Synchronizing User Accounts with Google Apps

In addition to adding users manually as described in chapter User Management, MailStore Server can synchronize its internal user database with the Google Apps account of your organization.

During synchronization, user information, such as user names and email addresses, is copied from the Google Apps account into MailStore Server's user database. That way, users can use their Google Apps account credentials to also log on to MailStore Server and emails can be assigned to their corresponding user archives automatically, for example. No changes are made to the Google Apps account itself by MailStore Server. The scope of the synchronization can be limited through filters.


Prepare the Google Apps account

In order to synchronize accounts information from Google Apps, MailStore Server requires a service account which has been granted permission to access the Google Apps account. This same service account is later used for archiving email from Google Apps.

Creating a Project

Before MailStore is able to connect to Google Apps accounts a project has to be created. In Google's terminology, a project is the collection of all settings, credentials and meta data of an application that uses Google Developer APIs or Google Cloud resources.

  • Go to the Google Developers Console.
  • If prompted, login using a Google Account with administrative rights.
  • Select Create a project… from the Select a project drop-down list.
  • Name the project, e.g. MailStore API Access and click Create.
  • Once the project has been created, the Google APIs Library is shown.
  • In the library, enable Admin SDK and Gmail API.
  • In the dashboard, disable any other APIs that have may been enabled automatically during project creation.
  • In Credentials, select Service account key from the Create credentials drop-down list.
  • Select New service account from the Service account drop-down list.
  • Enter a name for the service account key. The service account does not need permissions on project level, therefore do not select a role.
  • Select the P12 key type and click on "Create.
  • Save the P12 file (e.g. MailStore API Access-e035d2ad4f35.p12) to a folder on the MailStore Server.
  • Close the Service account created dialog. MailStore Server does not require the private key password (i.e. notasecret)
  • Click on Manage service accounts.
  • Click on the ellipsis drop-down list (︙) and select "Edit".
  • In the "Edit service account" dialog, check the box Enable Google Apps Domain-wide Delegation.
  • If requested, enter MailStore as Product name for the consent screen.
  • Click on Save.
  • Click on View Client ID and note the client ID and the email address shown for use in the next step.

Grant access to the required APIs

Once created, grant the project access to the APIs used by MailStore Server's Directory Services module.

  • Go to your Google Apps domain’s Admin console.
  • Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
  • Select API reference from the list of options.
  • Enable the API access and save the changes.
  • Select Advanced settings from the list of options. If this section is not visible, click on Show more first.
  • Select Manage API client access in the Authentication section.
  • In the Client name field enter the service account's Client ID (e.g. 108878593494909748351).
  • In the One or More API Scopes field enter the following scopes:
    https://mail.google.com/, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly
  • Click Authorize.

Accessing Directory Service Integration

  • Log on to MailStore Client as a MailStore Server administrator.
  • Click on Administrative Tools > Users and Archives > Directory Services.
  • In the Integration section, change the directory service type to Google Apps.
Gapps sync 01.png


Connection to Google Apps

For synchronization MailStore Server requires information on how to connect to the Google Apps.

  • Service Account
    The email address provided by the Google Apps Project (e.g. 1047453716425-4l533u425bp2m3lfp0c23ntf8mghlbmb@developer.gserviceaccount.com).
  • User Name
    The email address of a Google Apps Administrator (e.g. [email protected]).
  • Certificate
    To import, select the P12 file which was provided for downloading when creating the project.

User Database Synchronization

After configuring the connection settings as described above, you can specify filter criteria for the Google Apps synchronization in this section.

  • Sync only these groups
    Choose one or several Google Apps groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.

Options

  • Automatically delete users in MailStore Server
    Here you can choose whether users that have been deleted in the Google Apps Account will also be deleted in the MailStore Server user database by the synchronization. Users will also be deleted if they fall out of scope of the configured settings.
    Only MailStore Server users that have their authentication method set to Directory Services will be deleted.
    If the archive folder of such a user already contains archived emails, only the user entry but not its archive folder will be deleted in MailStore Server.

Assigning Default Privileges

By default, users that have been synchronized to MailStore Server from Google Apps Account have the privilege to log on to MailStore Server as well as read access to their own user archive.
You can configure those default privileges before synchronization, for example, to assign the privilege Archive E-mail to all new users. To do this, click on Default Privileges...
More information on managing user privileges and their effects is available in the chapter Users, Folders and Settings which also has details on editing existing privileges.

Running Directory Services Synchronization

Click on Test Settings to check synchronization configuration and the results returned by the Google Apps Account without any changes to the MailStore Server user database being actually committed.

To finally run the synchronization, click on Synchronize now. The results are shown with any changes committed to the MailStore Server user database.

ApplicationIntegration sync 02.png

Login with Google Apps Account Credentials

After synchronization MailStore users can log on to MailStore Server with their Google Apps Account username and Google Apps Account password.

Retrieved from "https://help.mailstore.com/en/server/index.php?title=Google_Workspace_Integration&oldid=5363"