Google Single Sign-On (SSO) Setup Steps
Please Note: These steps will need to be carried out by your Google super administrator. This is an advanced Google administrator process requiring approximately 45 mins to set up.
In order to enable Google Single Sign-On (SSO) for your MyHub site, you will need to go through the following setup stages.
- Stage 1: Configure Google Authentication Provider For MyHub
- Stage 2: Create Service Account And Delegate Domain Authority
- Stage 3: Enter Your Google Authentication Details Into MyHub
- Stage 4: Import Your Users From Google
Stage 1: Configure Google Authentication Provider For MyHub
In order to allow your MyHub instance to work with Google SSO the first stage is configuring a new Google Authentication provider to work with your site. You will need to get your Google administrator to complete all of the following steps in sequence within this stage.
Create A Developer Project
- Step 1: In your browser, go to https://console.developers.google.com - Please note the Google interface options change depending on where you are so you will need to be familiar with the Google APIs interface. MyHub has no control over the Google APIs interface which also changes occasionally.
- Step 2: Near the top, click the project selector drop-down to the right of the Google APIs logo. Then click NEW PROJECT in the top right of the popup
- Step 3: Enter your Project name, and then click the CREATE button
- Step 4: Go back to the Dashboard and, if it hasn't been selected automatically, select the project you have just created using the project selector drop-down, just like step 2. When the popup opens, click the name of the project that you've just created.
The screen should look like this with the project that you previously selected showing at the top. Once you have completed this stage you can move onto the next part of this stage.
Configure The OAuth Consent Screen
- Step 1: In the menu on the left of the screen, click OAuth consent screen
- Step 2: Select the Internal option, then click the CREATE button
- Step 3: Enter "MyHub" into the Application name field
- Step 4: Select the appropriate admin Support email address from the drop-down.
- Step 5: Now you need to scroll down to the bottom of the page to just under where the "Add Scope" button is and enter the following values:
- Authorized domains: Please add myhubintranet.com and if you have a custom domain for your MyHub site also add your custom domain.
- Application Homepage link: Enter the homepage address of your MyHub site in here.
- Step 6: You may fill in the optional information if you wish.
- Step 7: Then click the Save button and move to the next part.
Configure An Application With Google
- Step 1: On the left-hand side, click the Credentials option
- Step 2: Click the CREATE CREDENTIAL menu and select OAuth client ID
- Step 3: Select the Web application option from the dropdown
- Step 4: Give your web application a name, for example your MyHub site name. Your users will see this name when logging in using Google SSO for the first time.
- Step 6: Under Authorized redirect URIs click the ADD URI button. Enter your MyHub site login address e.g. https://yoursitename.myhubintranet.com/Intranet-Login in this field
- Step 7: Click CREATE once you have entered all of the correct values
- Step 8: Google will now provide you with a Client ID and your Client Secret. Please make sure you copy these values somewhere as you will need them later in the setup process. When you are ready click the OK link.
- Step 9: Click Library in the left-hand menu
- Step 10: Search for Admin SDK within the search box
- Select the Admin SDK search result
- Step 11: Click the ENABLE button.
Stage 2: Create Service Account And Delegate Domain Authority
Once you have completed stage 1, you will be able to continue to stage 2, which involves a number of separate steps. These steps are a simplified version of the Google instructions available at https://developers.google.com/identity/protocols/OAuth2ServiceAccount?hl=en_US#creatinganaccount and are listed for you below:
- Step 1: Go to https://console.developers.google.com/iam-admin/serviceaccounts and select the appropriate project you have just created in the previous steps. There are multiple ways to do this from this page, either select it from your recent projects or click the SELECT PROJECT link and then click the relevant project.
- Step 2: Click the CREATE SERVICE ACCOUNT link at the top of the page
- Step 3: On the first Create service account page enter a Service account name and a Service account description, then click CREATE
- Step 4: Click CANCEL on the Service account permissions page
- Step 5: Click the three dots next to the Service account you've just created and then select Edit from the Actions drop-down list
- Step 6: Click the SHOW DOMAIN-WIDE DELEGATION link and then check the Enable G Suite Domain-wide Delegation checkbox
- Step 7: Click the + CREATE KEY button, select the P12 option and then click the CREATE button. The Private Key P12 file will then be saved to your computer. Store this file and copy the password to a safe place before clicking the CLOSE button. Please note, you don't need the password for this setup process but it is sensible to keep it in a safe place in case you need it in the future.
- Step 8: Ensure that when you go back to the previous Edit screen you copy and paste the Email and the Unique ID values somewhere before you click the SAVE button. The Email value is the Service Account ID that we will use later on to configure on your MyHub site. The Unique ID is the value we will be entering into the Client ID field only in the next step. Please note this is different to the Client ID value captured when you created your project credentials earlier, we'll be using the earlier Client ID value in the final setup stage within MyHub.
Set Up Domain-wide Delegation For A Client
Once you have completed the Domain-wide delegation steps and the service account steps above, an administrator of your G Suite domain must complete the following steps:
- Step 1: Go to your Google admin console https://admin.google.com
- Step 2: Navigate to the Security Page and select API Permission (API Controls)
- Step 3: Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION
- Step 4: On the Manage domain-wide delegation page, click Add new.
- Step 5: Enter the Unique ID value (See step 9 above) into the Client ID field
- Step 6: In the OAuth scopes field, enter the value https://www.googleapis.com/auth/admin.directory.user.readonly
- Step 7: Then click AUTHORIZE
Stage 3: Enter Your Google Authentication Details Into MyHub
Once you have fully completed stages 1 and 2, you will need to go to the Admin > Site Settings area in your MyHub Site and enter the following information that you have collected in previous steps and then click the Update button:
- Your Input Client ID and Client Secret from Stage 1 > Step 8 under the Configure An Application With Google section above
- Your Google Administrator Email Address
- Google Domain Address (lower case only) e.g. yourcompanyname.com
- Your Google Service Account Email from Stage 2: Enable API Access And Delegate Domain Authority > Step 8 above
- Your Google Private Key File from Stage 2: Enable API Access And Delegate Domain Authority > Step 7 above
- Ensure that your company email domain does not contain capital letters
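A pre-flight check for the values collected in Stages 1 and 2, to run before entering them into MyHub. This is an added example, not MyHub's or Google's code: the dictionary keys and sample values are constructed, and the ID and email suffix checks assume Google's usual formats for OAuth web client IDs, service account Unique IDs and service account emails.

```python
import re
from urllib.parse import urlsplit

# The single scope the page tells the admin to authorize for delegation.
READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"

# Constructed sample values; replace with the ones you copied during setup.
SAMPLE = {
    "oauth_client_id": "1234567890-example.apps.googleusercontent.com",
    "delegation_client_id": "100000000000000000001",  # service account Unique ID
    "service_account_email": "myhub-sso@example-project.iam.gserviceaccount.com",
    "google_domain": "yourcompanyname.com",
    "delegated_scopes": READONLY_SCOPE,
    "redirect_uri": "https://yoursitename.myhubintranet.com/Intranet-Login",
}

def preflight(cfg):
    """Return a list of problems in the collected values (empty list = OK)."""
    problems = []
    # Stage 1 Client ID: Google OAuth web client IDs carry this suffix.
    if not cfg["oauth_client_id"].endswith(".apps.googleusercontent.com"):
        problems.append("oauth_client_id is not an OAuth web client ID")
    # Stage 2 Unique ID: numeric, and easy to confuse with the OAuth Client ID.
    if not re.fullmatch(r"\d+", cfg["delegation_client_id"]):
        problems.append("delegation_client_id must be the numeric Unique ID")
    if not cfg["service_account_email"].endswith(".iam.gserviceaccount.com"):
        problems.append("service_account_email is not a service account address")
    # The page requires the domain in lower case only.
    if cfg["google_domain"] != cfg["google_domain"].lower():
        problems.append("google_domain contains capital letters")
    # Delegation should carry only the read-only user scope, nothing broader.
    scopes = [s for s in re.split(r"[,\s]+", cfg["delegated_scopes"]) if s]
    if scopes != [READONLY_SCOPE]:
        problems.append("delegated_scopes must be only the read-only user scope")
    # Redirect URI follows the page's example: https and the login path.
    uri = urlsplit(cfg["redirect_uri"])
    if uri.scheme != "https" or uri.path != "/Intranet-Login":
        problems.append("redirect_uri must be the https Intranet-Login address")
    return problems

if __name__ == "__main__":
    for line in preflight(SAMPLE) or ["all checks passed"]:
        print(line)
```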
Stage 4: Import Your Users From Google
Once you have completed the previous stages you should be able to import all of your Google users into MyHub using the "Import Google Users" button function within the "Add & Manage Users" administration area on your MyHub site.
Please note, after you have performed your initial import of users from Google, if you add new users to Google you will need to re-run the "Import Google Users" function to add the additional users to your MyHub site. The existing users within MyHub will not be affected by this operation. If you delete users from Google you will need to delete the relevant MyHub users using the "Delete Selected Users" functionality within the "Add & Manage Users" administration area or you can delete them individually.
Tip: To update your MyHub users, for example, to assign roles to them, you can use the CSV import/export functionality after you have performed the initial or subsequent import of users from Google.