Google Services
Before choosing Google Services rather than the Google SAML application to log in with your Google Workspace account, evaluate the potential cost implications of using Google Services.
Prerequisites
-
Administrator access to the Harmony SASE Administrator Portal.
-
Administrator account for the Identity Provider Management Portal.
High-Level Procedure
Step 1 - Generate the Google Client ID and Client Secret
-
Log in to the Google Cloud Console (the APIs & services pages are in the Cloud Console, not in the Workspace Admin Console).
-
Open the console's left-side menu, select APIs & services, and then select Credentials.
-
Select a project.
-
If you do not have a project defined on Google Cloud Platform:
-
Go to OAuth consent screen, select User Type as External and then click Create.
The Edit app registration page appears. The information you enter here is shown to users so that they can identify your organization and contact you.
-
In the OAuth consent screen section, enter these values:
-
Select the Application Type as Public.
-
In the Application Name field, enter a name for the application.
-
In the User support email field, enter an email address. Users contact this address with questions about the consent.
-
(Optional) To add a logo, in the Add logo field, click Browse and select the logo.
-
In the Application Homepage link field, enter your Harmony SASE workspace URL.
-
In the Authorized domains section, enter your domain name and click Add Domain.
-
In the Developer contact information field, enter your support email address.
-
Click Save and Continue.
-
-
In the Scopes section, select these options:
-
Click Add or Remove Scopes.
-
Select these scopes:
-
userinfo.email
-
userinfo.profile
-
openid
-
-
Click Update and then click Save and Continue.
-
-
(Optional) In the Test users section, add the accounts that should be able to sign in to the application while it is still in testing.
-
To skip adding test users and continue, click Save and Continue.
Google creates your project and when the process completes, it prompts you to create credentials.
-
Click Create credentials and then select OAuth client ID.
Google shows the warning "To create an OAuth client ID, you must first set a product name on the consent screen".
-
Click Configure consent and enter the product name that users see when they log in through Google.
-
Google prompts you to provide additional information about the newly-created app. Enter these details:
-
In the Application type, select Web application.
-
In the Name field, enter a name for the application.
-
In the Restrictions section, enter these details:
-
Authorized JavaScript origins: https://auth.perimeter81.com
-
Authorized redirect URI: https://auth.perimeter81.com/login/callback (enter it exactly as shown; Google matches redirect URIs exactly, so a different scheme, host, path or a trailing slash is rejected at login time)
-
-
Click Create.
-
-
If Google shows the "unverified app" screen before the consent screen for your app, complete the OAuth Developer Verification.
-
Copy the Client ID and Client Secret. Treat the Client Secret as a credential: store it in a secrets manager and do not paste it into tickets, chat or source control.
Step 2 - Enable the Admin SDK Service
To connect to Google Workspace domains, you must enable the Admin SDK service. To do that:
-
Log in to the Google Cloud Console with an administrator account.
-
From the console's left-side menu, select APIs & services, and then select Library.
-
Select Admin SDK.
-
On the Admin SDK page, click Enable.
Step 3 - Configure the Harmony SASE Administrator Portal
-
Log in to the Harmony SASE Administrator Portal with an administrator account.
-
Go to Settings > Identity Providers.
-
Click Add Provider.
The Add identity provider pop-up appears.
-
Select Google Workspace and click Continue.
-
In the Google Apps Domain field, enter your corporate domain name.
-
In the Domain Aliases field, enter any additional business domain names, separated by commas or spaces.
-
In the Client ID field, enter the client ID.
-
In the Client Secret field, enter the client secret.
-
Click Done.
The Edit Google Apps connection pop-up appears.
Harmony SASE must be authorized to use Google's Admin APIs. To do that, you authenticate the application with a Google Workspace account.
-
If you are an administrator in Google Workspace, or you have the credentials of such a user, click Continue and authenticate the application.
Best Practice - Authenticate with a dedicated service user account that has the required Admin SDK permissions, not with a named administrator's personal account. If you authenticate with a personal administrator account and that administrator leaves the organization, you must create a new Client ID and Client Secret and then re-authenticate with a different user.
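What a relying party does with the values configured in Step 1 and Step 3, as an added example in Python (this is not code from Check Point, Harmony SASE or Google; Harmony SASE performs these checks internally): it builds the authorization request with the three scopes and the registered redirect URI, checks state on the callback, splits the Domain Aliases field, and refuses any ID token whose hd claim is not the Google Apps Domain or one of its aliases. The client ID, domains and tokens are constructed placeholders; only Google's authorization endpoint is real. Signature verification against Google's JWKS is assumed to happen before the claims are validated and is not shown because it needs network access.

```python
"""Added example: relying-party side of the Google Workspace OAuth/OIDC login above."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Values taken from the procedure above.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
REDIRECT_URI = "https://auth.perimeter81.com/login/callback"   # Step 1, Restrictions
SCOPES = ("openid", "email", "profile")                        # Step 1, Scopes
VALID_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def build_authorization_request(client_id, hd_hint):
    """Return (url, state, code_verifier) for the first redirect to Google.

    state and code_verifier are stored server-side, bound to the browser session,
    and checked at the callback. PKCE (RFC 7636, S256) is added on top of the
    client secret so an intercepted authorization code is useless on its own.
    """
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,      # must equal the registered URI exactly
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "hd": hd_hint,  # UI hint only; the hd claim in the ID token is what is enforced
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}", state, code_verifier


def validate_callback(query_string, expected_state):
    """Check the query string Google appends to the redirect URI before exchanging the code."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible login CSRF")
    return params["code"]


def parse_domain_aliases(text):
    """Split the Domain Aliases field (comma- or space-separated) into lowercase domains."""
    return [d.lower() for d in text.replace(",", " ").split()]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Return the claims of a compact JWT. Signature verification is NOT done here;
    a real deployment verifies the RS256 signature against Google's JWKS first.
    Tokens declaring alg 'none' are rejected outright."""
    header_b64, payload_b64, _sig = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg", "none").lower() == "none":
        raise ValueError("unsigned token rejected")
    return json.loads(_b64url_decode(payload_b64))


def validate_workspace_claims(claims, client_id, primary_domain, domain_aliases, now=None):
    """Accept only a current Google token, issued to this client, for a verified account
    in the corporate domain or one of its aliases. Returns the email or raises."""
    now = time.time() if now is None else now
    if claims.get("iss") not in VALID_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token issued for a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified")
    allowed = {primary_domain.lower(), *domain_aliases}
    # Google sets hd only for Workspace accounts. Because the consent screen is
    # External, a consumer Gmail account can reach this point; it has no hd claim
    # and must be refused, otherwise any Google account could log in.
    if claims.get("hd", "").lower() not in allowed:
        raise ValueError("account is not in an allowed Workspace domain")
    return claims["email"]


def _constructed_token(payload):
    """Constructed sample ID token for offline use; the signature is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample'})}.{enc(payload)}.placeholder-signature"


# Constructed sample inputs (placeholder client ID and domains, not real values).
SAMPLE_CLIENT_ID = "000000000000-sample.apps.googleusercontent.com"
SAMPLE_WORKSPACE_TOKEN = _constructed_token({
    "iss": "https://accounts.google.com", "aud": SAMPLE_CLIENT_ID, "exp": 1_900_000_000,
    "email": "alice@example.com", "email_verified": True, "hd": "example.com",
})
SAMPLE_GMAIL_TOKEN = _constructed_token({   # consumer account: no hd claim
    "iss": "https://accounts.google.com", "aud": SAMPLE_CLIENT_ID, "exp": 1_900_000_000,
    "email": "someone@gmail.com", "email_verified": True,
})
```

The hd check is the part that matters for this setup: the consent screen is registered as External, so Google will happily issue tokens for personal accounts, and the Google Apps Domain and Domain Aliases fields in Step 3 are what turn a "sign in with Google" button into "sign in with our Workspace".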
Note - After the first successful authentication of a member with SAML, Harmony SASE does this: