Introduction
This document provides instructions for configuring Directory Synchronization and Authentication with Google Workspace.
Step 1
Create a User and Custom Administrator Role
- Log in to the Google Admin Console https://admin.google.com/
- Create a User that will be used for the Konverse Service Account.
- Create a Custom Administrator Role with "Read" access to the areas listed below:
  - Organization Units
  - Users
  - Groups
- Add the User to the Role
Step 2
Enable the Admin SDK
- Log in as a G Suite admin to https://console.cloud.google.com/apis/dashboard
- Click on Select a Project
- Click Create a New Project
- Enter a name in the Project Name field, for example KonverseAPIDirectoryAccess
- Select the Organization and the Location
- Click Create
- After creating the project select Enable APIs and Services
- Search for Admin SDK
- Open Admin SDK from the search results and click Enable
Step 3
Create a Service Account
- Log in to the Google API Console https://console.cloud.google.com/apis/dashboard
- From the navigation menu click on Credentials
- Select Manage Service Accounts
- Click Create Service Account
- Complete the fields for the new Service Account and click Create
- In the Role drop-down select Service Accounts - Service Account User
- Click Continue
- Under Grant Users Access to this Service Account, add the user you created in Step 1 in the Service account users role field and click Done
- Click the three dots under Actions and select Manage Keys
- Click Add Key and select Create New Key
- Select JSON
- The key should download automatically. You'll need to provide the JSON file to Konverse, along with the email address of the user you created for the service account.
- Go back to the Service Account
- Click the three dots under Actions and select Manage Details
- Click Enable Google Workspace Domain Wide Delegation
- Click Show Domain Wide Delegation and record the Client ID, which is needed for the next step. You will need to complete the consent screen for your users to give approval.
Step 4
Authorize the Service Accounts Client ID
- Log in to the Google Admin Console https://admin.google.com/
- Go to Security
- Select API Controls
- Click on the Manage Domain Wide Delegation link.
- Click on the Add New button.
- Enter the Client ID from step 14 of the previous section
- Specify the following in the OAuth Scopes field as a comma-separated list: https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly
- Send the JSON file and email address of the service account to [email protected]
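A pre-flight check for Steps 3 and 4, as an added example that is not part of the original instructions or Konverse's own tooling: it confirms that the downloaded key file is a service account key whose client_id matches the Client ID you recorded, and that the delegation scope list contains exactly the three read-only scopes. The function names and all sample values are assumptions constructed for illustration.

```python
import json

# The three read-only Directory API scopes listed in Step 4.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
}

def check_scopes(scope_field):
    """Compare the comma-separated OAuth Scopes field with the required set."""
    entered = {s.strip() for s in scope_field.split(",") if s.strip()}
    return {"missing": sorted(REQUIRED_SCOPES - entered),
            "unexpected": sorted(entered - REQUIRED_SCOPES)}

def check_key(key_json, recorded_client_id):
    """Return a list of problems found in a service account key file."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    for field in ("client_email", "client_id", "private_key_id", "private_key"):
        if not key.get(field):
            problems.append("missing field: " + field)
    if key.get("client_id") != recorded_client_id:
        problems.append("client_id differs from the recorded Client ID")
    return problems

def redacted_summary(key_json):
    """Identifying fields only; the private_key value is never returned."""
    key = json.loads(key_json)
    return {k: key.get(k) for k in ("project_id", "client_email", "client_id", "private_key_id")}

# Constructed sample values, not real credentials.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "konverseapidirectoryaccess-000000",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "konverse-sync@konverseapidirectoryaccess-000000.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})
# Constructed scope field with one scope that does not belong (full user access).
SAMPLE_SCOPES = ", ".join(sorted(REQUIRED_SCOPES)) + ", https://www.googleapis.com/auth/admin.directory.user"

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY, "100000000000000000001"))
    print(check_scopes(SAMPLE_SCOPES))
    print(redacted_summary(SAMPLE_KEY))
```

The redacted summary is what belongs in a ticket or chat message; the key file itself contains the private key and should only travel over the channel agreed with Konverse.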
Configuring Authentication with Google Workspace
If you plan on allowing your users to authenticate to the App using their Google credentials please follow the steps below.
- Log in to the Google API Console https://console.cloud.google.com/apis/dashboard
- Select the KonverseAPIDirectoryAccess Project
- Click Credentials – Create Credentials – OAuth client ID
- Select Web Application as the application type
- Enter a name, for example KonverseAuth
- Under Authorized JavaScript Origins click Add URI
- Enter the URL for your Konverse application: https://{subdomain}.konverse.com
- Under Authorized Redirect URIs click Add URI
- Enter the URL below, changing the subdomain to be your domain and the Server ID to be the auth server ID provided by Konverse support: https://{subdomain}.konverse.com/return_from_google/{server_id_provided_by_konverse}/google_auth.json
- Click Create
- You will be given an OAuth client ID and a client secret. Click OK
- In the OAuth 2.0 client IDs list select KonverseAuth
- Download and send the JSON file to Konverse.