an Administrator could set in a repo - c.f. branch rules. Seems that this can't be done as is with an App - the system just isn't flexible enough.
The alternative, which I know works, is to use the PAT of a user with Admin rights. That just feels less secure.
I'm using GSpread to download data from Google sheets and store them in a Postgres DB for different organisations.
Unfortunately one organisation has activated G Suite's strict sharing setting which makes it impossible for users to share documents outside their organisation.
This affects my ability to share Google sheets in this organisation with service accounts which are required for GSpread.
Note: I created the service account within the respective organisation and also already delegated domain-wide authority to the service account.
Any idea on how to share the Google sheet with the account?
I'm at the early days of looking into IdentityServer v3 and IdentityManager, as I'm certain those guys are more clued up than I, but I cannot see how to configure the IdentityManager.
If we're deploying IdentityManager to a client, all the client want to do is "standard admin type stuff", such as
create users
unlock accounts (e.g. after 3 failed login attempts)
suspend accounts (not paid your bill, tut tut...)
delete users
..rather than amend claims, roles and suchlike (presumably these would be hidden from the Administrators).
What am I missing?
Or, is the IdentityManager supposed to be used by the implementation team installing the thing, and then the business administrators who deal with the topics listed above actually don't use IdentityManager at all, but a separate admin site we have to write? As far as I can make out all the pages, htm letc is within the nuget package so cannot be amended by me.
If it makes any difference, we're trying to create a public facing website that can be logged into, but the users are only created by the company, whose admin site to create & administer the users is IP restricted / not public facing.
Identity Manager is aimed at developers and internal administrators for testing and initial configuration purposes, as opposed to end users.
Check out https://vimeo.com/125426951 by the repo's author. I think it's explicitly stated at around the 1 minute mark. It's mentioned on the Github issue tracker quite frequently too.
Also, it's not that extensible yet, so you won't be able to brand it or remove sections (such as your requirement of no claims).
I've created an iOS Developer individual account because I want to upload an application that I've got developed from another developer. I want to allow the other developer to upload the application to my profile.
Can I manage users and add him as an admin to my iTune Connect? Is this facility available only for company accounts?
I saw this which says "You are the only one allowed access to Program resources." under individual registration.
http://developer.apple.com/enroll/selectEnrollmentType.php?t=nm
Only company accounts can allow multiple users.
Edited: This is based on experience. If you register as a company you can add additional accounts (via the Member Center). If you sign up as a user, you can only have a single account for logging into iTunes Connect.
This is what it means by "You can add additional developers to your team who can access Program resources." under the Company column on that select enrollment type page.
You can also add team members in an individual license. I am enrolled in the iOS and Mac OS program and have added two of my friends to work together with me on an app. The UI shows that this is the way it should be (in the upper right corner is written "Florian Pilz, Florian Pilz", whereby the first name is the name of the team agent [me] and the second name is the name of the user currently logged in [me in my case, another in the case of my friends]).
So there are definitely many tutorials out there regarding how to integrate various individual social network authentication/registration into existing user accounts. But the scenario I can't seem to find out much information about is if a user signs into your account with different social network credentials. For example:
Scenario #1
User registers on site using site's authentication.
User then signs in/registers on site using Facebook Connect.
User then signs in/registers on site using Twitter.
How do I integrate all of these into one account?
Obviously once a user is registered, they can add other social network associations in the account settings pages. But I am more concerned if they register via the other social network not remembering they are already setup.
My general thoughts are trying to figure out a way to use the "username" or email to try and guess and present the user a way to combine accounts right there.
Anyone have any thoughts?
following up -
if your users can't remember that they've signed up previously, well, best of luck to them in general ;)
much as you described, i'm planning on giving users the option to link additional accounts once they have signed in by one means or another.
but as far as cross-checking, there's only so much you can do. many social network APIs do indeed provide email addresses (once you've busted in through OAuth) but these may be accessible only if a user has elected to make his/her address public, which is not guaranteed.
also not guaranteed is that the user used the SAME email address for each social network account, so even if you manage to retrieve an address it may or not be of any use to you.
finally, if you find matching email addresses via such means, it might be advisable to prompt the user to link accounts rather than assume he/she wants this done automatically. some people like to maintain multiple personalities. i.e. "it looks like you are also signed up with twitter - do you want to link your accounts? it will make your life seem worth living."
you might consider offering incentives to link user accounts or to provide an email address (up to you of course to figure out what these might be, based on the functionality of your website).
solution i am working on, database-side, is to maintain multiple accounts and then if link information is discovered by various means, said link is indicated in a lookup table.
an alternative is once you find a link, attempt to combine all relevant entries for the multiple accounts into one account entity - all i can say about this latter approach is that i would do so with caution as there could be a formidable level of complexity depending on the user's activity level and the complexity of your database schema.
in my (mental/actual) namespace a user who registers the old-fashioned way has a 'standard' account and one who uses a social network has an 'alias' account. then the goal becomes to define where the alias is supposed to point, i.e. create the lookup such that a subsequent login via either means retrieves the relevant information for both accounts (with a preference for displaying personal data for the 'standard' account).
btw i figured out how to make twitter OAuth behave since my last post - you can look at my other answers for details if you're interested.
JB
hi matt,
i'm working on the same problem right
now.
assuming the user starts with regular
site account (which is not
necessarily safe to assume if he sees
all the pretty "connect with XXX
network" buttons!!!), you can use
either OAuth or the javascript APIs
(facebookConnect or #anywhere -
haven't fully figured out the latter
yet and i'm not sure I recommend it as
I don't think it provides as rich an
API as do the backend libraries) to
login to the other sites.
the APIs should return certain
information after a successful
login/redirect from the social network
- such as the user ID and an ACCESS TOKEN which you can then store in your
database in some capacity associating
your 'actual' application user with
the ID of the social network.
when the user returns to the site, you
can then
1 verify cookies set by the social
network services (various schemes
typically verifying a signature, based
on sha1 or md5 hash of your
application data - by which i mean the
data you get when you register your
app with twitter/facebook, typically a
consumer key, application ID, etc. -
with the received cookies) so you know
the user has logged in with the social
network
2 find your database entry association
as described above
3 login your user manually based on
the assumption that facebook/twitter
connection is secure.
caveat: this is only as secure as your
implementation (or as secure as
facebook/twitter's implementations, if
you prefer...)
although twitter's OAuth does not
currently seem to work quite right,
their general description of the
process is pretty informative:
http://dev.twitter.com/pages/auth
good luck.
J
I have been contemplating adding FB auth to our app, but we know that our returning users might click it and complete checkout for a new item, and then be surprised to not see any of their existing orders. To solve this, when a user clicks the 'Login with Facebook' item, we are using that click to fire a dropdown menu with two options:
[ Login with Facebook ]
[ Create new account ]
[ I have an account ]
If the user clicks 'I have an account' we send them to FB auth and return email from FB to our app. We compare that email to our existing users. If we match, we add the FB creds to the user. If no match, we throw an alert:
The email you have with FB does not match any of our accounts. To log in to your existing account, login with your email below, or update the email in your Facebook account
This allows the user to create a whole new account, if they want to keep them separate, without needing a new email service. While this is an edge case, it is a feature.