Skip to main content
Sign in

Cloud Streaming - SSO - Google OIDC Setup Guide

Andrew Ricke
  • Updated
Not yet followed by anyone

This document is intended to be paired with Cloud Streaming - SSO - OIDC Configuration for users with Google Admin Console to manage their users.

 

You must start an SSO Configuration on your Cloud Portal Admin to continue below. It is best to configure both ends of this OIDC handshake together with 2 open windows or tabs on your browser.

 

For most of our customers using Google Workspace for user and directory management, we recommend using the SAML configuration option as an easier to configure and manage option.  This is provided for users familiar with OIDC via Google Cloud who know what advanced features within OIDC they are looking for.

 

Step 1 – Start Swank SSO OIDC Configuration

  1. Log Into your Swank Streaming Portal to the Admin section (e.g.: https://digitalcampus.swankmp.net/[your site ID]/admin or https://streaming.swankmp.net/[your site ID]/admin)
  2. Select SSO Configurations in the left menu
  3. Review the list of SSO Configurations for your portal
    1.  
    2. Legacy Providers:  If you've previously configured SSO via SAML or Google OAuth, you'll find their configuration listed at the bottom here.
      • Note: You cannot "upgrade" your existing OAuth configuration to our new Identity Service host - you must create a new OIDC configuration. 
      • The legacy configurations are deactivated automatically when a new SSO Provider is activated.  You can "fallback" to the legacy provider by deactivating the new provider(s).
    3. SSO Configurations  At the top of the page, see the list of available providers.  You can:
      • Activate or Deactivate existing configurations via the Active toggle.
      • Edit or Delete existing configurations via button actions
      • Add new SSO Configurations via the button at the Top.  (We'll continue this guide from this route)
  4. Click the Add Configuration button. 
  5. Choose the Provider Type of OIDC
  6. Display Name: This displays on the list of SSO Configurations as well as the button added to the Login page.

Step 2 – Create Google Cloud Project

  1. Log into your https://console.cloud.google.com/ account.
  2. On the Resource selection, create a new project
    • Make sure it is assigned to the Organization with the users you wish to grant access for.
    • Project name can be anything you prefer to stay organized.  Swank Cloud Streaming or Swank Digital Campus is recommended.
    • Click Create to generate the project

Step 2 – Setup Google Auth Platform

  1. Switch over to the Project created in Step 1
  2. In the menu, select Google Auth Platform > Overview
    • Click Get Started
  3. Complete App Information
    • App Name: Swank Cloud Streaming or Swank Digital Campus is recommended
    • User Support Email:  Your IT help contact address
    • Click Next
  4. Select Internal for Audience
    • Click Next
  5. Provide your IT support email for the Contact Information
    • Click Next
  6. Finish: Agree to the Google API Services User Data Policy
    • Click Continue
    • Click Create

Step 3 – Create OAuth Client

  1. On Overview you will find CREATE OAUTH CLIENT or navigate to the Clients page and client + CREATE CLIENT
  2. Complete the form
    • Application type: Web application
    • Name:Swank Cloud Streaming or Swank Digital Campus is recommended
  3. Add Authorized JavaScript origins - Adding both subdomains below are recommended
     
  4. Click Create to generate the client and then go back into the edit form:
  5. Take the first generated Client ID and Client secret and provide them to the OIDC configuration on your Cloud Portal:
    • Click Save to generate a Callback Path
  6. Add your generated Callback Path to the Authorized redirect URIs within the Client ID form:

Step 4 – Update Branding

  1. Navigate to the Branding page
  2. Add an App Logo - You may use one of the below
  3. Complete the App domain section
  4. Add Authorized domains
    • Add Authorized Domains for each email domain your users will be utilizing under your directory
    • These must not be public email domains such as gmail.com - they must be private domains used in your directory.
       
  5. Verify that Developer Contact information is correct
    • This must the be contact for who will be supporting this OIDC connection
  6. Click the Save button

 

Step 5 – Provide Necessary Data Access Scopes

  1. Navigate to the Data Access page
  2. Click ADD OR REMOVE SCOPES
  3. Check the first 3 options for providing non-sensitive scopes:
     
    • /auth/userinfo.email
    • /auth/userinfo.profile
    • openid
  4. Click Update to save changes

Step 6 – Optional: Advanced Sensitive Data Access Scopes

For advanced mapping to roles you can optionally provide sensitive scopes:

    1. Navigate to the APIs & Services > Library page
    2. Search for the Admin SDK API
      • Click Enable for this API
    3. Return to the Google Auth Platform > Data Access page and click ADD OR REMOVE SCOPES to add one or more of the following:
      • https://www.googleapids.com/auth/admin.directory.user.readonly
      • https://www.googleapids.com/auth/admin.directory.orgunit.readonly
      • https://www.googleapids.com/auth/admin.directory.group.readonly
      • You may need to enter the above into the property name filter to find easier:
    4. Click Update to save changes
    5. To Enable these Scopes to be read by your portal, please contact Support and provide the full path to the above Scopes.  They can add these to your advanced configuration options.

Step 7

Role Mapping, User Authorization, and Permission Elevation

All successful authentications will be authorized at the "Basic" or "User" account levels (role) by default depending on the market. To elevate permissions to a higher permission level for Instructors or Administrators you will need to add Role Mappings to grant this elevation either by Attribute Value or Individual UserID. For more information on Account Level Permissions, please see the following article: 
https://swankmp.zendesk.com/hc/en-us/articles/5723258435092-Cloud-Streaming-User-Account-Roles

 

There are 3 methods of providing roles and are respected in the following order - with the former values overriding any latter options.

  1.  Claim/Attribute of "role" directly provided by your Identity Provider
  2.  Role Mapping on the Portal's SSO Configuration
  3.  The Portal Default "User" or "Basic" role (Set by your Swank support)

Option 1: Identity Provider Role Assignment (Recommended)

Your Identity Provider can provide a Claim or Attribute for each User with the Name of "role" and the Value of one of our available user roles:  "Admin", "Instructor", "User", or "Basic".  This allows your Identity Provider Admin to set the roles based on policies and rules aligned with your organizations larger technology access strategy and to manage that access centrally at your User Directory.

Each Identity Provider has a different method for handling this action, below are some examples for Google and Azure for reference.

For Google:

  1. Go to Users and under More options, choose Manage custom attributes
  2. Add a Custom Attribute: Choose any name you'd like for tracking.
  3. Assign that Custom Attribute to an App Attribute of "role" in the SAML Attribute mappings.
  4. Make sure the User Information in Google Directory populates that Custom Value correctly for each user:

For Azure:

  1. Add a User Attribute such as 'SwankRole' that has a Data Type of String
  2. Define this string for your users as required
  3. In your Azure SAML Configuration, go to the Attributes & Claims and click Add new claim 
  4. Edit the Name values to role, and map the  Source attribute to the User Attribute created in step 1

 

You can verify you have "Role" attribute provided by checking your diagnostics while logged in under the desired SSO setup.  Log into your Portal's catalog, appending /diagnostics to the URL:  (e.g.: https://digitalcampus.swankmp.net/[your site ID]/diagnostics or https://streaming.swankmp.net/[your site ID]/diagnostics)

 

Option 2: Role Mapping via Attributes

To use this, you will need to identify or create an attribute that defines the user group(s) (such as a department) and differentiates them from the general population (students). Those attributes must be provided to your SSO configuration via your Identity Provider.  You can see what attributes are currently being delivered in your SAML statement via checking your diagnostics.
 

Log into your Portal's catalog, appending /diagnostics to the URL:  (e.g.: https://digitalcampus.swankmp.net/[your site ID]/diagnostics or https://streaming.swankmp.net/[your site ID]/diagnostics)

 

Under Access Token you will find the available attributes available to role map. 

In this example, you can see the attribute "department" has a value of "adminDepartment". We will use this as an example as to how to grant "Admin" permissions to all users with this attribute value: 

  1. While editing the SSO Provider, go to the Claims Role Mappings table, click Add Role Mapping
  2. In the Add Role Mapping pop-up window, for this example you would enter:
    Claim Name: "department"
    Claim Value: "adminDepartment"
    Role: "Admin"
     
  3. Click Save, You will now see your Role Mappings in the listing

You may add as many of these as needed for Instructor and Administrator permissions.   You can see from the example above, you can use direct email addresses, or even these can be based on Groups, such as email groups provided by Google:

 

Final Step

Make Configuration Active

Once you configured your OIDC Identity Provider, and determined your User's roles, remember to click the Activate toggle on the SSO Configuration page for your chosen Provider(s). If you are currently viewing the SSO Configuration detail page, you can click the "Go Back" link at the top of the page or click SSO Configuration from the side menu.

  • Toggle Active to the On position for your new SSO Configuration.

Recently viewed articles

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk