Google Workspace Provision Accounts
About Google Workspace Provisioning Accounts
Through an application programming interface (API), Campus Cafe can request that accounts (usernames and passwords) be created in Google Workspace when created in Campus Cafe.
The API supports creating users associated with as many as four Campus Cafe permission groups. The common use case is to create accounts for applicants, students, alumni and parents based on their Campus Cafe permission groups; however, any four groups could be configured for use.
Within the four groups, the API supports directing them to different Google organizations, including a specific organization for users under the age of 18. That organization may restrict those users from certain Google services for compliance with rules regarding adolescents.
Each time a Campus Cafe user has a permission group assigned or changed, the API will attempt to create an account in Google Workspace provided the user is being associated with an eligible permission group and does not already exist in Google Workspace. The API checks for the existence of the user by matching the user's Campus Cafe ID number to the Google Workspace Employee ID.
Prerequisites
Configure Google Workspace
Create Service Account User
This account will be used to authorize the connection between Campus Cafe and Google Workspace. Campus Cafe recommends creating a service user not tied to a specific individual. Refer to Google's documentation for creating an account.
Create Project
Navigate to https://console.cloud.google.com/home/dashboard
Click Create Project
Enter a Project name (e.g. CampusCafe), select the organization in which to apply the connection and a location in which to apply the connection.
Click Create
Create service account for project
Go to Google Cloud Platform
From Menu go to IAM & Admin>Service Accounts
Select Campus Café Project (if not already displaying)
Click ‘Create Service Account’
Set name to CampusCafe
Save, Done
Edit service account just created
Show Domain-Wide Delegation
Check ‘Enable G Suite Domain-wide Delegation’
Save
Create key for service account
Actions>Create key
Select Key type of JSON
Save the key to a safe place (you will need values from this key when configuring Campus Cafe)
Activate API for use in project
Go to Google Cloud Platform
Menu>API & Services>Dashboard
Click on link ‘+ENABLE APIS AND SERVICES’
Find Admin SDK under category G Suite
Click panel and then click enable button
Authorize service account to use API
Copy Client ID from service account (click View Client ID link)
Go to https://admin.google.com
Menu>Security>API controls
Click ‘MANAGE DOMAIN WIDE DELEGATION’
Add new
Paste Client ID from Service account
Set Scopes to: https://www.googleapis.com/auth/admin.directory.user
Save
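How the pieces configured above fit together, as an added example that is not Campus Cafe's code: it checks the fields of the downloaded JSON key and builds the JWT that a service account with domain-wide delegation signs and exchanges at Google's token endpoint. Anyone holding the key file can produce this assertion for the delegated scope, which is why the key belongs in a safe place. The key values, the admin address passed as `admin_email`, and the function names are constructed for illustration.

```python
# Added example (not Campus Cafe code). All sample values are constructed.
import base64, json, time

TOKEN_URL = "https://oauth2.googleapis.com/token"
SCOPE = "https://www.googleapis.com/auth/admin.directory.user"  # scope set above

SAMPLE_KEY = {  # shape of the downloaded JSON key; placeholder values only
    "type": "service_account",
    "client_email": "campuscafe@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}

def check_key_file(key):
    """Return a list of problems found in a parsed service-account key file."""
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    for field in ("client_email", "client_id", "private_key"):
        if not key.get(field):
            problems.append("missing " + field)
    pem = key.get("private_key") or ""
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key does not start with the BEGIN marker")
    if pem and not pem.endswith("-----END PRIVATE KEY-----\n"):
        problems.append("private_key does not end with the END marker and newline")
    return problems

def delegation_claims(key, admin_email, now=None, lifetime=3600):
    """Claim set of the JWT a delegated service account sends to the token endpoint."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],  # the service account itself
        "sub": admin_email,          # Workspace admin being impersonated
        "scope": SCOPE,              # must be authorized for client_id in Admin console
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + min(lifetime, 3600),  # assertions are valid for at most one hour
    }

def signing_input(key, admin_email, now=None):
    """header.claims, base64url-encoded; signing this with RS256 gives the assertion."""
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": key.get("private_key_id", "")}
    return b64url(header) + "." + b64url(delegation_claims(key, admin_email, now))
```

The RS256 signature over `signing_input` is made with `private_key` and needs an RSA library, so it is left out here; the signed assertion is posted to the token URL with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`.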
Configure Campus Cafe
Set Username Format
Campus Cafe will create a username for applicants following a naming convention specified.
Navigate to Admin > Custom Control
Locate ProgramID SYUSUNAME
Next to SYUSUNAME Sequence 1, Parameter 1 click the pencil
In Parameter 1 enter a value to determine the username naming convention. If a username already exists, the system will follow the pattern and append a 01, 02, 03, etc.
[empty/blank] = username will be first character of first name + last name
L = Username will be last name + first character of first name
I = Username will be Campus Cafe ID number
LUF = Username will be last name underscore first name
FUL = Username will be first name underscore last name
FIMIL = Username will be first initial + middle initial + last name
FDL = Username will be first name period last name
FL = Username will be first name
NL = Username will be first character of nickname + last name
NDL = Username will be nickname period last name
Click Save
Set Password Format
Campus Cafe will assign a default password to the user, which will be passed to Google. Once the Google account is created, the user should change the password in Google, not Campus Cafe.
Navigate to Admin > Custom Control
Locate ProgramID SYUSPASS
Next to SYUSPASS Sequence 1, Parameter 7, click the pencil
Set Parameter 7 to Y to activate Parameters 8 and 9
In Parameter 8 enter a value to determine the default password
[empty/blank] = password set to person's ID number, or
S = password set to the last four digits of the person's Social Security number + date of birth (date of birth format is CCYYMMDD)
To prepend the password with a fixed set of characters/numbers/symbols, enter that string in Parameter Value 9. This is useful if your SSO requires certain password complexity rules and you wish to ensure each password meets those rules. For example, if "Pie" is entered in Parameter Value 9 and Parameter Value 8 is set to S the user's password would be Pie123420200510 where Pie is the prefix, 1234 is the user's last four digits of their SSN and 20200510 represents the person's birthday.
In Parameter Value 6 enter Y to force the individual to log in using single sign on
Click Save
Domains
The Campus Cafe API supports single and multiple domains.
Set default domain
This option is for institutions that utilize only one domain. The domain will automatically append to a username when the username is authenticated through SSO. It will not be appended to the actual username itself.
Navigate to Admin > Web App
Locate Parameter LOGIN_UPN_DOMAIN
In the Value box enter @ and then the domain name (for example @myschool.edu)
Set domain manually
When created manually, a domain can be included in the username itself. This always takes precedence over any automated rules.
Navigate to Admin > Permissions
Click Lookup Person
Look up the individual to assign a username
In the username box enter the username including the domain
Click Save
The domain field can also be updated manually.
Unique usernames
If you have more than one domain and want to keep usernames unique across all domains, then keep the domain in the domain field and out of the username field. The username field cannot have duplicate values.
If you want the domain to be part of the username field, the following option will append a domain to the username at the time the username is created by the system.
SYUSSTMAIL in 1-4 enter a Y if you want the domain (value in SYUSSTMAIL-1-4) to be appended to the username. Enter N if using multiple domains or you do not wish the domain to be appended.
System managed domains
This option is for institutions that have multiple domains. Using the 4 org unit maps (GOOGLE_ORG_UNIT_ALUM, GOOGLE_ORG_UNIT_PARENT, GOOGLE_ORG_UNIT_PROSPECT, GOOGLE_ORG_UNIT_STUDENT) in Web App Config you can supply a default domain for each mapping. The default domain field will be updated in Campus Cafe automatically as a user's permission group changes. A change to the domain in this case will also change the primary email in Google. Mapped domains will only be changed if the existing domain is a valid mapped domain.
Campus Cafe Permission Group - Google Org Unit mappings
There are 4 mappings (GOOGLE_ORG_UNIT_ALUM, GOOGLE_ORG_UNIT_PARENT, GOOGLE_ORG_UNIT_PROSPECT, GOOGLE_ORG_UNIT_STUDENT) defined by the Connection Web App Configurations. The mappings allow you to specify which Campus Cafe groups map to Google org units. When a user's group permission in Campus Cafe is changed to one of these mapped values, Campus Cafe checks the user account in Google to see that it exists and has the mapped org unit. If the account does not exist, it is created in Google. If it exists but the org unit does not match the mapped org unit, then the org unit in Google is changed.
Mapping Tips
There are options for 4 mappings available in Web App Config but you do not need to use them all. Only complete the mappings you need and leave the rest empty.
Org units will only be changed for a Google user's account if its existing org unit is an org unit defined in one of the other mappings. This allows you to change a user's org unit to a non-mapped org unit - knowing the system will not undo your change.
Connection Web App Configuration
Navigate to Admin > Web App
In the Search box enter Google
Configure the parameters below
Parameter | Value |
GOOGLE_API_EMAIL | The email address that will receive notification of errors |
GOOGLE_API_SET_RECOVERY_PHONE | A value of Y will set the recoveryPhone for the Google account to be the mobile phone number in Campus Cafe. This is only done when the integration is creating a new account in Google. |
GOOGLE_CUSTOMER_ID | The Google Customer ID from the Google Admin Profile |
GOOGLE_ORG_UNIT_ALUM | The path to the Google organization to which alumni age 18+ will belong followed by "||" followed by the path to the Google organization to which alumni under age 18 will belong followed by "||" followed by the Campus Cafe permission group followed by "||" followed by the optional domain. For example, say alumni belong to Campus Cafe permission group "ALUM" with those 18+ going into the Google organization "Alumni/alumadult" and those under 18 going into the Google organization "Alumni/alumchild" and your alumni domain alumni.ismyschool.edu |
GOOGLE_ORG_UNIT_PARENT | The path to the Google organization to which parents age 18+ will belong followed by "||" followed by the path to the Google organization to which parents under age 18 will belong followed by "||" followed by the Campus Cafe permission group followed by "||" followed by the optional domain. |
GOOGLE_ORG_UNIT_PROSPECT | The path to the Google organization to which prospects age 18+ will belong followed by "||" followed by the path to the Google organization to which prospects under age 18 will belong followed by "||" followed by the Campus Cafe permission group followed by "||" followed by the optional domain. |
GOOGLE_ORG_UNIT_STUDENT | The path to the Google organization to which students age 18+ will belong followed by "||" followed by the path to the Google organization to which students under age 18 will belong followed by "||" followed by the Campus Cafe permission group followed by "||" followed by the optional domain. |
GOOGLE_SERVICE_ACCT_CLIENT_EMAIL | Service account client email from the key file you saved when configuring Google Workspace. |
GOOGLE_SERVICE_ACCT_IMPERSONATE_USER | This is the Google account (full email address of user) the connection will impersonate when provisioning accounts. The account must have access in Google to create Google user accounts and assign them to organizations. Permissions required are: Groups Admin, User Management Admin, Services Admin, and Groups Editor |
GOOGLE_SERVICE_ACCT_PRIVATE_KEY | The Google private key from the key file you saved when configuring Google Workspace. Must include -----BEGIN PRIVATE KEY----- at the start and -----END PRIVATE KEY-----\n at the end |
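The "||"-delimited GOOGLE_ORG_UNIT_* values and the create/move/leave-alone rules from the mapping sections, worked through as an added example that is not Campus Cafe's code. The configuration values are constructed (the alumni entry assembles the names used in the table's example; the student entry is invented), and the function names and action labels are hypothetical.

```python
# Added example (not Campus Cafe code); config values below are constructed.
from dataclasses import dataclass
from typing import Optional

CONFIG = {
    "GOOGLE_ORG_UNIT_ALUM": "Alumni/alumadult||Alumni/alumchild||ALUM||alumni.ismyschool.edu",
    "GOOGLE_ORG_UNIT_PARENT": "",      # unused mappings are left empty
    "GOOGLE_ORG_UNIT_PROSPECT": "",
    "GOOGLE_ORG_UNIT_STUDENT": "Students/adult||Students/minor||STUDENT",
}

@dataclass(frozen=True)
class Mapping:
    adult_ou: str            # org unit for users age 18+
    minor_ou: str            # org unit for users under 18
    group: str               # Campus Cafe permission group
    domain: Optional[str]    # optional default domain

def parse_mapping(value):
    """Parse 'adultOU||minorOU||group[||domain]'; an empty value means unused."""
    if not value.strip():
        return None
    parts = [p.strip() for p in value.split("||")]
    if len(parts) not in (3, 4) or not all(parts[:3]):
        raise ValueError("malformed org unit mapping: %r" % value)
    domain = parts[3] if len(parts) == 4 and parts[3] else None
    return Mapping(parts[0], parts[1], parts[2], domain)

def load_mappings(config):
    return [m for m in map(parse_mapping, config.values()) if m]

def plan(mappings, group, age, current_ou):
    """Decide the action for a user whose permission group was just set.
    current_ou is None when no Google account matches the Campus Cafe ID."""
    match = next((m for m in mappings if m.group == group), None)
    if match is None:
        return ("ignore", None)              # group is not mapped
    target = match.adult_ou if age >= 18 else match.minor_ou
    if current_ou is None:
        return ("create", target)
    if current_ou == target:
        return ("unchanged", target)
    # Assumption: any org unit named in a mapping counts as system managed.
    managed = {ou for m in mappings for ou in (m.adult_ou, m.minor_ou)}
    return ("move", target) if current_ou in managed else ("keep", current_ou)
```

The "keep" result is the case from Mapping Tips: an account an administrator placed in a non-mapped org unit is not moved back.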
Configure automated email to notify student of their username and password upon successful provisioning
Custom Control WEBCRDEML (Admin Menu -> Custom Control)
WEBCRDEML Sequence 1, Parameter 1 controls whether or not the system will send an automated, mergeable email to the student to notify them of their username, password (created in SYUSPASS 1:7-9) and the login URL for the SSO login. Setting WEBCRDEML 1:1 to Y, in conjunction with Web App value SSO_PROVISIONING_EMAIL_ADDRESS (see below), allows the email to go out.
WEBCRDEML 1:2 defines a support email contact that can be merged into the body of the notification email for login questions.
Web App SSO_PROVISIONING_EMAIL_ADDRESS (Admin Menu -> Web App)
SSO_PROVISIONING_EMAIL_ADDRESS is the email address that will send out the automated email. This value must be set for the email to send. Without it, the email will not send, even if WEBCRDEML 1:1 = Y.
Adjustable Text SSO_PROVISIONING_EMAIL_BODY (Admin Menu -> Adjustable Text)
SSO_PROVISIONING_EMAIL_BODY is an HTML-ready value that defines the body of the email that can be sent out. It accepts the following merge fields in the body of the email:
[[LOGIN_URL]] - this is hard-coded as https://***-web.scansoftware.com/cafeweb/loginsso (where *** is the 3-character code for your institution's Campus Cafe url)
[[USERNAME]] - this is taken from the database value for the user
[[PASSWORD]] - this is defined by SYUSPASS 1:8 and 1:9
[[CONTACT_EMAIL]] - this is defined by Custom Control WEBCRDEML 1:2