Google Single Sign On Setup
What is Google single sign-on (Google SSO)?
Google SSO allows organizations that use Google Apps, Google Apps for Education, or G Suite for their email to log into the Edlio CMS using those same accounts.
Why use Google SSO?
Simplicity and security. Reducing the number of passwords a user has, and the number of places where a user is managed, simplifies administration. Google's account security is quite good. Their two-factor authentication, password reset flows, and intrusion detection systems are impressive.
How can I set up Google SSO?
Google SSO uses OAuth 2.0. You'll need to go to the Google API Console to set up a project with the appropriate APIs enabled and create credentials to send to us.
Before you begin, contact Edlio Support to request the JavaScript origins and redirect URIs you will need to enter in Step 4.B.
Detailed instructions are below:
- Access the Google API Console (Google Developers Console)
- Create a new project
- Enable the APIs
- Add credentials
- Send us the Credentials.
Google updates its interfaces frequently and we do our best to keep the screenshots here up-to-date. Google also personalizes your experience based on your account access and settings. Please understand that the screens here may not perfectly match what you see in Google.
1. Access the Google API Console (Google Developers Console)
- Log into your Google account.
- Go to the Google API Console
- Select your organization from the menu in the top-left corner
- In the popup window choose "New Project"
2. Create a new project
- In the dialog box that appears enter a name for the project.
- Google will suggest a project ID based on the project name, but you may edit it if you wish.
- Click the "Create" button.
- You'll see an activity start. When the activity has completed, proceed to Step 3.
3. Enable the APIs
A. Enable Google+ API
The Google+ API is required because it provides the user profile information we use for the user's profile. The API is somewhat misnamed: it is not specific to the now-defunct Google+ social network, but provides basic data about all Google users.
The Google+ API can be activated even if your organization does not use Google+. Enabling the Google+ API will not turn on the Google+ social network.
- Click "Enable APIs and Services" on the Dashboard (or use the left menu to go to "Library").
- Search for Google+ API
- Then choose "Google+ API" from the search results.
- Now click the "Enable" button.
B. Enable API for Admin SDK
The Admin SDK provides access to the Directory API, which in turn provides access to the Organizational Unit and Groups information.
As you did for the Google+ API, search for the Admin SDK in the Library and then enable it.
4. Create credentials
A. Create a Client ID
- From the dashboard, click the "Create credentials" button.
- On the "Add credentials to your project" screen, you will see the sentence "If you wish you can skip this step and create an API key, client ID or service account". Click the "client ID" option.
B. Set up the consent screen
Before you can create your credentials, you will be required to configure a consent screen. Users will see the consent screen the first time they log into your website's admin area using their Google account. It's how Google gains their permission to share their account information with you for the purposes of logging them into your website.
The configuration of the consent screen will look similar to this:
- Select "Internal" for the application type.
- In the "Authorized Domains" box, add "edlioadmin.com".
- Select your support email.
This email address will be shown to users on the consent screen. You can use your email address or a Google Group email address that you manage.
- On the next page, you will add the scopes for your application. You will want to include the following scopes:
  - /auth/userinfo.email
  - /auth/userinfo.profile
  - openid
  - Admin SDK API: /auth/admin.directory.user.readonly
- Click "Save and Continue"
C. Create an OAuth 2.0 client ID
- Click "Create Credentials"
- Select "OAuth client ID"
- For application type, select "Web Application"
- Give your application a name. This is for your internal use, but we recommend naming it something like "Edlio SSO" so you know what the application is.
- Enter the JavaScript origins and redirect URIs provided by Edlio Technical Support. There will be one JavaScript origin URI and one redirect URI per site.
- Click "Create".
D. Download credentials
- From the dashboard, click the download icon to save a copy of the credentials to your computer.
This is the file Edlio needs in order to set up Google single sign-on for your website.
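A check you can run on the file downloaded in Step 4.D before sending it, as an added example that is not Edlio's or Google's code. It assumes the usual layout of Google's downloaded client file (a top-level "web" object holding client_id, client_secret, redirect_uris and javascript_origins) and that the URIs supplied by support fall under the authorized domain entered in Step 4.B; the function name, hostnames and sample values are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a downloaded OAuth client file; every value is a placeholder.
SAMPLE = json.loads("""{"web": {
  "client_id": "000000000000-placeholder.apps.googleusercontent.com",
  "project_id": "placeholder-project",
  "client_secret": "PLACEHOLDER-SECRET",
  "redirect_uris": ["https://placeholder.edlioadmin.com/callback"],
  "javascript_origins": ["https://placeholder.edlioadmin.com"]}}""")


def check_credentials(doc, origins, redirects, authorized_domain="edlioadmin.com"):
    """Return a list of problems; an empty list means the file matches the steps."""
    web = doc.get("web")
    if web is None:
        # Step 4.C asks for a "Web Application" client; other types use another key.
        return [f"not a Web Application client (found: {', '.join(doc) or 'none'})"]
    problems = []
    if not web.get("client_id", "").endswith(".apps.googleusercontent.com"):
        problems.append("client_id is missing or malformed")
    if not web.get("client_secret"):
        problems.append("client_secret is missing")
    for name, expected in (("javascript_origins", origins), ("redirect_uris", redirects)):
        listed = web.get(name, [])
        for uri in expected:
            if uri not in listed:
                problems.append(f"{name}: {uri} from support is not registered")
        for uri in listed:
            parts = urlsplit(uri)
            host = parts.hostname or ""
            if parts.scheme != "https":
                problems.append(f"{name}: {uri} is not https")
            # Exact match or a true subdomain; a lookalike suffix must not pass.
            if host != authorized_domain and not host.endswith("." + authorized_domain):
                problems.append(f"{name}: {uri} is outside {authorized_domain}")
            if name == "javascript_origins" and (parts.path.strip("/") or parts.query):
                problems.append(f"{name}: {uri} must not carry a path or query")
            if parts.fragment:
                problems.append(f"{name}: {uri} must not carry a fragment")
    return problems


if __name__ == "__main__":
    uri = "https://placeholder.edlioadmin.com"  # constructed stand-in for support's values
    print(check_credentials(SAMPLE, [uri], [uri + "/callback"]) or "file looks consistent")
```

Replace the placeholder URIs with the values support gave you and load your own file with `json.load` in place of `SAMPLE`.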
5. Send us the Credentials.
- Contact Edlio Technical Support. (If you requested the JavaScript origins and redirect URLs through a support case, you may reopen the case.)
- Attach the credentials file you downloaded to the support case and request that we enable Google SSO for your website.
Additional Resources
G Suite / Google Apps Administrator Help: Enable API access in the Admin console
Google Identity Platform Help: Using OAuth 2.0 to Access Google APIs