This page will guide you through the steps to configure your company's Google Workspace (formerly G Suite) as the single sign-on (SSO) provider for Spencer, so your employees can use their Google account to log in.
Create a Google project
#1 Navigate to https://console.developers.google.com.
#2 In the top-left corner, click "Select a project", then "New project".
#3 Choose a name (e.g. "Spencer") and click "Create".
Create a consent screen
The consent screen is what end users see when logging in; it asks them to approve that Spencer may use their data.
#1 Browse to the Credentials section of your project and click Create credentials.
#2 Click OAuth client ID. You'll be prompted with a screen (screenshot) stating that you first need a consent screen. This consent screen is served to the user on login so they can consent to Spencer using their basic profile info.
#3 Click Configure consent screen; you'll be guided to a new screen.
#4 Select Internal (this application is only for users inside your organization) and click Create.
#5 Enter Spencer as the application name and complete the support information (see screenshot), preferably with a contact inside your organization. Since this is for internal use, upload an image of Spencer as the app icon.
#6 Add spencer.co to Authorized domains and click Save.
You'll be guided to an overview page (see screenshot)
Enable APIs
Enable the relevant APIs if your Spencer deployment is going to use meetings (Google Calendar), etc.
If not, you can skip this step and go to Create an OAuth Client ID.
#1 Click Enable APIs and Services when you're in the Dashboard section.
You'll be guided to the overview (see screenshot).
#2 Type calendar in the search bar.
#3 Click Google Calendar API; you'll be guided to a detail screen (see screenshot). Click Enable.
#4 You'll be guided back to a new overview. The consent screen has to be updated to include these scopes so the user can consent to the Calendar permissions. Browse back to APIs & Services by clicking the menu icon and selecting APIs & Services.
Once there, click Edit app (see below).
#5 In edit mode, click Add scope.
#6 Add the following scope items:
calendar.events.readonly
calendar.events
calendar
calendar.readonly
calendar.settings.readonly
Click Save.
Create an OAuth Client ID
#1 Click Credentials in the menu. Click Create credentials and select OAuth client ID.
#2 Select Web application and enter Spencer in the Name field. Add the redirect URL provided by Spencer, https://spencerlogin.b2clogin.com/spencerlogin.onmicrosoft.com/oauth2/authresp, under Authorized redirect URIs. Enter it exactly as given: Google only sends the authorization response to URIs on this list. After completing all of the above, click Create.
You'll get a confirmation screen with the Client ID and Client secret. You don't have to copy-paste these credentials; in the next step you can download a JSON file that contains both. Click OK.
#3 In the overview, click the download icon and provide this JSON to Spencer. The file contains the client secret, so treat it as a secret and keep no unnecessary copies.
Create a Service Account for User Sync
The final step on the G Suite side is to make sure users are synced with Spencer.
#1 Click the hamburger menu, then click or hover over Service accounts.
#2 You'll be guided to the service account overview screen. Click Create service account.
#3 Enter a useful service account name such as Spencer Sync. Click Create.
#4 Click Continue to skip the optional permission step.
#5 Click Create key and select JSON. Click Create.
#6 Download the file and send it to customersuccess@spencer.co. This file contains the service account's private key and is a long-lived credential: treat it as a secret and keep no unnecessary copies.
#7 Go back to Service accounts and click on your newly created Spencer Sync account. Domain-wide delegation has to be enabled: open the dropdown and tick Enable G Suite Domain-wide Delegation. Copy the Unique ID (it is the same value as client_id in the downloaded JSON key file); you'll need it later in Grant a generic user read rights to impersonate.
#8 Enable the Admin SDK: browse back to the dashboard of your project and click Enable APIs and services.
#9 Search for Admin SDK and click Enable.
#10 After enabling the Admin SDK, do the same for the People API: search for People API and enable it.
Grant a generic user read rights to impersonate
Only users with access to the Admin APIs can access the Admin SDK Directory API, so your service account needs to impersonate one of those users to reach the Admin SDK Directory API. Additionally, that user must have logged in at least once and accepted the G Suite Terms of Service.
#1 Browse to https://admin.google.com and click Security.
#2 Scroll down to Advanced settings and click it.
#3 Click Manage API client access.
#4 You'll be guided to a screen where you need to enter the client name and scopes. Client name: the Unique ID from your service account. Scopes:
If user sync only:
https://www.googleapis.com/auth/admin.directory.user.readonly
If meetings are included:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly
https://www.googleapis.com/auth/calendar.readonly
https://www.googleapis.com/auth/calendar.events
Add them (all scopes for the client ID go into one entry, comma-separated) and click Authorize. Note that https://www.googleapis.com/auth/calendar.events grants read and write access to calendar events, not read-only access, so only authorize it if Spencer needs to create or modify meetings.
#5 Next, create a dedicated role for Spencer with read rights only. Enter Spencer in the Name field and a useful description for later reference, such as "Special role for the Spencer application". Click Continue.
#6 Scroll down to Users under Admin console privileges, tick the Read box and click Continue.
#7 Google will present an overview screen to review. Click Create role.
#8 In the last steps, select the user who will be granted these privileges and impersonated by the service account. Spencer advises using a generic user such as ops@spencer.co rather than a personal account. Keep Google's note above in mind: this user must have access to the Admin APIs, must have logged in at least once and must have accepted the G Suite Terms of Service.
Search for that user and click Assign roles.
#9 Enable the special Spencer role and save.
You are officially done! Make sure you have provided all the information to Spencer, in particular the OAuth client JSON and the service account key JSON.
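As an added, stand-alone check (example code written for this page, not Spencer's or Google's), the Python script below validates the two JSON files produced in Create an OAuth Client ID and Create a Service Account for User Sync before they leave your hands, extracts the Unique ID that Manage API client access asks for from the key file, and builds the unsigned domain-wide-delegation assertion that a client such as Spencer signs with the key to act as the chosen user: the sub claim names the impersonated user, and every scope in the scope claim must already be authorized for that client ID in the admin console. The JSON documents embedded in the script are constructed stand-ins with made-up values and a placeholder private key; the user ops@spencer.co, the scope lists and the redirect URI are the ones quoted in this guide.

```python
"""Pre-flight checks for the OAuth client JSON and service-account key JSON from
this guide, plus the unsigned domain-wide-delegation (DWD) assertion.
Added example, not Spencer's or Google's code. The embedded JSON documents are
constructed stand-ins (field names as in Google's exports, values made up, the
private key is a placeholder); nothing here contacts Google or signs anything."""
import base64
import json
import time

# Redirect URI quoted in "Create an OAuth Client ID".
SPENCER_REDIRECT_URI = (
    "https://spencerlogin.b2clogin.com/spencerlogin.onmicrosoft.com/oauth2/authresp"
)

# Scopes quoted in "Grant a generic user read rights to impersonate".
USER_SYNC_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
]
MEETINGS_SCOPES = USER_SYNC_SCOPES + [
    "https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/calendar.events",
]

# Constructed sample of the downloaded OAuth client JSON ("web" = Web application).
OAUTH_CLIENT_JSON = json.dumps({
    "web": {
        "client_id": "000000000000-example.apps.googleusercontent.com",
        "client_secret": "EXAMPLE-SECRET",
        "redirect_uris": [SPENCER_REDIRECT_URI],
    }
})

# Constructed sample of the service-account key JSON (placeholder key).
SERVICE_ACCOUNT_JSON = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "spencer-sync@spencer-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})


def check_oauth_client(raw):
    """Return a list of problems with an OAuth client JSON (empty list means OK)."""
    web = json.loads(raw).get("web")
    if web is None:
        return ["not a Web application client (no 'web' key)"]
    problems = [f"missing {f}" for f in ("client_id", "client_secret", "redirect_uris")
                if not web.get(f)]
    if SPENCER_REDIRECT_URI not in web.get("redirect_uris", []):
        problems.append("Spencer redirect URI not in authorized redirect URIs")
    return problems


def dwd_unique_id(raw):
    """The Unique ID the admin console asks for is the key file's client_id."""
    sa = json.loads(raw)
    if sa.get("type") != "service_account" or "private_key" not in sa:
        raise ValueError("not a service-account key file")
    return sa["client_id"]


def unauthorized_scopes(requested, authorized):
    """Requested scopes that were never authorized for the client ID in the console."""
    return sorted(set(requested) - set(authorized))


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def dwd_signing_input(raw, subject, scopes, authorized, now=None):
    """Build header.payload of the JWT a DWD token request signs with the key.
    'sub' names the impersonated user. The RS256 signature over this string is
    left to a library such as google-auth, which is why no key is used here."""
    missing = unauthorized_scopes(scopes, authorized)
    if missing:  # Google's token endpoint would answer unauthorized_client
        raise ValueError("scopes not authorized in admin console: " + ", ".join(missing))
    sa = json.loads(raw)
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": sa["client_email"],
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": "https://oauth2.googleapis.com/token",
        "iat": now,
        "exp": now + 3600,
    }
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())


def decode_claims(jwt_string):
    """Decode the claim set of a JWT string without verifying any signature."""
    payload = jwt_string.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

To use it on real files, replace the two embedded strings with the contents of the downloaded JSON documents. A request for a scope outside the authorized list is rejected locally by dwd_signing_input, which is the same condition that makes Google's token endpoint reject the assertion with unauthorized_client after the files have been handed over.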