Note: G Suite users are strongly advised to use SAML authentication instead of OAuth wherever possible. SAML configurations are faster, simpler, more powerful and less brittle.
Step 1 Enable API access
- Log in to your G Suite admin console at https://admin.google.com as an administrator
- Familiarize yourself with granting OAuth access to your G Suite implementation. You may find this Google documentation useful: https://support.google.com/a/answer/7281227
- Ensure that Swank will have read access to the Admin SDK, Directory API, Users endpoint.
Step 2 Create a new role
- Go to the admin roles: Click on the main menu (image below) > Account > Admin roles
- Click CREATE A NEW ROLE
- Name the new role S3API and click Continue
- You will see a screen where you can assign privileges. Assign the following privileges by checking the appropriate boxes:
  - Admin Console Privileges > Organizational Units > Read
  - Admin Console Privileges > Users > Read
  - Admin API Privileges > Organizational Units > Read
  - Admin API Privileges > Users > Read
  - Admin API Privileges > Groups > Read
  - Admin API Privileges > Schema Management > Schema Read
- Click Continue
- Click Create Role
Step 3 Create user for G Suite admin account
- Go to the user list: Click on the main menu (image below) > Directory > Users
- Add a new user named gsuite s3api
  - Click Add new user
  - First name: gsuite
  - Last name: s3api
  - Primary email: gsuites3api
  - Click Manage user’s password, organizational unit, and profile photo
  - Click Create password
  - Create a password of your choice. We will not need this password, only the user's email.
  - Be sure to deselect Ask for a password change at the next sign-in
  - Click ADD NEW USER
Step 4 Assign the S3API role to the new user
- Go to the user list: Click on the main menu (image below) > Directory > Users
- Locate user gsuite s3api and click on that username. You will see user information, security, groups, admin roles and privileges, etc. for this user.
- Locate the Admin roles and privileges section and click ASSIGN ROLES
- Assign the S3API role and click SAVE
Step 5 Create a project for Streaming Server integration into Google G Suite
- Go to https://console.cloud.google.com/cloud-resource-manager
- Click CREATE PROJECT
- Enter the project name Swank Streaming Server and select your location / organization.
Step 6 Enable Admin SDK
- Go to API Library https://console.cloud.google.com/apis/library
- Search for Admin SDK
- Admin SDK API allows administrators of enterprise domains to view and manage resources like user, groups etc. It also provides audit and usage reports of domain.
- Select Admin SDK API
- Click Enable
Step 7 Create a service account
- Go to the API & Services Dashboard at https://console.cloud.google.com/apis/
- Make sure that the Swank Streaming Server project is selected
- Click Credentials on the left navigation menu
- Click Create credentials and select Service account key
- Enter OAuthForStreamingServer as the service account name and click Create and Continue
- Click Select a role > Service Accounts > Service Account User
  - Note: This step is not optional and is required for our streaming server.
- Click Continue
- Click Done
Step 8 Update the service account
- Make sure you are still on https://console.cloud.google.com
- Click on the Main Navigation Menu > APIs & Services > OAuth consent screen
- For Application name enter Swank Streaming Server
- User support email should be your local support group
- Developer contact information should also be your local support group
- Click Save and Continue
- No changes under Scopes, click Save and Continue
- No changes under Optional info, click Save and Continue
- Click Back to Dashboard under Summary
- Click Credentials on the left navigation menu
- You will see a screen with sections API Keys, OAuth 2.0 Client IDs and Service Accounts
- In the Service Accounts section, click on the pencil icon to edit the newly created service account OAuthForStreamingServer
- Under the Keys section click Add Key > Create new key
- Key type should be JSON
- Click Create and save the JSON file. You will need it to import into the Swank admin portal.
- This creates the file that you will need later to configure the Streaming Server. Save this file and keep it for Step 10.
- Under the Details tab select Show Advanced Settings.
- Click Create Google Workspace Marketplace-Compatible OAuth Client
- Click Credentials on the left navigation menu
- Under the OAuth 2.0 Client IDs, click the copy icon under the Client ID column. You will need it in the next steps.
Step 9 Manage API client access
- Go to https://admin.google.com/ac/owl/domainwidedelegation
- Click the "Add new" button that appears at the top of the page
- Enter the Client/Unique ID number that was copied in step 8.17
- For the OAuth scopes field enter the following URL string exactly: https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Authorize
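A pre-upload check for the values from Steps 8 and 9, added here as an example and not part of Swank's or Google's tooling: it confirms that the downloaded JSON key is readable only by its owner, that the Client ID entered for domain-wide delegation matches the key's client_id, and that only the read-only user scope was delegated. It assumes the key's client_id field is the Client ID copied in Step 8; the function names, file path and sample key values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

# Scope the page authorizes in Step 9 (read-only access to users).
READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"
# Fields present in a Google service account JSON key.
REQUIRED = ("type", "private_key_id", "private_key", "client_email", "client_id", "token_uri")

def check_delegation(key_path, delegated_client_id, delegated_scopes):
    """Return a list of problems; an empty list means key file and Step 9 entry agree."""
    problems = []
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:  # the file holds a private key: owner-only access
        problems.append(f"key file mode is {mode:03o}, expected 600")
    with open(key_path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("not a service account key")
    if str(key.get("client_id", "")) != str(delegated_client_id).strip():
        problems.append("Client ID entered in Step 9 differs from the key's client_id")
    # The Step 9 scopes field is comma-delimited; expect the single read-only scope.
    scopes = [s.strip() for s in delegated_scopes.split(",") if s.strip()]
    if scopes != [READONLY_SCOPE]:
        problems.append("delegated scopes are not exactly the read-only user scope")
    return problems

def write_sample_key(path):
    """Write a constructed key file (placeholder values, not a real credential)."""
    sample = {
        "type": "service_account",
        "private_key_id": "0000placeholder",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "oauthforstreamingserver@example-project.iam.gserviceaccount.com",
        "client_id": "100000000000000000001",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, 0o600)

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "key.json")
    write_sample_key(path)
    print(check_delegation(path, "100000000000000000001", READONLY_SCOPE))
```

Run it against the real key file before the upload in Step 10, passing the Client ID and scope string exactly as typed into the domain-wide delegation form.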
Step 10 Configure your Digital Campus portal
- Navigate to your Digital Campus portal administrative page
- Select the "Google OAuth" area in the left-hand panel
- Upload Service Account Credentials (JSON file saved in previous step)
  - From step 8.10.1.
- Enter the name of your G Suite admin account (including the domain) in the "G Suite Admin Account" field.
  - This is the name of the account as created in step 3.2.4
  - Example: gsuites3api@schoolname.edu
- Enter a list of any Organizational Units that will require elevated privileges to your portal in the "Manage Authorization Roles" area.
  - NOTE: You will want to enter the immediate parent OU of the users who will need elevated privileges.
  - For example, if a teacher resides in an OU hierarchy such as:
    - School Name
      - Staff
        - Teacher
  - You would need to enter the "Teacher" OU, not "Staff" or "School Name."
  - Each OU that requires elevated privileges will need to be mapped to a role.
    - Teachers and faculty should be mapped to the Instructor role.
    - Administrators can optionally be mapped to the Admin role.
    - K-12 students will be automatically given the Basic role and do not need to be mapped to a role.
    - College or university students will be automatically given the User role and do not need to be mapped to a role.
- For each organizational unit that contains users who need elevated privileges to the Streaming Server:
  - Enter the name of that organizational unit in the Manage Authorization Roles area on your streaming portal.
- To review your current Organizational Unit hierarchy go to: https://admin.google.com
  - Click on the left navigation menu > Directory > Organizational Units
  - You will see a hierarchical list of your organizational units.