Cloud Streaming - Google Gsuite Oauth SSO Integration

Note: GSuite users are strongly advised to use SAML authentication instead of OAuth wherever possible.  SAML configurations are faster, simpler, more powerful and less brittle.

Table of Contents

1. Enable API Access
2. Create a New Role
3. Create User for G-Suite Admin Account
4. Assign the S3API Role to the New User
5. Create Project for Streaming Server Integration
6. Enable Admin SDK
7. Create Service Account
8. Update Service Account
9. Manage API Client Access
10. Configure Digital Campus Portal
11. Activate
12. Troubleshooting Login Issues

1. Enable API Access

1. Login to your G Suite admin console at https://admin.google.com as an administrator
2. Familiarize yourself with granting OAuth access to your G Suite implementation. You may find this Google documentation useful: 
   https://support.google.com/a/answer/7281227
3. Ensure that Swank will have read access to the Admin SDK, Directory API, Users endpoint.

2. Create a new role

1. Go to the admin roles: Click on the main menu (image below) > Account> Admin roles
   1. 
2. Click CREATE A NEW ROLE
3. Name the new role S3APIand click Continue
4. You will see a screen where you can assign privileges. Assign the following privileges by checking the appropriate boxes:
   1. Admin Console Privileges > Organizational Units > Read
   2. Admin Console Privileges > Users > Read
   3. Admin API Privileges > Organizational Units > Read
   4. Admin API Privileges > Users > Read
   5. Admin API Privileges > Groups > Read
   6. Admin API Privileges > Schema Management > Schema Read
   7. Click Continue
   8. Click Create Role
      • 

3. Create User for G Suite Admin Account

1. Click on the main menu (image below) > Directory> Users
   1. 
2. Add a new user named gsuites3api
   1. Click Add new user
   2. First name: gsuite
   3. Last name: s3api
   4. Primary email: gsuites3api
   5. Click Manage user’s password, organizational unit, and profile photo
      • 
   6. Click Create password
   7. Create a password of your choice. We will not need this password, only the user's email.
   8. Be sure to deselect Ask for a password change at the next sign-in
   9. Click ADD NEW USER
      1. 

4. Assign the S3API Role to the New User

1. Click on the main menu (image below) > Directory > Users
   • 
2. Locate user gsuite s3api and click on that username. You will see user information, security, groups, admin roles and privileges, etc. for this user.
3. Locate the Admin roles and privileges section and click ASSIGN ROLES
   •  
4. Assign the S3API role and click SAVE
   • 

5. Create Project for Streaming Server Integration

1. Go to https://console.cloud.google.com/cloud-resource-manager
2. Click CREATE PROJECT
   • 
3. Enter the project name Swank Streaming Server and select your location / organization.
   • 

6. Enable Admin SDK

1. Go to API Library https://console.cloud.google.com/apis/library
2. Search for Admin SDK
   1. Admin SDK API allows administrators of enterprise domains to view and manage resources like user, groups etc. It also provides audit and usage reports of domain.
      • 
3. Select Admin SDK API
4. Click Enable

7. Create Service Account

1. Go to the API & Services Dashboard at https://console.cloud.google.com/apis/
2. Make sure that the Swank Streaming Server project is selected
   • 
3. Click Credentials on the left navigation menu
   • 
4. Click Create credentials and select Service account key
   1. 
5. Enter OAuthForStreamingServer as the service account name and click Create and Continue
   • 
6. Click Select a role > Service Accounts >Service Account User
   • Note: This step is not optional and is required for our streaming server.
     • 
7. Click Continue
8. Click Done

8. Update Service Account

1. Make sure you are still on https://console.cloud.google.com
2. Click on the Main Navigation Menu > APIs & Services > OAuth consent screen
   1. 
3. If requested select Internal for your organization.
4. For Application name enter Swank Streaming Server
5. User support email should be your local support group
6. Developer contact information should also be your local support group
   • 
7. Click Save and Continue
8. No changes under Scopes, click Save and Continue
9. No changes under Optional info, click Save and Continue
10. Click Back to Dashboard under Summary
11. Click Credentials on the left navigation menu
12. You will see a screen with sections API Keys, OAuth 2.0 Client IDs and Service Accounts
13. In the Service Accounts section, click on the pencil icon to edit the newly created service account OAuthForStreamingServer
    1. 
14. Under the Keys section click Add Key > Create new key
    • 
15. Key type should be JSON
16. Click Create and save that "JSON" file. You will need this to import into the Swank admin portal.
    • This will create a file that you will need later to configure the Streaming Server. Save this file and reserve this for Step 10
17. Under the Details tab select Show Advanced Settings.
18. Click Create Google Workspace Marketplace-Compatible OAuth Client
    • 
19. Click APIs & Services >Credentials on the left navigation menu
20. Under the OAuth 2.0 Client IDs, click the copy icon under the Client ID column. You will need it in the next steps.
    • 

9. Manage API Client Access

1. Go to https://admin.google.com/ac/owl/domainwidedelegation
2. Click the "Add new" button that appears at the top of the page
   1. 
3. Enter the Client/Unique ID number that was copied in step 8.20
4. For the OAuth scopes field enter the following URL string exactly - https://www.googleapis.com/auth/admin.directory.user.readonly
5. Click Authorize
   • 

10. Configure Digital Campus Portal

1. Navigate to your Digital Campus portal administrative page
2. Select the "Google OAuth" area in the left-hand panel
3. Upload Service Account Credentials (JSON file saved in previous step 8.16)
4. Enter the name of your G Suite admin account (including the domain) in the "G Suite Admin Account" field.
   1. This is the name of the account as created in step 3.2.4
   2. Example: gsuites3api@schoolname.edu
5. Enter a list of any Organizational Units that will require elevated privileges to your portal in the "Manage Authorization Roles" area.
   1. NOTE: You will want to enter the immediate parent OU of the users who will need elevated privileges.
      • For example, if a teacher resides in an OU hierarchy such as:

        •                        - School Name
                                    - Staff
                                       -Teachers

          You would need to enter the "Teachers" OU, not "Staff" or "School Name."

   2. Each OU that requires elevated privileges will need to be mapped to a role.
      • Teachers and faculty should be mapped to the Instructor role.
      • Administrators can optionally be mapped to the Admin role.
      • K-12 students will be automatically given the Basic role and do not need to be mapped to a role.
      • College or university students will be automatically given the User role and do not need to be mapped to a role.
   3. For each organizational unit that contains users who need elevated privileges to the Streaming Server:
      1. Enter the name of that organizational unit in the Manage Authorization Roles area on your streaming portal.
         • 
         • 

1. 1. To review your current Organizational Unit hierarchy, go to: https://admin.google.com 
   2. Click on the left navigation menu > Directory > Organizational Units
      • 
   3. You will see a hierarchical list of your organizational units.

11. Activate

Once you have completed your configuration remember to click the Activate button at the top right of the Google OAuth page.

12. Troubleshooting Login Issues

If you are having issues authenticating after completing your configuration, please refer to the following guide: Cloud Streaming - Google OAuth Troubleshooting – Swank Motion Pictures, Inc.