Setup Google Workspace for User Provisioning
For the role: Company administrative employee
Prerequisites:
- To be Google Workspace Super Admin,
- To know the URL address of Peig Workspace (e.g. https://pap01.company.org/)
1. Initialize Admin SDK API to access user provisioning features on Google cloud console.
- Open https://console.cloud.google.com/ and sign in with Super Admin Google Account.

2. Select the country and agree with Terms of Service

3. Click on (drop down) “Select a Project”


4. Click on the “New project” option and fill new project info
- Project name = Peig Access Platform
- Organization = choose, e.g. <rvsd.org>
- Location = <rvsd.org>

Note: It can take several minutes before a new project can be created, probably due to Google synchronization delays.
5. Choose your newly created project (Peig Access Platform) and set up OAuth on it

6. Choose Menu > API Services > OAuth consent screen

7. Choose “Internal” option
- Internal > click Create

8. Fill all required information
- App name = Peig Access Platform
- User support email = <choose from the drop down list>

9. Check Scopes – no change needed

10. Check Summary – no change needed

11. Return to the Peig Access Platform Dashboard and create new credentials

12. Click on “Create credentials” option and select “OAuth client ID”


13. Select “Web application” option

14. Fill in the credential info and click “Create”
- “Name” = Web client 1
- “Authorized JavaScript origins” = https://[pap-hostname] (where [pap-hostname] is the hostname of your Peig Workspace, e.g. pap01.company.com)
- “Authorized redirect URIs” = https://[pap-hostname]/aducid-manage-resource/authGoogleCallback (your workspace hostname followed by the Resource Manager application path)

15. The credentials are now created; copy them and store them securely
You can also download credentials in JSON format.

16. Activate Admin SDK API to remotely access user provisioning operations
- Open https://console.cloud.google.com/marketplace/product/google/admin.googleapis.com in your browser and click the “Enable” button.

17. You will be redirected to the “Admin SDK API” page of your project.

That’s it. Google Workspace setup for User Provisioning is complete!
Setup Google Workspace SSO Organization Profile
For the role: Company administrative employee
Prerequisites:
- To be Google Workspace Super Admin
- To know the URL address of Peig Workspace (e.g. https://pap01.company.org/)
1. First log in to your Google Workspace account as a Super Admin
- You will see your Google Workspace homepage,
- Click the “Show more” button on the left side to see the advanced configuration options.

2. Select the Security > SSO with third-party IdP option

3. On the page for external (third-party) IdP configuration, click on “Add SSO profile” link

4. Fill in the SSO profile form with values:
- “Sign-in page URL” = https://[pap-hostname]/idp/profile/SAML2/Redirect/SSO
- “Sign-out page URL” = https://[pap-hostname]/idp/profile/Logout, where [pap-hostname] is the hostname of your Peig Workspace, e.g. pap01.company.com
- “Upload certificate”
- Click the “Save” button

5. Check “Set up SSO with third-party identity provider“
- Menu > Security > Authentication > SSO with third party IdP

That’s it. Creation of Google Workspace SSO Organization Profile is complete!
Setup Google Workspace for the Onboarding scenario
For the role: Company administrative employee
Prerequisites:
- To be Google Workspace Super Admin
- To know the URL address of Peig Platform Workspace (e.g. https://pap01.company.org/)
The goal is to check if the user exists in Google Workspace. After the successful user authentication based on Google username/password, the user is onboarded to the Peig platform.
You need to create a new SAML application in Google Workspace and a new group whose members will log in only through the SSO federation.
1. Open Admin Console for your Google Workspace and login as Super Admin
- Menu > Apps > Overview
- Choose Web and mobile apps

2. Choose “Add custom SAML apps”

3. Fill in the form with the name of the new SAML application
- App name = PEIG SAML

4. The next page shows the details of the newly created SAML app
Note the following SAML parameters from this page; they are needed later for the JSON configuration:
- “SSO URL” - in the JSON config this parameter is named “idpSSOURL”
- “Entity ID” - in the JSON config this parameter is named “idpEntityID”
- “Certificate” - in the JSON config this parameter is named “idpCertificate”.
- Note that the certificate MUST be in one-line format, without any blank characters.

5. Fill in the details of the Service Provider
- “ACS URL” = https://[pap-hostname]/aducid-onboard/google/acs
- “Entity ID” = https://[pap-hostname]/aducid-onboard/google/metadata

6. Click “Continue”, and then “Finish”

7. Setup the “User access” for this SAML App
- On the panel with the SAML App > User access > click “Expand User access”.

8. Change service status to ON for everyone
- Choose “ON for everyone” and click the “SAVE” button.

9. Get SAML App URL parameter – “AppURL”
- In the Google navigation bar, right-click on “Google App”.
- Copy and remember this link address as an “AppURL” JSON parameter, which can look like this:
https://accounts.google.com/o/saml2/initsso?idpid=XXX&spid=XXX&forceauthn=false

10. Create the Google group for users with SSO authentication
- Open Groups in Google Workspace Console.
- Click “Create group”

11. Fill in the Group information
- “Group name” = PEIG
- “Group email” = <e.g. peig@peig.rvsd.org>
- Click “Next”

12. Keep the default group setting
- Click “Create Group”

13. Remember the group email address
- The PEIG group email address is the "groupKey" value in the JSON file.

14. Start SSO authentication only for users in PEIG group
- In Admin Console Menu choose Security > Authentication > SSO with third-party IdP.
- Open the “Manage SSO profile assignments” configuration section.

15. Manage SSO profile assignments
- PEIG group -> log in with organization SSO profile
- Everyone else -> log in with Google name and password

16. Finally, prepare the JSON configuration for your dedicated Peig Access server
- Your Peig Access Platform is integrated with Google Workspace through a simple JSON configuration file loaded into the Peig workspace server. Prepare the JSON file from the values collected in the previous configuration steps:
{
  "peigUsernameType" : "EMAIL",
  "peigMigrationMode" : "GOOGLE",
  "data" : {
    "domain" : "",
    "entityID" : null,
    "acsURL" : null,
    "nameIDFormat" : null,
    "clientId" : "",
    "clientSecret" : "",
    "refreshToken" : null,
    "appURL" : "",
    "idpSSOURL" : "",
    "idpEntityID" : "",
    "idpCertificate" : "",
    "groupKey" : "peig@peig."
  }
}
Upload this JSON configuration file to the following directory on [pap-hostname]:
# /opt/tomcat-aim/webapps/aducid-manage-resource/WEB-INF/classes/profile/<cfg-file.json>
That's it. Now you can continue with Setup Peig Access Platform Workspace on the [pap-hostname] server.
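As an added example (not part of this guide or of the Peig product), the following Python helper derives the Peig-side URLs that the Google console forms in the three sections above ask for from [pap-hostname], converts the Google certificate to the required one-line format, checks that the AppURL copied in step 9 has the expected shape, and fills the step 16 template; the sample PEM and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample PEM (not a real certificate), used only to exercise one_line_cert().
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBxzCC AWKg\nAwIBAgIUQ\n-----END CERTIFICATE-----\n"

def peig_urls(pap_hostname):
    """Peig-side URLs that the Google console forms ask for, all derived from [pap-hostname]."""
    base = f"https://{pap_hostname}"
    return {
        "authorized_origin": base,                                        # section 1, step 14
        "redirect_uri": f"{base}/aducid-manage-resource/authGoogleCallback",
        "sign_in_url": f"{base}/idp/profile/SAML2/Redirect/SSO",          # section 2, step 4
        "sign_out_url": f"{base}/idp/profile/Logout",
        "acs_url": f"{base}/aducid-onboard/google/acs",                   # section 3, step 5
        "sp_entity_id": f"{base}/aducid-onboard/google/metadata",
    }

def one_line_cert(pem):
    """Reduce a PEM certificate to its base64 body on one line with no blank characters."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return "".join(body.split())

def is_google_saml_app_url(url):
    """Accept only the AppURL shape from step 9: accounts.google.com/o/saml2/initsso with idpid and spid."""
    u = urlparse(url)
    q = parse_qs(u.query)
    return (u.scheme == "https" and u.netloc == "accounts.google.com"
            and u.path == "/o/saml2/initsso" and "idpid" in q and "spid" in q)

def build_config(client_id, client_secret, app_url, idp_sso_url, idp_entity_id, idp_cert_pem, group_key):
    """Fill the step 16 template; fields the guide leaves empty or null are left that way."""
    if not is_google_saml_app_url(app_url):
        raise ValueError("appURL must be the SAML app link copied in step 9")
    if "@" not in group_key:
        raise ValueError("groupKey must be the PEIG group e-mail address from step 13")
    return {
        "peigUsernameType": "EMAIL",
        "peigMigrationMode": "GOOGLE",
        "data": {
            "domain": "",
            "entityID": None, "acsURL": None, "nameIDFormat": None, "refreshToken": None,
            "clientId": client_id,
            "clientSecret": client_secret,
            "appURL": app_url,
            "idpSSOURL": idp_sso_url,
            "idpEntityID": idp_entity_id,
            "idpCertificate": one_line_cert(idp_cert_pem),
            "groupKey": group_key,
        },
    }
```

Serialize the returned dictionary with json.dumps and save it under the profile directory named above; the clientSecret inside it is a credential and the file should be readable only by the Tomcat service account.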