Google Single Sign-On (SSO) Setup Steps
Please Note: These steps will need to be carried out by your Google super administrator.
In order to enable Google Single Sign-On (SSO) for your MyHub site, you will need to go through the following setup stages.
- Stage 1: Configure Google Authentication Provider For MyHub
- Stage 2: Enable API Access And Delegate Domain Authority
- Stage 3: Enter Your Google Authentication Details Into MyHub
- Stage 4: Import Your Users From Google
Stage 1: Configure Google Authentication Provider For MyHub
In order to allow your MyHub instance to work with Google SSO the first stage is configuring a new Google Authentication provider to work with your site. You will need to get your Google administrator to complete all of the following steps in sequence within this stage.
Create A Developer Project
- Step 1: In your browser, go to https://console.developers.google.com - Please note the Google interface options change depending on where you are so you will need to be familiar with the Google APIs interface.
- Step 2: Near the top, click Select a project and click Create project
- Step 3: Enter your Project name, and click Create
Configure The OAuth Consent Screen
- Step 1: On the left-hand side, click APIs & auth to expand the menu, then click Credentials
- Step 2: At the top of the screen, click OAuth consent screen
- Step 3: Enter your product/project name in the Product name field. This is the only required field; you may fill in the optional information if you wish.
- Step 4: Click Save
Configure An Application With Google
- Step 1: On the left-hand side, click APIs & auth to expand the menu, then click Credentials (note: just click Credentials if you are already in the console from the previous step)
- Step 2: Click the Create credentials drop down, and select OAuth client ID
- Step 3: Select Web application
- Step 4: Give your web application a name. (ex: use your MyHub site name. Users will see this name when logging in with Google for the first time)
- Step 6: Provide the Authorized redirect URIs (This is your login page, such as https://demo.myhubintranet.com/Intranet-Login)
- Step 7: Click Create
- Step 8: Google will now provide you with a client ID and your client secret. Copy these down, as we will need them in the next part. An example is shown below.
- Step 9: Click Library and search for Admin SDK, then click Admin SDK
- Then click the ENABLE button.
Stage 2: Enable API Access And Delegate Domain Authority
Once you have completed stage 1, you will be able to continue to stage 2 which involves two separate steps as follows.
- Step 1: Enable API access in the Google Admin console by following the instructions available at https://support.google.com/a/answer/60757
- Step 2: Create a service account. First review the instructions available at https://developers.google.com/identity/protocols/OAuth2ServiceAccount?hl=en_US#creatinganaccount. We've also listed the steps below.
- Step 3: Select the appropriate project you have just created from the previous steps.
- Step 4: Click the Create service account button
- Step 5: In the Create service account window, type a name for the service account, and select Furnish a new private key. Also select Enable G Suite Domain-wide Delegation; you will need this option to grant G Suite domain-wide authority to the service account. Then click Create. Important note: Please select the P12 file option. The Create service account window will look similar to the following.
- Step 6: The P12 file will be downloaded to your computer. Please also note down the private key's password for future reference. Then click Close.
- Step 7: Delegate domain-wide authority to the service account you created by following the instructions available at https://developers.google.com/identity/protocols/OAuth2ServiceAccount?hl=en_US#delegatingauthority. Please note you will need to use the Client ID for the service account, which is different to the previous one mentioned. You can get this from the Service account page shown in the examples below. You will also need to copy the email address for the service account:
- Enter the Service account Client ID in the Client Name field and the following scope value in the One or More API Scopes field, then click the Authorize button:
Stage 3: Enter Your Google Authentication Details Into MyHub
Once you have fully completed stage 1 and 2, you will need to go to the Admin > Site Settings area in your MyHub Site and enter the following information that you have collected in previous steps and then click the Update button:
- Your Input Client ID and Client Secret from Stage 1 > Step 8
- Your Google Admin Email Address
- Your Google Domain Address (lower case only)
- Your Google Service Account Email from Stage 2 > Step 7
- Your Google Private Key File from stage 2, step 2/3
- Ensure that your company email domain does not contain capital letters
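A pre-flight check for the values collected for Stage 3, as an added example that is not MyHub's or Google's code. It catches the mix-ups these steps warn about: a domain with capital letters, and the service account's numeric Client ID pasted where the OAuth client ID belongs. The dictionary field names, the sample values, and the rule that the admin email belongs to the Google domain are assumptions.

```python
import re
from urllib.parse import urlsplit

OAUTH_CLIENT_SUFFIX = ".apps.googleusercontent.com"   # OAuth client IDs end like this
SERVICE_ACCOUNT_SUFFIX = ".gserviceaccount.com"       # service account emails end like this

SAMPLE = {  # constructed values for illustration, not real credentials
    "redirect_uri": "https://demo.myhubintranet.com/Intranet-Login",
    "client_id": "1234567890-abcdefg.apps.googleusercontent.com",
    "admin_email": "admin@example.com",
    "domain": "example.com",
    "service_account_email": "myhub-sso@example-project.iam.gserviceaccount.com",
    "key_file": "myhub-sso.p12",
}


def check_redirect_uri(uri):
    """Return problems with the Authorized redirect URI from Stage 1."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https" or not parts.hostname:
        problems.append("redirect URI must be an https URL with a host")
    if "*" in uri or parts.fragment or parts.username:
        problems.append("redirect URI has a wildcard, fragment or userinfo")
    return problems


def check_stage3(values):
    """Return a list of problems in the Stage 3 values (empty list = OK)."""
    problems = check_redirect_uri(values["redirect_uri"])
    if not values["client_id"].endswith(OAUTH_CLIENT_SUFFIX):
        problems.append("client ID is not an OAuth client ID "
                        "(the service account's numeric Client ID goes in Stage 2)")
    domain = values["domain"]
    if domain != domain.lower():
        problems.append("domain contains capital letters")
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", domain):
        problems.append("domain is not a bare host name")
    # Assumption: the Google admin account lives in the same domain.
    admin_domain = values["admin_email"].rpartition("@")[2]
    if admin_domain.lower() != domain.lower():
        problems.append("admin email is not in the Google domain")
    if not values["service_account_email"].endswith(SERVICE_ACCOUNT_SUFFIX):
        problems.append("service account email is not a service account address")
    if not values["key_file"].lower().endswith(".p12"):
        problems.append("private key file is not a .p12 file")
    return problems
```
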
Stage 4: Import Your Users From Google
Once you have completed the previous stages you should be able to import all of your Google users into MyHub using the "Import Google Users" button function within the "Add & Manage Users" administration area on your MyHub site.
Please note, after you have performed your initial import of users from Google, if you add new users to Google you will need to re-run the "Import Google Users" function to add the additional users to your MyHub site. The existing users within MyHub will not be affected by this operation. If you delete users from Google you will need to delete the relevant MyHub users using the "Delete Selected Users" functionality within the "Add & Manage Users" administration area or you can delete them individually. New users imported from Google will be prefixed with "Google-".
Tip: To update your MyHub users, for example, to assign roles to them, you can use the CSV import/export functionality after you have performed the initial or subsequent import of users from Google.