This article shows you how to connect Google Workspace to the Astrato enterprise authentication function.
There are several stages to the setup process, so we've listed them here for you. In the instructions for each stage we've included a Checklist listing any information you need to enter, and any information you'll need to collect to complete the setup.
Google Workspace - The setup begins in the Google Cloud Console, where you'll need to create or open a Project, add a Google OAuth consent screen for authorization, create authorization Credentials and enable APIs you need to use.
Astrato - The set up to integrate with Astrato is managed in the Google Workspace Setup page in the Enterprise Authentication section of the Administration pages. You'll need to enter a Connection Name, Workspace Name, Client ID and Client Secret.
Access to the Google Cloud Console for your organization.
Your organization name and location.
The Sign out redirect URI and Scopes listed in the Setup page for Google Workspace in Astrato. You'll also need the browser request authentication URL.
In the top bar of the console, click Select a Project to open the project screen (Figure 1).
If you're working from an existing project, select it and click Open.
If you need to work from a new project, click New Project, then enter a project name, and select your organization and location, then click Create.
Important: The project name and organization cannot be changed.
When the project opens or is created, you'll be taken to the project Dashboard. Click on Go to project settings to start the next stage.
Figure 1: Project
Google OAuth Consent Screen
Note: You'll have to create a separate consent screen for each project. If you need any more information on the consent screen, use the Learn panel on the right.
In the project settings (Figure 2), open the navigation menu (the top left button in the screen).
Click on APIs and Services
Select OAuth Consent Screen from the dropdown.
Select Internal as the User Type.
Click Create to open the next screen.
Figure 2: Consent Screen
For the next stage of the setup, you'll need to enter information about your App Information and App Domain (Figure 3). The Learn panel in this section will show you a preview of your consent screen.
In App information, enter the URL App name requesting Google account access (remember to include https or you'll return an error).
Select the User support email you want to use as a point of contact.
Choose an App Logo if you need one.
In Authorized domains, enter the domains for your app and your authorization provider (see Checklist).
Add any Developer contact information you need.
Figure 3: App Information, App Domain
When you've enter all the information, click Save and Continue to move to the Scopes screen (Figure 4).
Click the Add or Remove Scopes to open the search screen, search for openid, then add it to the configuration. Repeat the search for email and profile (see Checklist).
Click Save and Continue when the scopes have been added and open the Summary page. Click Back to Dashboard to move to the next stage.
Figure 4: Scopes
Now you can generate the credentials you need for integrating enterprise authentication (Figure 5).
In the dashboard, select APIs & Services, then click Credentials.
Select OAuth client ID from the Create Credentials dropdown.
Select Web application as an Application type, and enter a Name.
In Authorized redirect URIs, enter the Sign in redirect URI from the Setup page (see Checklist).
Once you've completed the form click Create to generate the Client ID and Client secret. Make a note of the the client ID and client secret for the next part of the setup (they're stored in the right corner of the Credentials screen as well).
Click OK to close the screen.
Figure 5: Credentials
The final stage of the Google Cloud Console setup is to register the Google APIs you need for the integration (Figure 6).
In the dashboard select APIs & Services
Choose Library from the dropdown.
When the library screen opens, search for Google Drive.
Click Enable to register the API. When the process completes you'll see a confirmation screen.
Repeat steps 3 and 4 for the Google Sheets API.
Figure 6: Register API
The setup in Google Cloud is now complete. Make a note of the Google Workspace domain, Client ID and Client secret if you haven't already.
Your Google Workspace domain name.
The Client ID and Client Secret created in the Google Cloud Console
Login to the Astrato site.
Navigate to the Google Workspace integration page using
Administration > Enterprise Authentication > Google Workspace (Figure 7).
Figure 7: Google Workspace
Open the Setup page (Figure 8), and enter the configuration information:
Connection name - this should be unique.
Google Workspace domain - this should match the domain you entered in the project settings.
Client ID - enter the value generated in Google cloud.
Client secret - enter the value generated in Google cloud.
Click Create to save the setup details. You should receive a confirmation that the connection has been enabled.
Figure 8: Astrato Set Up
One More Step Required
You'll see the One more step required button appear in the top of the configuration screen (Figure 9). When the account screen opens, click to select the account you want to use. If the authorization is successful you'll be taken to the confirmation screen. Close the window to return to the workspace.
Figure 9: One More Step Required
If you need to delete the connection, go to the bottom of the page, click Delete and confirm the deletion when the pop up opens (Figure 10). Once the connection has been deleted, you'll see the Connect option appear again.
Figure 10: Delete Connection
Once the connection setup is complete, your users will have to login to Astrato using the SSO Screen. Any logins from other locations (e.g. LinkedIn) will return an error.