Google G Suite

This document describes how to integrate Google G Suite using OpenID Connect with Naviga ID.

Prerequisites

The steps in this document require that you have a working G Suite directory: https://gsuite.google.com/.

Generate a Client ID and Client Secret

1. Log in to your Google account and go to the API Manager.
2. Click on the Select a project dropdown and choose the project you want to use, or create a new one.
3. Click on Create credentials and select OAuth client ID.
4. Google shows a banner saying "To create an OAuth client ID, you must first set a product name on the consent screen". Click on Configure consent screen.
5. Type the Product Name that will be shown to users when they log in through G Suite, add infomaker.io as an Authorised domain and click Save.
6. Now fill in the information about the app. Start by selecting Web application and provide a name for your app.
8. Under Restrictions, fill in the following information:
  • Authorized JavaScript origins: https://imas.imid.infomaker.io, https://imas.stage.imid.infomaker.io
  • Authorized redirect URI: https://imas.stage.imid.infomaker.io/v1/org/<OrganizationName>/login-callback, https://imas.imid.infomaker.io/v1/org/<OrganizationName>/login-callback
<OrganizationName> should be replaced with a name given to you by Naviga.
9. Click on Create and your Client ID and Client Secret will now be displayed.

Enable the API access

1. From the Admin console Home page, go to Security > API reference.
2. Check the Enable API access box.
3. Click Save.

Enable Admin SDK

2. Search for Admin SDK.
3. Click on Admin SDK and click on Enable.

Create a Service Account for Fetching User Groups

If you want Naviga Login to be able to fetch groups for the logged-in user, a service account is required.
Create a service account and delegate domain-wide authority to it by following this guide: https://developers.google.com/admin-sdk/directory/v1/guides/delegation.
The following scope is required to fetch user groups: https://www.googleapis.com/auth/admin.directory.group.readonly
Access to the G Suite Admin SDK requires impersonating a user with access to the Directory API:
Note: Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API. Additionally, the user must have logged in at least once and accepted the G Suite Terms of Service.

Gather The Required Information and Speak With Your Naviga Contact

Naviga needs the following information to complete the integration:
  • URL to your OpenID provider metadata file (.well-known/openid-configuration)
  • Client ID
  • Client secret
  • Private key file of the created service account in JSON format
  • Email address or user ID of a user with access to the Directory API
  • Domain for which to retrieve the user groups
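
A pre-handoff check for the service account items listed above, written as an added example (not Naviga's or Google's code): it validates the shape of the JSON key file and builds the JWT claim set that a domain-wide delegation token request carries, with the impersonated user as `sub` and only the read-only group scope. The function names and sample values are constructed, and it assumes the impersonated user is given as an email address.

```python
import time

GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
REQUIRED = ("type", "client_email", "private_key", "private_key_id", "token_uri")

# Constructed sample in the layout of a downloaded key file; not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "groups-reader@example-project.iam.gserviceaccount.com",
    "private_key_id": "0000placeholder0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def check_key_file(key):
    """Return a list of problems with a service account key dict (empty if fine)."""
    problems = [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (wrong kind of credential file)")
    if not str(key.get("token_uri", "")).startswith("https://"):
        problems.append("token_uri is not an https URL")
    if "BEGIN PRIVATE KEY" not in str(key.get("private_key", "")):
        problems.append("private_key is not a PEM private key")
    return problems


def delegation_claims(key, impersonate, domain, now=None):
    """Build the JWT claim set for a domain-wide delegation token request."""
    if impersonate.rsplit("@", 1)[-1].lower() != domain.lower():
        raise ValueError("impersonated user is not in the domain being queried")
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],  # the service account itself
        "sub": impersonate,          # Directory API user the account acts as
        "scope": GROUP_SCOPE,        # read-only groups, nothing broader
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,           # assertions are valid for at most one hour
    }


if __name__ == "__main__":
    print(check_key_file(SAMPLE_KEY) or "key file looks well-formed")
    print(delegation_claims(SAMPLE_KEY, "admin@example.com", "example.com"))
```

Load the real key with `json.load` and pass the resulting dict; the claim set still has to be signed with RS256 by a JWT library before it can be exchanged for an access token.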