# Google Identity Services

Administrator logins can be tied to Google Workspace accounts using Google Identity Services, which lets customers use Google Workspace as the single sign-on source for the web portal. When a user logs in through Google Identity Services for the first time, an administrator account is created for them automatically. Unless you restrict access to specific groups (see below), this means every user in your Workspace domain can obtain an administrator account simply by signing in.

Note

This feature is only available for web portal administrator logins.

# Create an OAuth Web Application

To create the credentials your deployment needs to authenticate users through Google Identity Services, follow the steps below:

  • Follow the instructions to configure your OAuth consent screen.
  • Open the Credentials page of the Google APIs console.
  • Click Create credentials > OAuth client ID.
  • For application type, select Web Application.
  • For Authorized JavaScript origins, enter the origin the portal is served from, in the form https://<DEPLOYMENT_HOSTNAME> (scheme and host only; the console rejects origins that include a path or a trailing slash). Google will only return ID tokens to pages loaded from this exact origin.
  • Click Save.
  • Copy the Client ID of the newly created web application credentials.

To enable Google Identity Services in the application, open the configuration file and add the following settings:

```yaml
google_identity_service:
  client_id: <YOUR_CLIENT_ID>.apps.googleusercontent.com
```

Note

The portal must be served over HTTPS, and the deployment hostname must end in a public top-level domain (such as .com). The Google APIs console rejects origins that use plain HTTP (localhost excepted) or internal-only suffixes such as .local, so Google Identity Services cannot be used for an intranet-only portal.

# Restrict Access to Specific Groups

By default, every user in your Google Workspace domain who signs in is granted access and, on first login, automatically receives an administrator account. To restrict access to members of specific groups, you must configure the application to look up group membership through the Google Workspace Admin SDK API.

  • Follow the instructions to set up a service account with Domain-Wide Delegation.
  • When delegating API scopes to the service account, delegate only the https://www.googleapis.com/auth/admin.directory.group.readonly scope. The application only needs to read group membership; a broader scope would turn a leaked key into a Workspace-wide read or write capability.
  • Upload the service account JSON key to your application VM and restrict its file permissions to the account the portal runs as (for example, mode 0600). Anyone who can read the key can impersonate the admin user for the delegated scope.
  • Enable the Admin SDK API.

For the application to call the Admin SDK API, the service account must impersonate a Google Workspace user who is permitted to read groups; specify that user with the gsuite_admin_email setting. Prefer a dedicated account holding a read-only admin role (such as Groups Reader) over a super administrator: within the delegated scope, the service account key can do whatever that user's role allows.

To enable group restrictions, open the configuration file and add the following settings:

```yaml
google_identity_service:
  client_id: <YOUR_CLIENT_ID>.apps.googleusercontent.com
  service_account_key: <PATH_TO_SERVICE_ACCOUNT_KEY>.json
  allowed_groups:
    - <ALLOWED_GROUP_1>
    - <ALLOWED_GROUP_2>
  gsuite_admin_email: <ADMIN_USER@YOUR_DOMAIN>
```
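As an added example (not the portal's own code; the page does not describe its internal checks), the Python below models the relying-party decision that a configuration like the one above drives: the ID-token claim checks against client_id and the Workspace domain, the domain-wide-delegation assertion that impersonates gsuite_admin_email with only the group read-only scope, and the allowed_groups membership test over a Directory API groups.list response. It assumes groups are identified by e-mail address, as the Directory API does. The sample token, the example.com directory data, the signature verifier and the HTTP fetcher are constructed stand-ins so the example runs offline; in production the signature check is google-auth's id_token.verify_oauth2_token() and the group lookup is an authenticated Admin SDK call.

```python
"""Added example, not the portal's own code: the relying-party checks behind a
google_identity_service configuration (client_id, allowed_groups,
gsuite_admin_email). Signature verification and the Admin SDK call are injected
so the logic runs offline; production code uses google-auth and real HTTP."""
import base64
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GROUPS_ENDPOINT = "https://admin.googleapis.com/admin/directory/v1/groups"
GROUP_READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"

@dataclass
class GisConfig:  # mirror of the google_identity_service block in the config file
    client_id: str
    allowed_groups: list = field(default_factory=list)  # group e-mail addresses (assumption)
    gsuite_admin_email: str = ""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(id_token: str) -> dict:
    """Payload of a JWT. Does NOT check the signature; verify before trusting it."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_unb64url(payload))

def check_claims(claims: dict, cfg: GisConfig, workspace_domain: str, now: float) -> str:
    """Relying-party checks on a Google ID token; returns the e-mail or raises."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise PermissionError("unexpected issuer")
    if claims.get("aud") != cfg.client_id:
        raise PermissionError("token issued for a different client_id")
    if now >= float(claims.get("exp", 0)):
        raise PermissionError("token expired")
    if claims.get("email_verified") is not True:
        raise PermissionError("e-mail not verified by Google")
    # Consumer accounts carry no hd claim, so this alone keeps @gmail.com
    # logins out of the admin portal before any group lookup runs.
    if claims.get("hd") != workspace_domain:
        raise PermissionError("account is outside the Workspace domain")
    return claims["email"]

def delegation_assertion(service_account_email: str, cfg: GisConfig, now: float) -> dict:
    """Claim set the service account signs (RS256) under domain-wide delegation:
    sub is the impersonated admin, scope is the single delegated scope."""
    return {"iss": service_account_email, "sub": cfg.gsuite_admin_email,
            "scope": GROUP_READONLY_SCOPE, "aud": TOKEN_ENDPOINT,
            "iat": int(now), "exp": int(now) + 3600}

def groups_of(email: str, fetch_json) -> set:
    """Directory API groups.list filtered by member: GET .../groups?userKey=<email>."""
    return {g["email"] for g in fetch_json(f"{GROUPS_ENDPOINT}?userKey={email}").get("groups", [])}

def authorize_admin_login(id_token, cfg, workspace_domain, verify_signature, fetch_json, now) -> str:
    """E-mail that may log in (and be auto-created as an administrator), or raise."""
    if not verify_signature(id_token):
        raise PermissionError("ID token signature does not verify")
    email = check_claims(decode_claims(id_token), cfg, workspace_domain, now)
    if cfg.allowed_groups and not groups_of(email, fetch_json) & set(cfg.allowed_groups):
        raise PermissionError(f"{email} is not a member of an allowed group")
    return email

# --- constructed sample data and stand-ins (not real Google responses) ----------
NOW = 1_700_000_000.0
CONFIG = GisConfig(client_id="1234.apps.googleusercontent.com",
                   allowed_groups=["portal-admins@example.com"],
                   gsuite_admin_email="admin@example.com")
SAMPLE_DIRECTORY = {"alice@example.com": ["portal-admins@example.com", "eng@example.com"],
                    "bob@example.com": ["eng@example.com"]}
_HEADER = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())

def make_unsigned_token(claims: dict) -> str:
    """Test-only token with a dummy signature that sample_verify accepts."""
    return f"{_HEADER}.{_b64url(json.dumps(claims).encode())}.sig"

def sample_verify(token: str) -> bool:  # stand-in for JWKS signature verification
    return token.endswith(".sig")

def sample_fetch(url: str) -> dict:  # stand-in for the delegated Admin SDK call
    user = parse_qs(urlparse(url).query)["userKey"][0]
    return {"groups": [{"email": g} for g in SAMPLE_DIRECTORY.get(user, [])]}

def workspace_claims(email: str, **overrides) -> dict:
    claims = {"iss": "https://accounts.google.com", "aud": CONFIG.client_id, "exp": NOW + 300,
              "email": email, "email_verified": True, "hd": "example.com"}
    claims.update(overrides)
    return claims

def login_decision(claims: dict, cfg: GisConfig = CONFIG) -> str:
    """Run the whole flow over the sample data: 'allowed <email>' or 'denied <reason>'."""
    try:
        return "allowed " + authorize_admin_login(make_unsigned_token(claims), cfg, "example.com",
                                                 sample_verify, sample_fetch, NOW)
    except PermissionError as exc:
        return f"denied {exc}"
```

Running `login_decision(workspace_claims("alice@example.com"))` allows alice, the same call for bob is denied because he is only in eng@example.com, and a consumer account whose claims lack hd is denied before any group lookup. With allowed_groups left empty, every Workspace user who passes the claim checks is allowed, which is the default behaviour the section above describes.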