Google Single Sign-On (SSO) Setup Steps
Please Note: These steps will need to be carried out by your Google super administrator. This is an advanced Google administrator process requiring approximately 45 mins to set up.
In order to enable Google Single Sign-On (SSO) for your MyHub site, you will need to go through the following setup stages.
- Stage 1: Configure Google Authentication Provider For MyHub
- Stage 2: Enable API Access And Delegate Domain Authority
- Stage 3: Enter Your Google Authentication Details Into MyHub
- Stage 4: Import Your Users From Google
Stage 1: Configure Google Authentication Provider For MyHub
In order to allow your MyHub instance to work with Google SSO the first stage is configuring a new Google Authentication provider to work with your site. You will need to get your Google administrator to complete all of the following steps in sequence within this stage.
Create A Developer Project
- Step 1: In your browser, go to https://console.developers.google.com. Please note that the Google interface options change depending on where you are, so you will need to be familiar with the Google APIs interface. MyHub has no control over the Google APIs interface, which also changes occasionally.
- Step 2: Near the top, click the three dots or the project selector drop-down to the right of the Google APIs logo and click NEW PROJECT in the top right of the popup
- Step 3: Enter your Project name, and then click the CREATE button
- Step 4: Go back to the Dashboard and, if it hasn't been selected automatically, select the project you have just created using the project selector drop-down. When the popup opens, click the name of the project you've just created.
Configure The OAuth Consent Screen
- Step 1: On the left-hand side, click APIs & auth to expand the menu, then click Credentials
- Step 2: At the top of the screen, click OAuth consent screen
- Step 3: Select the Internal Application type option and then input MyHub into the Application name field
- Step 4: Select the appropriate admin Support email address from the drop-down.
- Step 5: Now you need to scroll down to the bottom of the page and enter the following values:
- Authorized domains: Please add myhubintranet.com and if you have a custom domain for your MyHub site also add your custom domain.
- Application Homepage link: Enter the homepage address of your MyHub site in here.
- Step 6: You may fill in the optional information if you wish.
- Step 7: Then click the Save button.
Configure An Application With Google
- Step 1: On the left-hand side, click APIs & Services to expand the menu, then click Credentials (note: just click Credentials if you are already in the console from the previous step)
- Step 2: Click the Create credentials drop-down, and select OAuth client ID
- Step 3: Select Web application
- Step 4: Give your web application a name. (example: use your MyHub site name. Users will see this name when logging in with Google for the first time)
- Step 6: Provide the Authorized redirect URIs (This is your login page, such as https://demo.myhubintranet.com/Intranet-Login)
- Step 7: Click Create
- Step 8: Google will now provide you with a client ID and your client secret. Copy these down, as we will need them in the next part. An example is shown below.
- Step 9: Click Library and search for Admin SDK, then click Admin SDK
- Then click the ENABLE button.
Stage 2: Enable API Access And Delegate Domain Authority
Once you have completed stage 1, you will be able to continue to stage 2 which involves two separate steps as follows.
- Step 1: Enable API access in the Google Admin console by following the instructions available at https://support.google.com/a/answer/60757. Follow the link provided, log in if needed, then navigate to the Security area and look for the API reference section.
- Step 2: Create a service account. First review the instructions available at https://developers.google.com/identity/protocols/OAuth2ServiceAccount?hl=en_US#creatinganaccount. We've also listed the steps below.
- Step 3: Go back to https://console.developers.google.com/iam-admin/serviceaccounts and select the appropriate project you have just created in the previous steps.
- Step 4: Click the + CREATE SERVICE ACCOUNT link at the top of page:
- Step 5: On the first Create service account page, enter a Service account name and a Service account description, then click CREATE, then click CANCEL
- Step 6: Select Edit from the Actions drop-down list against the service account you just created
- Step 7: Click the SHOW DOMAIN-WIDE DELEGATION link and then check the Enable G Suite Domain-wide Delegation checkbox
- Step 8: Click the +CREATE KEY button and then select the P12 option, followed by clicking the CREATE button. The Private Key P12 file will then be saved to your computer. Store this file and its password in a safe place before clicking the CLOSE button.
- Step 9: Ensure that when you go back to the previous Edit screen you note down the Email value before you click the SAVE button. The Email value is the Service Account ID that we will use later on to configure MyHub.
- Step 10: Once you have created and enabled domain-wide delegation for the service account, an administrator of your G Suite domain must complete steps 1 to 7 shown at https://developers.google.com/identity/protocols/OAuth2ServiceAccount?hl=en_US#delegatingauthority. In steps 5 and 6, enter the Service account Unique ID in the Client Name field.
- Step 11: Then add the following scope value in the One or More API Scopes field: https://www.googleapis.com/auth/admin.directory.user.readonly. Then click the Authorize button
Stage 3: Enter Your Google Authentication Details Into MyHub
Once you have fully completed stage 1 and 2, you will need to go to the Admin > Site Settings area in your MyHub Site and enter the following information that you have collected in previous steps and then click the Update button:
- Your Input Client ID and Client Secret from Stage 1 > Step 8 under the Configure An Application With Google section above
- Your Google Admin Email Address
- Google Domain Address (lower case only) e.g. yourcompanyname.com
- Your Google Service Account Email from Stage 2: Enable API Access And Delegate Domain Authority > Step 9 above
- Your Google Private Key File from Stage 2: Enable API Access And Delegate Domain Authority > Step 9 above
- Ensure that your company email domain does not contain capital letters
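A pre-flight check for the values collected above, added here as an example; it is not part of MyHub or of Google's tooling. The setting names (`domain`, `admin_email`, `delegated_scopes` and so on) and the sample values are assumptions made up for illustration, and the suffix checks assume Google's usual client ID and service account address formats.

```python
from urllib.parse import urlsplit

# Scope the page tells the Google administrator to authorize in Stage 2.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"

def check_myhub_google_settings(cfg):
    """Return a list of problems found in the Stage 3 values (empty = OK)."""
    problems = []
    domain = cfg.get("domain", "")
    # The page requires the Google domain to be lower case only.
    if not domain or domain != domain.lower():
        problems.append("domain must be lower case only")
    # The admin account should belong to the Google domain being imported.
    admin = cfg.get("admin_email", "")
    if "@" not in admin or admin.rpartition("@")[2].lower() != domain.lower():
        problems.append("admin email is not in the Google domain")
    # User-created service accounts have addresses under iam.gserviceaccount.com.
    if not cfg.get("service_account_email", "").endswith(".iam.gserviceaccount.com"):
        problems.append("service account email does not look like a service account ID")
    # Web-application OAuth client IDs end in apps.googleusercontent.com.
    if not cfg.get("client_id", "").endswith(".apps.googleusercontent.com"):
        problems.append("client ID does not look like a Google OAuth client ID")
    # The redirect URI is the MyHub login page; expect HTTPS as in the page's example.
    uri = urlsplit(cfg.get("redirect_uri", ""))
    if uri.scheme != "https" or not uri.hostname:
        problems.append("redirect URI must be an https:// URL")
    # Least privilege: delegation should carry the read-only scope and nothing else.
    scopes = {s.strip() for s in cfg.get("delegated_scopes", "").split(",") if s.strip()}
    if REQUIRED_SCOPE not in scopes:
        problems.append("read-only directory scope is missing")
    for extra in sorted(scopes - {REQUIRED_SCOPE}):
        problems.append("unexpected delegated scope: " + extra)
    return problems

# Constructed sample values (not real credentials or project names).
GOOD = {
    "domain": "yourcompanyname.com",
    "admin_email": "admin@yourcompanyname.com",
    "service_account_email": "myhub-sso@example-project.iam.gserviceaccount.com",
    "client_id": "1234567890-abc.apps.googleusercontent.com",
    "redirect_uri": "https://demo.myhubintranet.com/Intranet-Login",
    "delegated_scopes": REQUIRED_SCOPE,
}
BAD = dict(GOOD, domain="YourCompanyName.com", delegated_scopes=REQUIRED_SCOPE
           + ",https://www.googleapis.com/auth/admin.directory.user")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_myhub_google_settings(cfg) or "OK")
```

The scope check matters most: domain-wide delegation lets the service account act for any user in the domain, so anything beyond the read-only directory scope widens what a leaked P12 key can do.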
Stage 4: Import Your Users From Google
Once you have completed the previous stages you should be able to import all of your Google users into MyHub using the "Import Google Users" button function within the "Add & Manage Users" administration area on your MyHub site.
Please note, after you have performed your initial import of users from Google, if you add new users to Google you will need to re-run the "Import Google Users" function to add the additional users to your MyHub site. The existing users within MyHub will not be affected by this operation. If you delete users from Google, you will need to delete the relevant MyHub users using the "Delete Selected Users" functionality within the "Add & Manage Users" administration area, or you can delete them individually. New users imported from Google will be prefixed with "Google-".
Tip: To update your MyHub users, for example, to assign roles to them, you can use the CSV import/export functionality after you have performed the initial or subsequent import of users from Google.