RapidIdentity Product Guide

Configure OAuth2 for G-Suite Adapter

Standard vs. Extended

As of version 4.1, the G-Suite Adapter supports two different forms of OAuth2 authentication. The original form (credential type GOOGLE, used with defineGoogleOAuthCredential()) is based on the Installed Applications scenario. For most deployments this form is the easiest to configure and use, and it is sufficient for most uses of the G-Suite Adapter.

The new form (credential type GOOGLE_EXTENDED, used with defineGoogleExtendedOAuthCredential()) is based on the Service Account scenario. While more difficult to configure and use, this form adds the flexibility to impersonate any user within the domain without needing explicit approval from each user. In conjunction with the new callGoogleAPI() action, this allows you to do things such as manage Calendars and Google Drive files for individual users, which an admin account would not normally be able to do.

Note

The User Interface for the Google Cloud Platform Console changes from time to time so the exact steps may be different than what is listed below.

Creating a Google Cloud Platform project (GOOGLE & GOOGLE_EXTENDED)

Both GOOGLE and GOOGLE_EXTENDED credentials require the creation of a Google Cloud Platform project. A single project can be used for multiple credentials of either type, with the limitation that the credentials within the same project will all share the same G-Suite API Quotas.

  1. Log into Google using credentials that you want to own the Client ID and Client Secret.

  2. Browse to the Google Cloud Platform Console (also known as the Google Developers Console) and select the project created above.

  3. Click the Create Project button and name the project something appropriate like “Connect Google Adapter for MyCompany”.

  4. If not already selected, click on the newly created project to select it.

  5. Click on the menu button at the top left of the page, and select API Manager.

  6. Select Dashboard in the left sidebar.

  7. Click the ENABLE API link and enable the following APIs:

    • Admin SDK (required)

    • Calendar API (optional - only needed if provisioning calendar resources or trustees)

    • Contacts API (optional - only needed if provisioning shared contacts)

    • Group Settings API (optional - only needed if using Google Groups for Business/Education and you want to control group settings)

    • Google Classroom API (optional - only needed if you will be using the Google Classroom Adapter)

  8. There will be several other APIs that were enabled by default: you may disable them if desired.

  9. Note that you may come back at any time and enable/disable APIs.

Creating a Client ID/Secret (GOOGLE)

A Client ID and Client Secret are needed to create a standard GOOGLE OAuth2 Credential.

  1. Navigate to Google Cloud Platform Console and select the project created above.

  2. Click on the menu button at the top left of the page, and select API Manager.

  3. In the sidebar on the left, select Credentials.

    1. Select OAuth consent screen tab

      1. The consent screen settings control what is presented when creating the OAuth2 Credential in Connect.

      2. Select an email address if not already selected.

      3. Set the product name to RapidIdentity.

      4. (Optional) Set the Homepage URL to http://www.identityautomation.com/

      5. (Optional) Set the product Logo to http://downloads.identitymgmt.net/icons/IA_icon_120_inverse.png

      6. Click the Save button.

    2. Select Create Credentials tab.

      1. Click the Create credentials button and select OAuth client ID.

      2. Select the Other radio button and enter RapidIdentity in the Name field.

      3. Click the Create button and then OK.

    3. Click the Download JSON button to save an offline copy of the Client ID and Client Secret. Make sure it is stored somewhere secure.


Creating and Authorizing a Service Account Key (GOOGLE_EXTENDED)

A Service Account Key (downloaded as a JSON file) is needed to create a GOOGLE_EXTENDED OAuth2 Credential.

  1. Navigate to Google Cloud Platform Console and select the project created above.

  2. Click on the menu button at the top left of the page, and select API Manager.

  3. In the sidebar on the left, select Credentials.

    1. Select Create Credentials tab.

      1. Click the Create credentials button and select Service account key.

      2. In the Service Account drop-down, select New service account.

      3. Enter an appropriate Service account name.

      4. Select the Project -> Service Account Actor role (if the Service Account Actor role does not exist, the Owner role will work too).

      5. Leave the Service account ID at its default value.

      6. Make sure JSON is selected as the Key type.

      7. Click the Create button and then OK.

      8. A JSON file will be downloaded containing the account information. Make sure it is stored somewhere secure.

      9. Press the close button.

      10. Click the Manage service accounts link.

      11. Click the More actions button in the row corresponding to your newly created service account and select Edit. If that button is not visible you may need to scroll to the right.

      12. Select the Enable G-Suite Domain-wide Delegation checkbox, and press Save.

  4. To authorize the Service Account Key to access a Google domain:

    1. Login to Google Admin Console as a User with Super Admin role.

    2. Click on Security.

    3. Click on Show more.

    4. Click on Advanced settings.

    5. Click on Manage API client access.

    6. Open the JSON file that was downloaded when you created the Service Account Key. Copy the value of the client_id field (without the enclosing quotes) and paste into the Client Name field in the browser.

    7. Enter the scopes you want to grant access to, separated by commas, in the One or More API scopes field and press the Authorize button. A list of available scopes is available at: https://developers.google.com/identity/protocols/googlescopes

    8. Additional scopes may be added later by repeating the previous two steps.

Creating an Administrator account (GOOGLE & GOOGLE_EXTENDED)

You will need an account with Administrator privileges in the domain you want to manage. While you can use the default administrative account, it is usually a good idea to create a separate User and grant the necessary administrative privileges.

Creating a GOOGLE OAuth2 Credential in Connect

  1. In Connect, go to Configuration > OAuth2 Credentials tab.

  2. Select the project you want the credential associated with or select * to create a credential that may be used by all projects.

  3. Click the Add… button and select GOOGLE.

  4. Give the credential a name (must be unique within the project.)

  5. Enter the Client ID and Client Secret created above in the corresponding fields.

  6. Enter the email address of the G-Suite administrator account you wish to use in the Username field.

  7. Review the permissions that will be requested. The default selection represents the permissions that are required for the G-Suite adapter to be fully functional, but if you don't need all the capabilities you may wish to adjust the requested permissions.

  8. Click the Request OAuth Credential button.

  9. Press OK to redirect to Google to authorize the credential.

  10. If necessary, log in to the G-Suite administrator account you entered above.

  11. Review the requested permissions. All the permissions used by the G-Suite adapter are selected by default, but those used by other auxiliary adapters (such as Google Classroom) are not.

  12. You may also add additional desired scopes for use with callGoogleAPI() by pressing the Add Custom... button.

  13. Press the Accept button. You will be sent to a new browser window or tab that may ask you to log in and authorize the credential request.

  14. Select and copy the code from the resulting page.

  15. Switch back to the Connect tab or window, paste the code, and press the OK button.
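The steps above hide the OAuth2 authorization-code exchange that Connect performs with Google. The following is an added example (not RapidIdentity or Connect code) that builds and checks those messages from the client JSON downloaded in "Creating a Client ID/Secret (GOOGLE)". It assumes the downloaded file has the standard Google "installed" layout (client_id, client_secret, auth_uri, token_uri), that the copy-the-code step corresponds to the out-of-band redirect urn:ietf:wg:oauth:2.0:oob, and uses two Admin SDK scopes as a stand-in for the adapter's default selection; the sample JSON is constructed, and nothing is sent to the network.

```python
"""Added example: what the GOOGLE credential steps exchange with Google.

Assumptions (not from the product guide): the client JSON has Google's
standard "installed" layout; Connect's copy-the-code step uses the
out-of-band redirect; ADMIN_SDK_SCOPES stands in for the adapter defaults.
"""
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample of a downloaded client JSON; not a real credential.
SAMPLE_CLIENT_JSON = json.dumps({
    "installed": {
        "client_id": "000000000000-example.apps.googleusercontent.com",
        "client_secret": "EXAMPLE-CLIENT-SECRET-PLACEHOLDER",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
})

# Assumed redirect behind "Select and copy the code from the resulting page".
OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"

# Assumed minimal Admin SDK scopes (the real default list lives in Connect).
ADMIN_SDK_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
]


def load_installed_client(raw_json):
    """Parse the downloaded file and refuse anything that is not an installed-app client."""
    doc = json.loads(raw_json)
    if "installed" not in doc:
        raise ValueError("expected an 'installed' client JSON (OAuth client ID of type Other)")
    client = doc["installed"]
    for field in ("client_id", "client_secret", "auth_uri", "token_uri"):
        if not client.get(field):
            raise ValueError("client JSON missing field: " + field)
    for field in ("auth_uri", "token_uri"):
        if urlparse(client[field]).scheme != "https":
            raise ValueError(field + " must use https")
    return client


def build_consent_url(client, scopes, login_hint):
    """Steps 8-11: the URL the admin's browser is sent to in order to review the scopes."""
    params = {
        "client_id": client["client_id"],
        "redirect_uri": OOB_REDIRECT,
        "response_type": "code",
        "scope": " ".join(scopes),   # scopes are space-separated in the request
        "access_type": "offline",    # ask for a refresh token so the credential outlives the session
        "prompt": "consent",
        "login_hint": login_hint,    # the admin account entered in the Username field
    }
    return client["auth_uri"] + "?" + urlencode(params)


def consent_url_scopes(url):
    """Read back the scopes encoded in a consent URL, for reviewing a request."""
    return parse_qs(urlparse(url).query)["scope"][0].split(" ")


def build_token_request(client, code):
    """Steps 14-15: the form body that is POSTed to token_uri with the pasted code."""
    if not code or any(c.isspace() for c in code):
        raise ValueError("authorization code looks malformed (empty or contains whitespace)")
    return {
        "code": code,
        "client_id": client["client_id"],
        "client_secret": client["client_secret"],
        "redirect_uri": OOB_REDIRECT,   # must match the redirect used in the consent URL
        "grant_type": "authorization_code",
    }


if __name__ == "__main__":
    c = load_installed_client(SAMPLE_CLIENT_JSON)
    print(build_consent_url(c, ADMIN_SDK_SCOPES, "admin@example.com"))
    print(build_token_request(c, "4/constructed-code"))
```

The client_secret travels in the token request, which is why the guide tells you to keep the downloaded JSON somewhere secure: anyone holding it can complete the exchange for a code they obtain.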

Creating a GOOGLE_EXTENDED OAuth2 Credential in Connect

  1. In Connect, go to Configuration > OAuth2 Credentials tab.

  2. Select the project you want the credential associated with or select * to create a credential that may be used by all projects.

  3. Click the Add… button and select GOOGLE_EXTENDED.

  4. Give the credential a name (must be unique within the project.)

  5. Open the JSON file you received when you created the Service Account Key and copy and paste its contents into the Google Service Account JSON field.

  6. Press the Create button.

Creating a G-Suite connection using GOOGLE OAuth2 Credential

  1. Insert the defineGoogleOAuthConnection() action.

  2. Enter the domain.

  3. After selecting the credentialName field, select OAuth2 Credential… in the combo box.

  4. Select the desired credential in the dialog and press OK.

Creating a G-Suite connection using GOOGLE_EXTENDED OAuth2 Credential

  1. Insert the defineGoogleExtendedOAuthConnection() action.

  2. Enter the domain.

  3. After selecting the credentialName field, select OAuth2 Credential… in the combo box.

  4. Select the desired credential in the dialog and press OK.

  5. Enter the Google User ID of the account you wish to use in the impersonateUserId field.

  6. Enter an array of scopes to authorize for the connection. The set of scopes must be a subset of those that were authorized for use by the Service Account Key for the domain.
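Two earlier parts of this guide come together here: the Service Account Key JSON whose client_id is authorized for a list of scopes in the Admin Console, and the rule that a connection's scopes must be a subset of that list. The following added example (not RapidIdentity or Connect code) reads a key file, extracts the client_id to paste into "Manage API client access", checks a connection's requested scopes against the authorized list, and assembles the JWT claim set that Google's service-account flow uses to impersonate the user named in impersonateUserId. It assumes the key file has Google's standard service-account layout (type, client_id, client_email, private_key, token_uri) and that the authorized scope list is supplied by the caller, because the key file does not record it; the sample key is constructed, and RS256 signing with private_key plus the token POST are left out so it runs offline.

```python
"""Added example: the checks behind the GOOGLE_EXTENDED steps.

Assumptions (not from the product guide): standard Google service-account
key layout; authorized scopes are supplied by the caller; the JWT is left
unsigned (Google requires RS256 over the signing input with private_key).
"""
import base64
import json
import time

# Constructed sample key file; every value is a placeholder, not a real key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_id": "100000000000000000000",
    "client_email": "connect-adapter@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Scopes the Super Admin authorized for the client_id ("One or More API scopes" step).
AUTHORIZED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/calendar",
}

MAX_LIFETIME = 3600  # Google rejects assertions whose exp is more than one hour after iat


def load_service_account_key(raw_json):
    """Parse the downloaded key and refuse anything that is not a service account key."""
    doc = json.loads(raw_json)
    if doc.get("type") != "service_account":
        raise ValueError("not a service account key (type != service_account)")
    for field in ("client_id", "client_email", "private_key", "token_uri"):
        if not doc.get(field):
            raise ValueError("key file missing field: " + field)
    return doc


def client_id_for_admin_console(key):
    """The value pasted into the Client Name field (as text, without the JSON quotes)."""
    cid = str(key["client_id"])
    if not cid.isdigit():
        raise ValueError("client_id should be a numeric string")
    return cid


def unauthorized_scopes(requested, authorized):
    """Scopes a connection asks for that were never authorized; empty means the request is valid."""
    return sorted(set(requested) - set(authorized))


def build_delegation_claims(key, impersonate_user_id, scopes, authorized, now=None,
                            lifetime=MAX_LIFETIME):
    """Claim set of the assertion that requests a token on behalf of impersonate_user_id."""
    missing = unauthorized_scopes(scopes, authorized)
    if missing:
        raise ValueError("scopes not authorized for this service account: " + ", ".join(missing))
    if lifetime > MAX_LIFETIME:
        raise ValueError("assertion lifetime may not exceed one hour")
    iat = int(time.time()) if now is None else int(now)
    return {
        "iss": key["client_email"],        # the service account itself
        "sub": impersonate_user_id,        # the user being impersonated (impersonateUserId)
        "scope": " ".join(scopes),         # space-separated, subset of the authorized list
        "aud": key["token_uri"],           # audience is Google's token endpoint
        "iat": iat,
        "exp": iat + lifetime,
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_part(part):
    """Decode one base64url JWT segment back into its JSON object."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def jwt_signing_input(claims):
    """header.payload that private_key must sign (RS256) before the POST to token_uri."""
    header = json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(claims, separators=(",", ":"))
    return _b64url(header.encode()) + "." + _b64url(payload.encode())


if __name__ == "__main__":
    k = load_service_account_key(SAMPLE_KEY_JSON)
    print("Client Name for Admin Console:", client_id_for_admin_console(k))
    claims = build_delegation_claims(k, "user@example.com",
                                     ["https://www.googleapis.com/auth/calendar"], AUTHORIZED_SCOPES)
    print(jwt_signing_input(claims))
```

Because domain-wide delegation lets the key act as any user, the scope list authorized in the Admin Console is the only limit on what the key can reach; keeping that list to what the connections actually request, and checking requests against it as above, is the practical safeguard.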

Deleting an OAuth Credential

  • In Connect, go to Connect > OAuth2 Credentials. Select the credential and press Delete.