Introduction

This document provides instructions for configuring Directory Synchronization and Authentication with Google Workspace.  

Step 1

Create a User and Custom Administrator Role

  • Log in to the Google Admin Console https://admin.google.com/
  • Create a User that will be used for the Konverse Service Account
  • Create a Custom Administrator Role with "Read" access to the areas listed below
    • Organization Units
    • Users
    • Groups
  • Add the User to the Role

Step 2

Enable the Admin SDK


  • Log in as a G Suite admin to https://console.cloud.google.com/apis/dashboard
  • Click Select a Project
  • Click Create a New Project
  • Enter a name in the Project Name field, for example, KonverseAPIDirectoryAccess
  • Select the Organization and the Location
  • Click Create
  • After creating the project select Enable APIs and Services
  • Search for Admin SDK
  • Open Admin SDK from the search results and click Enable

Step 3

Create a Service Account

  • Log in to the Google API Console https://console.cloud.google.com/apis/dashboard
  • From the navigation menu, click Credentials
  • Select Manage Service Accounts
  • Click Create Service Account
  • Complete the fields for the new Service Account and click Create
  • In the Role drop-down, select Service Accounts - Service Account User
  • Click Continue
  • Under Grant Users Access to this Service Account, add the user you created in Step 1 in the Service account users role field and click Done
  • Click the three dots under Actions and select Manage Keys
  • Click Add Key and select Create New Key
  • Select JSON
  • The key should download automatically. You'll need to provide the JSON file to Konverse, along with the email address of the user you created for the service account.
  • Go back to the Service Account
  • Click the three dots under Actions and select Manage Details
  • Click Enable Google Workspace Domain Wide Delegation
  • Click Show Domain Wide Delegation and record the Client ID, which is needed for the next step. You will need to complete the consent screen for your users to give approval.

Step 4

Authorize the Service Account's Client ID


Configuring Authentication with Google Workspace


If you plan on allowing your users to authenticate to the App using their Google credentials, please follow the steps below.

  • Log in to the Google API Console https://console.cloud.google.com/apis/dashboard
  • Select the KonverseAPIDirectoryAccess Project
  • Click Credentials > Create Credentials > OAuth client ID
  • Select Web Application as the application type
  • Enter a name, for example, KonverseAuth
  • Under Authorized JavaScript Origins, click Add URI
  • Enter the URL for your Konverse application: https://{subdomain}.konverse.com
  • Under Authorized Redirect URIs, click Add URI
  • Enter the URL below, changing the subdomain to be your domain and the Server ID to be the auth server id provided by Konverse support: https://{subdomain}.konverse.com/return_from_google/{server_id_provided_by_konverse}/google_auth.json
  • Click Create
  • You will be given an OAuth client ID and a client secret. Click OK
  • In the OAuth 2.0 client IDs list, select KonverseAuth
  • Download and send the JSON file to Konverse.
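
A preflight check for the two JSON files this guide has you send to Konverse (the service account key from Step 3 and the OAuth client file from the authentication section), as an added example that is not part of the original page or Konverse's tooling. The function names, the sample values and the server id `42` are constructed for illustration; the field names are those Google writes into these downloads.

```python
# Load the real files with json.load() and pass the resulting dicts to the checks.

def check_service_account_key(key, recorded_client_id):
    """Problems in the service account key from Step 3 (empty list = OK)."""
    problems = []
    if key.get("type") != "service_account":
        problems.append("file is not a service account key")
    for field in ("client_email", "client_id", "private_key"):
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("client_id") and key["client_id"] != recorded_client_id:
        problems.append("client_id differs from the Client ID recorded for delegation")
    return problems

def check_oauth_client(client, subdomain, server_id):
    """Problems in the OAuth client file for Konverse sign-in (empty list = OK)."""
    web = client.get("web")
    if not isinstance(web, dict):
        return ["file is not a Web application OAuth client"]
    origin = f"https://{subdomain}.konverse.com"
    redirect = f"{origin}/return_from_google/{server_id}/google_auth.json"
    problems = []
    for name, expected in (("javascript_origins", origin), ("redirect_uris", redirect)):
        actual = web.get(name) or []
        if expected not in actual:
            problems.append(f"{name} lacks {expected}")
        # Any entry other than the expected one widens where Google will send users.
        problems += [f"{name} has unexpected entry {u}" for u in actual if u != expected]
    if not web.get("client_secret"):
        problems.append("missing field: client_secret")
    return problems

# Constructed sample contents (placeholders, not real credentials).
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "konverse-sync@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}
SAMPLE_OAUTH = {"web": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER",
    "javascript_origins": ["https://example.konverse.com"],
    "redirect_uris": ["https://example.konverse.com/return_from_google/42/google_auth.json"],
}}

if __name__ == "__main__":
    print(check_service_account_key(SAMPLE_KEY, "100000000000000000001"))
    print(check_oauth_client(SAMPLE_OAUTH, "example", "42"))
```

Neither check includes the private key or the client secret in its messages, so the output can be shared when troubleshooting.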