1

I am capturing the logins of my org users into slack using google workspace admin reports API as mentioned in the doc here: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml#login_success

I want to identify the workspace that these users are login into. How can I identify this?

Here's the sample response that I get from the reports API:

{
  "kind": "admin#reports#activities",
  "etag": "\"SsISqFfgRYY11XaGpPyQF5FTf1EAwqUmKLMPaD85FHw/evu1UTmScwnBzMj7rPtBftM3N2k\"",
  "items": [
    {
      "kind": "admin#reports#activity",
      "id": {
        "time": "2022-05-25T17:51:08.913Z",
        "uniqueQualifier": "35251594669533645",
        "applicationName": "token",
        "customerId": "C02a9qd29"
      },
      "etag": "\"SsISqFfgRYY11XaGpPyQF5FTf1EAwqUmKLMPaD85FHw/U-RQigEfldlDShA5VdJAIizlnsQ\"",
      "actor": {
        "email": "vibhu@cloudeagle.ai",
        "profileId": "116721330888590133060"
      },
      "ipAddress": "18.206.76.246",
      "events": [
        {
          "name": "authorize",
          "parameters": [
            {
              "name": "client_id",
              "value": "606092904014-s1u3idjanlbhr4ns5b1hcjgfn63cr9nh.apps.googleusercontent.com"
            },
            {
              "name": "app_name",
              "value": "Slack"
            },
            {
              "name": "client_type",
              "value": "WEB"
            },
            {
              "name": "scope_data",
              "multiMessageValue": [
                {
                  "parameter": [
                    {
                      "name": "scope_name",
                      "value": "openid"
                    },
                    {
                      "name": "product_bucket",
                      "multiValue": [
                        "IDENTITY"
                      ]
                    }
                  ]
                },
                {
                  "parameter": [
                    {
                      "name": "scope_name",
                      "value": "https://www.googleapis.com/auth/userinfo.email"
                    },
                    {
                      "name": "product_bucket",
                      "multiValue": [
                        "IDENTITY"
                      ]
                    }
                  ]
                },
                {
                  "parameter": [
                    {
                      "name": "scope_name",
                      "value": "https://www.googleapis.com/auth/userinfo.profile"
                    },
                    {
                      "name": "product_bucket",
                      "multiValue": [
                        "IDENTITY"
                      ]
                    }
                  ]
                }
              ]
            },
            {
              "name": "scope",
              "multiValue": [
                "openid",
                "https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/userinfo.profile"
              ]
            }
          ]
        }
      ]
    },
}

I am wondering if it is possible to identify the slack workspace from the above response or would it need other API endpoints and parameters.

vibhu jain
  • 51
  • 3

1 Answers1

2

keep in mind SAML is an authentication method that allows a Service Provider such as Slack in this scenario, use Google credentials as Identity Provider (IdP). That being said once the Authentication flow is completed usually the IdP doesn't have any control or access to the app activity.

In other words once the login is completed Google is blind about what users do in the app interface.

For that reason I am afraid what you are trying to achieve is not possible. In the Google Reports API link you shared data you can obtain is limited to failed/successful login details.

Testing the call to the Reports API you can see there is no additional details useful to your purpose:

enter image description here enter image description here

Douglas Alfaro
  • 46
  • 4
  • Why the Client Id is different for some of the response data? Could that be related to workspace and if not what does it corresponds to? – vibhu jain Jun 09 '22 at 14:18