Connecting to a Google Directory

admin

Product

This article relates to both LogonBox Cloud (SaaS) and LogonBox On-prem (VM).

 

Introduction

This article shows you how to connect to a Google business domain for your user database.

 

Configuring Google for authentication

1. To begin, a new project must be created in your Google Developers Console if you don't have one already. Go to https://console.developers.google.com and log in with a Google Account that has permission to manage users in the Google directory. From the Dashboard, create a new project and assign a name that you will be able to identify for LogonBox. Click Create.

 

2. Select the new project from the dropdown at the top of the screen. You should now be looking at the APIs Dashboard.

 

Under the left hand menu, click Library, then locate the Admin SDK library, which should be visible in the G Suite section.

 

Click Admin SDK, then Enable. If this is already enabled, click Manage instead.

 

 

3. Next go to Credentials on the left menu, then click the link for Credentials in APIs & Services.

 

 

Click on the OAuth consent screen menu on the left, set Application type to Public, and type an Application Name of your choice.

 

Whilst on this page, scroll down and set a value for Authorized Domains. This needs to match the hostname of your LogonBox server or the top level domain of your host. Click Save.

 

4. Click on the Credentials menu on the left, then from the Create Credentials drop down select OAuth client ID.

 

At the Create OAuth client ID screen, select Web Application.

 

5. New options will become available. First set a Name. Next, under the Restrictions section, you need to provide addresses.

For Authorised JavaScript origins add two addresses (Note: press tab or click outside the text box to add the URL; don't press enter, as it will prematurely create the config).
    https://localhost
    https://LogonBoxURL

Replace LogonBoxURL with the address used by your users to connect to Access Manager.

 

Now in Authorised redirect URIs enter the same addresses with /completeWebAuth.html included in the path
    https://localhost/app/api/google/oauth/end
    https://LogonBoxURL/app/api/google/oauth/end

Now select Create to complete the account creation.

 

6. Take note of the Client ID and Client Secret that are provided. You will need these later, and this is the only time you will be shown the secret.

Be careful when copying these as they have a tendency to add a space at the end when you copy, which you will need to remove before entering into LogonBox.

 

7. Now you will need to create a Service Account. From the Create Credentials drop down, this time select Service Account Key.

 

8. In the account creation set Service Account to New Service Account, give it a name, and set the Key Type to JSON. You can leave the Role section as Select a role.

 

Select Create to continue. On the Service account has no role popup, click Create without role.

The page will prompt you to download the JSON file, so save that, then click Close on the popup. The full text of this file will be required later.

 

 

9. Select the Manage Service Accounts link above the Service Account keys section.

 

On the far right of the new page click the three vertical dots menu for the service account. From here select Edit.

Expand the Show Domain-Wide Delegation section and tick the Enable G Suite Domain-wide Delegation option, then click Save.

 

10. Now select the View Client ID for the service account.

 

Make a note of the Client ID of the service account and record it as the Service Account ID. Take care: this is different from the Client ID we already noted. We will need it for the last part of the Google admin configuration.

 

Click Cancel or Save to get back to the Service Accounts page.

Now navigate back to the APIs Credentials page by clicking on the top left menu, then APIs & Services -> Credentials.

 

Note that the same Service Account Client ID is visible on this page. See how it differs from the Web application Client ID which we created earlier.

 

11. You will now have all the details you require for configuring a Google Directory in LogonBox, but there is one last setting in Google that needs to be configured.
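A pre-flight check of the values collected in steps 6 to 10, catching the trailing-space and mixed-up Client ID mistakes the steps warn about. This is an added example, not part of LogonBox or of the original article; the function name `preflight` and all sample values are constructed for illustration.

```python
import json

REQUIRED_KEY_FIELDS = ("type", "client_id", "client_email", "private_key")
WEB_SUFFIX = ".apps.googleusercontent.com"  # ending of OAuth web client IDs


def preflight(web_client_id, web_client_secret, service_account_json):
    """Return a list of problems in the values gathered in steps 6-10."""
    problems = []
    # Step 6: copied values tend to pick up a space at the end.
    for name, value in (("Client ID", web_client_id), ("Client Secret", web_client_secret)):
        if value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")
    if not web_client_id.strip().endswith(WEB_SUFFIX):
        problems.append("Client ID does not look like a web application client ID")
    # Step 8: the full text of the downloaded key file must be intact JSON.
    try:
        key = json.loads(service_account_json)
    except json.JSONDecodeError as exc:
        return problems + [f"service account file is not valid JSON: {exc.msg}"]
    fields = key if isinstance(key, dict) else {}
    missing = [f for f in REQUIRED_KEY_FIELDS if not fields.get(f)]
    if missing:
        return problems + [f"service account file is missing: {', '.join(missing)}"]
    if fields["type"] != "service_account":
        problems.append("key file type is not 'service_account'")
    if "BEGIN PRIVATE KEY" not in fields["private_key"]:
        problems.append("private_key is not a PEM block (file truncated?)")
    # Step 10: the Service Account ID is numeric and is not the web Client ID.
    sa_id = str(fields["client_id"])
    if not sa_id.isdigit():
        problems.append("service account client_id is not numeric")
    if sa_id == web_client_id.strip():
        problems.append("Service Account ID and web Client ID are the same value")
    return problems


# Constructed sample values, not real credentials.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "logonbox@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
})
SAMPLE_CLIENT_ID = "123456789012-abc123def456.apps.googleusercontent.com"

if __name__ == "__main__":
    for line in preflight(SAMPLE_CLIENT_ID + " ", "constructed-secret", SAMPLE_KEY):
        print("PROBLEM:", line)
```

Run it locally against the real values and avoid pasting the secret or key file into shared terminals or logs.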

 

Configure Google Security Settings

Go to your Google Apps Admin Console at https://admin.google.com/AdminHome and log in with your Google admin account.

Select the Security option.

 

In the Security page click API Reference.