If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to add a new SkyFormation Google Apps Cloud App Connector to your SkyFormation Platform.
Prerequisites
- Allow access to all *.skyformation.net addresses over SSL from the desktop
that the Google Apps admin will use to on-board the SkyFormation Google Apps
connector (only needed for the on-boarding process)
How to validate:
(1) Open a browser
(2) Go to https://auth.skyformation.net
(3) You should see a blank page, with an HTTP 200 OK response shown in the browser's network view
- Make sure your G Suite edition is either Business or Enterprise
(should be done by a G Suite administrator)
To validate this, browse to the Google Apps admin console at https://admin.google.com, navigate to
the Billing tab, and look for the indication below:
For more about the Google Apps for Work editions, go to:
https://apps.google.com/intx/en/pricing.html
- Enable API access
(should be done by a G Suite administrator)
In the Google Apps admin console, go to Security->API reference and mark the option below
- Actions to take based on the cloud connector "Authentication Method" you will choose
The main difference between the two options is that with the "OAuth2" option a G Suite
administrator has to be involved interactively in the SkyFormation G Suite cloud connector
onboarding process. With the second option, "service-account", the G Suite administrator is
asked to prepare an authorization file and send it to the SkyFormation admin.
The SkyFormation admin then uses that authorization file when onboarding the
SkyFormation G Suite cloud connector.
(Authentication Method option I) "OAuth2"
Make sure a person with G Suite admin rights is present when onboarding the
SkyFormation G Suite cloud connector.
Explanation
The process of adding the connector involves an interactive step of authorizing the
SkyFormation G Suite cloud connector to communicate with the G Suite account and
retrieve the relevant logs, events and data for security monitoring.
(Authentication Method option II) "service-account"
A G Suite administrator will need to create a file (called "Service-Credentials-Json")
which authorizes the G Suite cloud connector (or anyone else who possesses it)
to communicate with the G Suite account and retrieve the relevant logs, events and data
for security monitoring.
To create the "Service-Credentials-Json" JSON file, ask the G Suite administrator to
follow the instructions at [Creating a "Service-Credentials-Json" file].
Send the resulting JSON file in a very secure way to the SkyFormation administrator,
so that it is available during the G Suite cloud connector onboarding steps described
below.
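A pre-flight check that either administrator could run on the "Service-Credentials-Json" file before and after it is transferred, as an added example that is not SkyFormation's own code. It assumes the file is a standard Google service-account key file (the field list is an assumption, not taken from this guide); the function names and sample values are hypothetical.

```python
import hashlib, json, os, stat, tempfile

# Fields of a standard Google service-account key file (assumed format).
REQUIRED = ("type", "client_email", "private_key_id", "private_key", "token_uri")

def check_credentials_file(path):
    """Return (problems, sha256_hex) for a Service-Credentials-Json file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:o} lets group/others access it; use 600")
    with open(path, "rb") as fh:
        raw = fh.read()
    digest = hashlib.sha256(raw).hexdigest()
    try:
        data = json.loads(raw)
    except ValueError:
        return problems + ["not valid JSON (truncated or altered in transit?)"], digest
    if not isinstance(data, dict):
        return problems + ["top-level JSON value is not an object"], digest
    for field in REQUIRED:
        if not data.get(field):
            problems.append(f"missing field: {field}")
    if data.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    key = str(data.get("private_key", ""))
    if key and not key.strip().startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems, digest

def demo():
    # Constructed sample; the key body is a placeholder, not real key material.
    sample = {"type": "service_account", "client_email": "connector@example-project.iam.gserviceaccount.com",
              "private_key_id": "0000", "token_uri": "https://oauth2.googleapis.com/token",
              "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(sample, fh)
    os.chmod(path, 0o644)          # deliberately too permissive
    loose, _ = check_credentials_file(path)
    os.chmod(path, 0o600)          # owner-only, as the file should be stored
    tight, digest = check_credentials_file(path)
    os.remove(path)
    return loose, tight, digest

if __name__ == "__main__":
    print(demo())
```

Sender and recipient can compare the returned SHA-256 value over a separate channel to confirm the file arrived unmodified; the check never prints the private key.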
Steps
1. Log on to your SkyFormation Platform:
2. Navigate via the left navigation panel to the "Settings" section
3. Navigate via the New Settings left navigation panel to the "Accounts" section
4. Click the "Add Account" button
5. At "SELECT SERVICE TO ADD", choose "Google Apps Google"
You will see the below screen:
5. Choose from the list the tenant to attach the connector to
e.g. "default-tenant"
6. Fill in the following information:
- Account Name
Give this Google Apps connector a name that is meaningful to you. This will become your cloud app
connector name displayed in the SkyFormation platform, and it is added as an identifier to all
events sent to your SIEM/Log/Splunk system.
e.g. "Corporate Google Apps platform"
- Description
Add any text that describes the specific cloud app connector's function and meaning for the
business.
e.g. "Corporate email and file sharing platform using Google Apps"
6. Choose the "Authentication Method" you would like the connector to use
"oauth2" / "service-account"
7.1 If you choose "oauth2" as the authentication method to use
- Authorize the cloud connector to communicate with the G Suite account
(should be done by a G Suite administrator)
Press the button
This opens a new window titled "Request for permission", which asks the Google Apps super
admin for permission to allow the SkyFormation connector to integrate with the Google Apps
application.
If you are OK with the permissions requested by the connector,
press "Allow" to grant the permissions.
Go to 8 when done
7.2 If you choose "service-account" as the authentication method to use
You should see a screen similar to the following:
- Fill in the Service-Credentials-Json
Copy the entire content of the JSON file created by the G Suite
administrator for the connector and paste it here
- Fill in the Admin-Username
Enter here the username of a G Suite administrator that the cloud
connector will use when communicating with the G Suite admin API.
8. Test the settings correctness
Press the "TEST CONNECTION" button
If a green OK sign appears as above, you have completed the onboarding successfully.
- Click "SAVE" button
9. Start the new connector
When a new cloud connector is added its default state is STOPPED.
To start it press its START button.
DONE !