Google Directory Integration
The Google Directory integration requires a service account in order to read data from your GSuite directory. This will allow your GSuite users and groups to be searched for and added into the Planet eStream permissions structure.
To set up the integration on Google:
- Give your project a name and click create.
- Go into your new project and open the navigation menu. From here, select ‘APIs & Services’.
- From the top of the page, select ‘Enable APIs and Services’.
- Search for ‘Admin SDK’, select and enable this. This will redirect you to the overview page for this API.
- Select ‘Credentials’ from the left-hand side.
If you haven’t already, you will need to configure the OAuth Consent Screen at this stage. Help for this can be found at: https://support.google.com/cloud/answer/6158849?hl=en
- From the top of the credentials page, select ‘Create Credentials’ > ‘Service Account’.
- Give your service account a name, ID and description and click ‘Create’.
- On the next page, for the role, select ‘Project’ > ‘Owner’ from the dropdown and continue.
- Nothing needs to be entered under the ‘Grant users access to this service account’ section.
- Select ‘Create Key’ and choose the JSON format. This will download a file. Keep this to hand as it will be needed later.
- Close the popup and select ‘Done’. This will take you back to the credentials page.
- For your newly created service account, click the pencil tool.
- Make a copy of the ‘Unique ID’ field. This will be needed later.
- Show the ‘Domain-Wide Delegation’ option and enable this.
- Navigate back to the credentials page, go to ‘Create Credentials’, again at the top of the page, but this time select ‘OAuth Client ID’.
- For application type, choose ‘Web Application’.
- Click ‘Create’. This will show you a popup with your Client ID and Client Secret. Only the Client ID is needed. Make a copy of this.
The next part of the setup will be done in the GSuite admin console.
- Log in to https://admin.google.com with your administrator credentials.
- From the dashboard, go to ‘Security’. Under the ‘Advanced Settings’ section, go to ‘Manage API client access’.
- In the ‘Client Name’ field, enter the Unique ID of the service account you created. This is a string of numbers containing no letters.
- In the ‘One or More API Scopes’ field, authorize the following entry:
The final part of the setup will be done on your Planet eStream site.
From the above steps you should have the following:
- Service Account Email Address (ending in ‘.iam.gserviceaccount.com’)
- JSON key file
- OAuth Client ID
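Before entering these values into Planet eStream, a pre-flight check along the following lines can confirm they are consistent with each other. This is an added example, not part of Planet eStream's or Google's tooling: the helper name and sample values are constructed, and it assumes the downloaded file uses Google's standard service account key fields (`type`, `client_email`, `client_id`, `private_key`).

```python
import json, os, re, stat, tempfile
SA_EMAIL_SUFFIX = ".iam.gserviceaccount.com"

def check_integration_inputs(key_path, unique_id, oauth_client_id):  # hypothetical helper
    """Return a list of problems found; an empty list means the inputs are consistent."""
    problems = []
    # The key is a long-lived credential: only its owner should be able to read it.
    if os.name == "posix" and stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        problems.append("key file is readable by group/others; chmod 600 it")
    with open(key_path, encoding="utf-8") as fh:
        key = json.load(fh)
    # An OAuth client download has a top-level "web"/"installed" object instead.
    if not isinstance(key, dict) or key.get("type") != "service_account":
        problems.append("file is not a service account key (type != service_account)")
        return problems
    if not key.get("client_email", "").endswith(SA_EMAIL_SUFFIX):
        problems.append("client_email does not end in " + SA_EMAIL_SUFFIX)
    if "PRIVATE KEY" not in key.get("private_key", ""):
        problems.append("private_key is missing or not PEM")
    # The Unique ID from the console is all digits and equals client_id in the key.
    if not re.fullmatch(r"\d+", unique_id):
        problems.append("Unique ID must contain digits only")
    elif key.get("client_id") != unique_id:
        problems.append("Unique ID does not match client_id in the key file")
    # Service-account identifiers are easy to paste into the OAuth Client ID field.
    if oauth_client_id == unique_id or oauth_client_id.endswith(SA_EMAIL_SUFFIX):
        problems.append("OAuth Client ID field holds a service account identifier")
    return problems

def demo():
    # Constructed sample key: placeholder values, not a real credential.
    sample = {"type": "service_account", "project_id": "example-project",
              "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
              "client_email": "estream-sync@example-project" + SA_EMAIL_SUFFIX,
              "client_id": "100000000000000000001"}
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates the file 0600
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    try:
        good = check_integration_inputs(path, "100000000000000000001",
                                        "constructed-id.apps.googleusercontent.com")
        bad = check_integration_inputs(path, "100000000000000000002",
                                       sample["client_email"])
    finally:
        os.remove(path)
    return good, bad

if __name__ == "__main__":
    print(demo())
```

Call `check_integration_inputs` with the path to your own downloaded key, the Unique ID you copied and the OAuth Client ID; any returned message points at the value to recheck.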
On your Planet eStream site:
- Log in to your Planet eStream site as an administrator and go to Tools > Admin > External Integrations and Services.
- Scroll down to the ‘Google Services Integration’ section.
- Google Service Account: This is your service account email address.
- Impersonation Account: This can be a GSuite admin account, or a custom user with permission to read Organizational Units, Groups, and Users.
- Service Key File: This is the JSON key file downloaded in the above steps.
- GSuite Domain: Your domain
- Google Client ID: This is the OAuth Client ID.
- Once you have entered these details, click ‘Update Google Settings’.
- Navigate to Tools > Admin > Authentication Options.
- Under the ‘Login Page Options’ section, enable the Google Login.
- It is also recommended to allow a domain account to access the Planet eStream Tools > Admin area. To do this, within the same ‘Authentication Options’ page, scroll down to the ‘Domain Users Administration List’ section. In this box, enter a comma-separated list of email addresses of users who should be able to access the admin area.
This completes the setup. At this stage, contact Planet eStream support in order to push all changes through.