Google for Kora SSO
Google restricts access to the emails, Drive files and Distribution Lists (DLs) of a G Suite domain. For Kora Enterprise admins in a G Suite domain, access is provided by creating a service account in Google Cloud Platform on behalf of the G Suite system administrator and adding the required scopes for domain-wide delegation of authority.
If you enable ‘Access DLs’ in Kora, complete the steps below and then enter the resulting configuration in the Kora Enterprise admin console.
Refer to the following links for further details:
Create the service account and credentials
The following are the steps to create a service account and its credentials, which are required for G Suite domain-wide delegation of authority. Kora uses the credentials created here to authorize the actions the service account takes.
- Open the Service accounts page. If prompted, select a project; if no project is available, create one by clicking CREATE PROJECT, then select it.
- Click + Create Service Account and enter a name and description for the service account. You can use the default service account ID or choose a different, unique one. When done, click Create.
- Skip the optional Service account permissions (optional) section and click Continue.
- On the Grant users access to this service account screen, scroll down to the Create key section. Click + Create key.
- From the side panel, select the format for your key: JSON is recommended.
- Click Create. Your new public/private key pair is generated and downloaded to your machine; Google does not keep a copy, so this file is the only copy of the private key. Treat it as a secret. For information on how to store it securely, see Managing service account keys.
- Click Close on the Private key saved to your computer dialog, then click Done to return to the table of your service accounts.
To enable G Suite domain-wide delegation, follow these steps:
- Locate the newly created service account in the table. Under Actions, click the three-dot menu, then Edit.
- In the service account details, click Show domain-wide delegation, then ensure the Enable G Suite Domain-wide Delegation checkbox is checked.
- If you haven’t yet configured your app’s OAuth consent screen, you must do so before you can enable domain-wide delegation. Follow the on-screen instructions to configure the OAuth consent screen, then repeat the above steps and re-check the checkbox.
- Click Save to update the service account, and return to the table of service accounts. A new column, Domain-wide delegation, can be seen. Click View Client ID, to obtain and make a note of the client ID.
Ensure that “Admin SDK”, “Gmail API” and/or “Drive API” are enabled for the already selected project, by following the steps below:
- Click the Navigation menu at the top left
- Click APIs & Services
- Click Library
- Search for ‘Admin SDK’ in the search box
- Click ‘Admin SDK’ to open it
- Make sure it is Enabled
- Repeat the search, open and enable steps for “Gmail API” and “Drive API”, if needed.
Delegate domain-wide authority to your service account
The service account that you created needs to be granted access to the G Suite domain’s user data that you want to access. The following tasks have to be performed by an administrator of the G Suite domain:
- Go to your G Suite domain’s Admin console.
- Select Security from the list of controls. If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
- Select Advanced settings from the list of options.
- Select Manage API client access in the Authentication section.
- In the Client name field, enter the client ID obtained from the service account creation steps above.
- In the One or More API Scopes field, enter the scopes required for your application, comma-separated (for a list of possible scopes, see Authorize requests). Grant only the scopes Kora actually needs; the read-only variants below are sufficient for DL and email search.
- For example, if you require domain-wide read access to Users, Groups and Reports enter: https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly
- For Email Search access: https://www.googleapis.com/auth/gmail.readonly
- For Drive Search https://www.googleapis.com/auth/drive
- Click the Authorize button.
Your service account now has domain-wide access to the Google Admin SDK Directory API, Gmail API and/or Drive API for all the users of your domain. You are ready to instantiate authorized Admin SDK Directory, Gmail and Drive service objects on behalf of your G Suite domain’s users.
Note: Only users with access to the Admin APIs can use the Admin SDK Directory API, so the service account must impersonate such a user (in Kora, the Admin Email entered below) when it calls the Directory, Gmail and Drive APIs. Additionally, the impersonated user must have logged in at least once and accepted the G Suite Terms of Service.
Once the above steps are completed, the following details need to be entered into the Kora Enterprise Admin console:
- Client Email,
- Private Key and
- Admin Email.
The values for Client Email and Private Key come from the downloaded JSON key file: the client_email and private_key fields respectively. Copy the private_key value intact, including its BEGIN/END lines and line breaks.
Admin Email is the email address of an administrator of the G Suite domain; this is the user the service account impersonates.
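The following is an added example, not Kora's own code, showing what happens with the three values above once they are entered: the client_email and private_key are read out of the key file, the scopes Kora will request are checked against the list the G Suite admin authorized in "Manage API client access", and the claim set of the JWT that Google's service-account flow exchanges for an access token is built, with `sub` set to the Admin Email so the calls run as that administrator. The key file, the admin address admin@example.com and the authorized scope list are constructed for the example; the private_key body is a placeholder, and the RS256 signature that the real OAuth client library adds over the private key is omitted.

```python
import base64
import json
import time
from typing import Dict, Iterable, List, Optional

# Constructed sample of a downloaded service-account key file (not a real key).
# A real file carries a full PKCS#8 PEM block in private_key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...placeholder...\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "kora-sso@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed: the scopes the G Suite admin authorized for this client ID under
# "Manage API client access" (DLs and email search only; Drive was not authorized).
AUTHORIZED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
}

TOKEN_URI = "https://oauth2.googleapis.com/token"


def extract_kora_fields(key_file_json: str) -> Dict[str, str]:
    """Pull Client Email and Private Key out of the JSON key file and sanity-check them."""
    data = json.loads(key_file_json)
    if data.get("type") != "service_account":
        raise ValueError("not a service-account key file (type != service_account)")
    client_email = data.get("client_email", "")
    if not client_email.endswith(".iam.gserviceaccount.com"):
        raise ValueError("client_email does not look like a service-account address")
    # A key pasted through a form sometimes arrives with literal "\n" instead of line
    # breaks; restore them, because a PEM block with escaped newlines will not parse.
    pem = data.get("private_key", "").replace("\\n", "\n").strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM PKCS#8 private key block")
    return {"client_email": client_email, "private_key": pem,
            "client_id": data.get("client_id", "")}


def missing_scopes(requested: Iterable[str], authorized: Iterable[str]) -> List[str]:
    """Scopes requested in the assertion but not authorized in the Admin console.

    A non-empty result means the token request will be refused (unauthorized_client);
    the fix is in the Admin console's scope list, not in the code."""
    return sorted(set(requested) - set(authorized))


def delegation_claims(client_email: str, admin_email: str, scopes: List[str],
                      now: Optional[int] = None, lifetime: int = 3600) -> Dict[str, object]:
    """Claim set of the JWT a service account exchanges for an access token.

    'iss' is the service account, 'sub' is the domain user being impersonated (the
    Admin Email entered in Kora), 'scope' is the space-separated scope list."""
    if lifetime > 3600:
        raise ValueError("Google rejects assertions valid for more than one hour")
    now = int(time.time()) if now is None else now
    return {"iss": client_email, "sub": admin_email, "scope": " ".join(scopes),
            "aud": TOKEN_URI, "iat": now, "exp": now + lifetime}


def _b64url(raw: bytes) -> str:
    # JWS uses base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unsigned_jwt(claims: Dict[str, object]) -> str:
    """header.payload of the assertion. The third segment, the RS256 signature made with
    private_key, is what the OAuth client library adds and is left out here."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def decode_segment(segment: str) -> Dict[str, object]:
    """Inverse of _b64url for inspecting an assertion segment."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


if __name__ == "__main__":
    fields = extract_kora_fields(SAMPLE_KEY_FILE)
    wanted = sorted(AUTHORIZED_SCOPES) + ["https://www.googleapis.com/auth/drive"]
    print("not authorized in Admin console:", missing_scopes(wanted, AUTHORIZED_SCOPES))
    claims = delegation_claims(fields["client_email"], "admin@example.com",
                               sorted(AUTHORIZED_SCOPES), now=1_700_000_000)
    print(unsigned_jwt(claims))
```

Two checks here are worth keeping in mind when Kora reports an authorization failure: the `scope` string in the assertion must be a subset of what was entered against the client ID in the Admin console (a single extra scope, such as Drive when only DL and email scopes were authorized, fails the whole request), and `sub` must be a real administrator who has signed in at least once, because Google issues the token on that user's behalf.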