Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field

[ChrisPates]

Is your feature request related to a problem? Please describe.
To enable, other improvements the creation/update/delete of users and groups needs to be consistently carried out via the SCIM api endpoints and not mixed with the Identity Store API. This will allow sync entities to be differentiated from manually created users. The only partial exception would be where a manually created entity matches an entity to be synced, in which case it would be updated via the SCIM apis and switch from being a manually created entity to a synced one.

Dependancies
#141
#142

Tasks

Preview Give feedback

1. Read Users.Id & Groups.Id strings from google.golang.org/api/admin/directory/v1
2. createUsers & createGroups, populate externalId field with .Id string via SCIM
3. Prefer match. based on id and externalId, then fallback to email/name match
4. detect users/groups that match (email/name) in the Identity Store and update with the externalId
5. deletion handling - If Users/Groups with an externalId but it no longer matches an Id in google, but the email/name matches then update with new id, if no match then make for deletion.

[philomory]

Would having this implemented also avoid situations where the change of a group's "Display Name" in Google Workspace causes ssosync to delete its existing representation of that group and create a new group with the new name? I'm hoping the availability of externalId would prevent that?

[ChrisPates]

Yes, it would. Sadly the current code does not make use of the external id field and relies on the display name for groups and email address for users.