Introduction

This article shows you how to connect Google Workspace to the Astrato enterprise authentication function.

Contents

Setup Information

Google Workspace - Checklist, Project, Google OAuth Consent Screen, Credentials, Enable API

Astrato - Checklist, Setup, One More Step Required, Delete

SSO Login

Enterprise Authentication Articles

Setup Information

There are several stages to the setup process, so we've listed them here for you. In the instructions for each stage we've included a Checklist listing any information you need to enter, and any information you'll need to collect to complete the setup.

  • Google Workspace - The setup begins in the Google Cloud Console, where you'll need to create or open a Project, add a Google OAuth consent screen for authorization, create authorization Credentials and enable APIs you need to use.

  • Astrato - The set up to integrate with Astrato is managed in the Google Workspace Setup page in the Enterprise Authentication section of the Administration pages. You'll need to enter a Connection Name, Workspace Name, Client ID and Client Secret.

Back to Top

Google Workspace

Checklist

  • Access to the Google Cloud Console for your organization.

  • Your organization name and location.

  • App links - home page, domain, privacy policy, terms of service, authorization provider.

  • The Sign out redirect URI and Scopes listed in the Setup page for Google Workspace in Astrato. You'll also need the browser request authentication URL.

Project

  1. In the top bar of the console, click Select a Project to open the project screen (Figure 1).

  2. If you're working from an existing project, select it and click Open.

  3. If you need to work from a new project, click New Project, then enter a project name, and select your organization and location, then click Create.

    Important: The project name and organization cannot be changed.

  4. When the project opens or is created, you'll be taken to the project Dashboard. Click on Go to project settings to start the next stage.

Figure 1: Project

Back to Top

Google OAuth Consent Screen

Note: You'll have to create a separate consent screen for each project. If you need any more information on the consent screen, use the Learn panel on the right.

  1. In the project settings (Figure 2), open the navigation menu (the top left button in the screen).

  2. Click on APIs and Services

  3. Select OAuth Consent Screen from the dropdown.

  4. Select Internal as the User Type.

  5. Click Create to open the next screen.

Figure 2: Consent Screen

For the next stage of the setup, you'll need to enter information about your App Information and App Domain (Figure 3). The Learn panel in this section will show you a preview of your consent screen.

  1. In App information, enter the URL App name requesting Google account access (remember to include https or you'll return an error).

  2. Select the User support email you want to use as a point of contact.

  3. Choose an App Logo if you need one.

  4. In App Domain, enter the Application home page, Application privacy policy link and Application terms of service link (see checklist).

  5. In Authorized domains, enter the domains for your app and your authorization provider (see Checklist).

  6. Add any Developer contact information you need.

Figure 3: App Information, App Domain

When you've enter all the information, click Save and Continue to move to the Scopes screen (Figure 4).

  1. Click the Add or Remove Scopes to open the search screen, search for openid, then add it to the configuration. Repeat the search for email and profile (see Checklist).

  2. Click Save and Continue when the scopes have been added and open the Summary page. Click Back to Dashboard to move to the next stage.

Figure 4: Scopes

Back to Top

Credentials

Now you can generate the credentials you need for integrating enterprise authentication (Figure 5).

  1. In the dashboard, select APIs & Services, then click Credentials.

  2. Select OAuth client ID from the Create Credentials dropdown.

  3. Select Web application as an Application type, and enter a Name.

  4. In Authorized JavaScript origins, leave the field blank as it isn't required for the setup.

  5. In Authorized redirect URIs, enter the Sign in redirect URI from the Setup page (see Checklist).

  6. Once you've completed the form click Create to generate the Client ID and Client secret. Make a note of the the client ID and client secret for the next part of the setup (they're stored in the right corner of the Credentials screen as well).

  7. Click OK to close the screen.

Figure 5: Credentials

Back to Top

Enable API

The final stage of the Google Cloud Console setup is to register the Google APIs you need for the integration (Figure 6).

  1. In the dashboard select APIs & Services

  2. Choose Library from the dropdown.

  3. When the library screen opens, search for Google Drive.

  4. Click Enable to register the API. When the process completes you'll see a confirmation screen.

  5. Repeat steps 3 and 4 for the Google Sheets API.

Figure 6: Register API

The setup in Google Cloud is now complete. Make a note of the Google Workspace domain, Client ID and Client secret if you haven't already.

Back to Top

Astrato

Checklist

  • Your Google Workspace domain name.

  • The Client ID and Client Secret created in the Google Cloud Console

Setup Page

  • Login to the Astrato site.

  • Navigate to the Google Workspace integration page using

    Administration > Enterprise Authentication > Google Workspace (Figure 7).

Figure 7: Google Workspace

Open the Setup page (Figure 8), and enter the configuration information:

  1. Connection name - this should be unique.

  2. Google Workspace domain - this should match the domain you entered in the project settings.

  3. Client ID - enter the value generated in Google cloud.

  4. Client secret - enter the value generated in Google cloud.

  5. Click Create to save the setup details. You should receive a confirmation that the connection has been enabled.

Figure 8: Astrato Set Up

Back to Top

One More Step Required

You'll see the One more step required button appear in the top of the configuration screen (Figure 9). When the account screen opens, click to select the account you want to use. If the authorization is successful you'll be taken to the confirmation screen. Close the window to return to the workspace.

Figure 9: One More Step Required

Back to Top

Delete

If you need to delete the connection, go to the bottom of the page, click Delete and confirm the deletion when the pop up opens (Figure 10). Once the connection has been deleted, you'll see the Connect option appear again.

Figure 10: Delete Connection

Back to Top

SSO Login

Once the connection setup is complete, your users will have to login to Astrato using the SSO Screen. Any logins from other locations (e.g. LinkedIn) will return an error.

Back to Top

Enterprise Authentication Articles

You can find articles on enterprise authentication in the Administration articles collection, including an Introduction and setup articles for other integrations.

Back to Top

Did this answer your question?