Google Workspace (G Suite)
Pre-requisites
- Requires a Google Workplace subscription. Works with all pricing tiers.
- If you already have active users in ThoughtFarmer and you're looking to switch them over to Google Workspace, please open a support request on the ThoughtFarmer Helpdesk.
Setup Google Workspace User Sync
-
Go to these instructions for Creating access credentials for Google Workspace. Follow the steps under the headings Service account credentials, including Optional: Set up domain-wide delegation for a service account to create a service account and set up domain-wide delegation of authority.
- Service Account
- No roles need to be added to the service account, click Continue.
- No user access needs to be added to the service account, click Continue.
- Domain-wide Delegation
- The Unique ID shown under Advanced Settings > Domain-wide Delegation will be used for the Client ID in the domain-wide delegation
-
When configuring domain-wide delegation, enter the following API scopes where required:
-
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.userschema
-
- Service Account
Google Workspace Marketplace OAuth Client
Click on the Service Account that was created, expand Advanced settings, and under the Google Workspace Marketplace-Compatible OAuth Client section, click on Configure.
Under the OAuth consent screen, select Internal in the User Type section. Click Create.
Under App Information, the following fields will be filled out:
- App Name : Example, ThoughtFarmer Google Workspace
- User support email : Select the email provided on the dropdown
- Developer contact information > Email address: Administrator's email address
- Click Save and Continue
- No scopes will be added. Click Save and Continue.
ThoughtFarmer sync configuration
- Go to the Google API Library. At the top, make sure your ThoughtFarmer project is selected.
- In the search bar, search for and select Admin SDK API.
- Click the Enable button.
- In ThoughtFarmer, go to the Admin panel: Users & security section > Employee Directory Connector page.
- Click +Add new external user store.
- On the New external user store page, give the user store a name and select Google from the Type dropdown menu.
- Click Save.
- Navigate to the Configuration tab. Copy the code below and paste it into the Configuration tab. Ensure that you replace the placeholder values, preserving the double quotes.
{
"domain": "yourDomain",
"privateKey": "-----BEGIN PRIVATE KEY-----yourKeyHere-----END PRIVATE KEY-----\n",
"clientEmail": "email@yourOrganization.iam.gserviceaccount.com",
"customer": "yourCustomerValue",
"adminUser": "adminUserEmail@domain.com", "group": "yourGroupName"
}- Domain: Your organization's domain that is managed through Google Workspace.
-
PrivateKey:
- Go to Google's Service Accounts page.
- Select your ThoughtFarmer project.
- If you haven't generated a private key, access the ellipsis menu next to the service account name and choose Manage keys.
- On the Keys page, select Add Key, then create a new key in JSON format. The file will be saved to your local Downloads folder automatically.
- Open the file and note the private_key value. For best viewing, use an editor like NotePad++.
- ClientEmail: The email of the service account you created.
- Customer: Navigate to https://play.google.com/work/adminsettings?pli=1, and copy the Organization ID.
- AdminUser: The username of an active admin user. The sync will impersonate this user.
- Group: The name of the group containing users to whom you want to give ThoughtFarmer access. It is recommended to create this group in advance.
-
Click the Field Mappings tab to add additional fields.
- To create a field mapping:
- Click +Add.
- Select the relevant ThoughtFarmer field from the dropdown menu.
- Input the corresponding Google field mapping into the External store field box.
- Select Google as the Data owner.
- Click the Save icon.
- Repeat as necessary to add additional field mappings.
-
The following table lists the accepted field mappings from Google:
givenName familyName primaryEmail manager thumbnailPhotoUrl EmailHome EmailWork EmailCustom EmailOther PhoneHome PhoneWork PhoneMobile AddressHome AddressWork AddressOther EmailAlias EmployeeID JobTitle Department CostCenter BuildingID FloorName FloorSection
- Click the Synchronization Settings tab.
- Select Validate credentials. If your configuration settings are accurate, the credential validation should be successful. You might need to refresh the page to view the status of the credential validation.
- In the Daily synchronization section, you have the option to establish a schedule for executing your chosen synchronization tasks at specific times and frequencies. If you need to run a synchronization immediately, just select the checkboxes for the tasks you wish to sync and click Synchronize now.
- In case it fails:
- You can find out more about the reason for the failure under the ThoughtFarmer Admin panel: Logs & statistics section > System Logs page.
- If it is unclear, please open a support request on the Helpdesk.
- If a user doesn't have a ThoughtFarmer account, but they are a member of the Google Workspace group that ThoughtFarmer is syncing with, you can have their account automatically created after they log in without having to run a sync first. If you want this enabled, click the Basic Information tab. Select the User auto-creation checkbox. Click Save.
Limitations
There is a current limitation from Google in regard to profile images.
Regardless of the size of the photo being uploaded, the API automatically downsizes it to 96x96 pixels.
Custom Attributes
If you wish to use custom field mappings from Google, under the ThoughtFarmer External Store Field column, the customs attribute has to be in the following format:[CustomSchemaName].[CustomAttribute]
To enable the use of custom attributes, append "hasCustomSchema": "true" to your configuration settings.
Example:
{
"domain": "yourDomain",
"privateKey": "-----BEGIN PRIVATE KEY-----yourKeyHere-----END PRIVATE KEY-----\n",
"clientEmail": "email@yourOrganization.iam.gserviceaccount.com",
"customer": "yourCustomerValue",
"adminUser": "adminUserEmail@domain.com", "group": "yourGroupName",
"hasCustomSchema": "true"
}
Setup Google Workspace as an External SAML login provider
There are two parts to setting up the Google Workspace login:- Set up a custom SAML application in Google Workspace
- Add an external SAML login provider on the ThoughtFarmer site
Set up a custom SAML Application in Google Workplace
For cloud clients, ensure you use your custom site URL on your domain (e.g., https://intranet.yourCompany.com) instead of the default URL provided by ThoughtFarmer (e.g., https://intranet.thoughtfarmer.com). If you do not have a custom URL yet, please wait until it has been set up before proceeding.
- Follow the instructions for Setting up your own custom SAML application in Google Workspace.
- Make a note of the SSO URL, and Entity ID and the Certificate indicated in the steps. These values will be required for the ThoughtFarmer configuration.
- In the Service Provider Details window add the information below:
- In the Attribute Mapping step, map the Primary email attribute in the application to the Username.
-
Turn on SSO for the users to whom you want to provide ThoughtFarmer access.
-
After the SAML app is created, go to the Web and mobile apps page, and in the User Access section, click the down arrow.
- Select "ON for everyone". Click Save
-
Add an external SAML login provider on the ThoughtFarmer site
Follow these steps to add Google Workspace as an external SAML login provider in ThoughtFarmer:
-
Navigate to the Login Provider Page
In ThoughtFarmer, go to Admin Panel > Users & Security section > Login Provider page. -
Add a New Login Provider
Under External Providers, click + Add new login provider and select Custom SAML. -
Fill in the Required Fields
- Hostname: Please input your site URL, but there's no need to include 'https://' since it's already specified in the dropdown menu next to it.
- Login Provider complete hostname: Enter the SingleSignOnService value from Google Workspace, you can omit 'https://' as it's already provided in the dropdown menu next to it.
- External User Store Configuration: Select the Google Workspace external user store that you created earlier.
- Certificate: Click Advanced SAML Options to expand it. Open the downloaded certificate in Notepad and copy the certificate value into the Certificate field.
- Configuration Options: Check the box for Want Assertion Signed.
-
Issuer URL / Name: Enter the Google Workspace Entity ID.
*Certificate Expiry: In Google Workspace, go to your ThoughtFarmer SAML app > Service Provider Details. Note the certificate expiry date and ensure you renew it before expiration. Update the Certificate field in ThoughtFarmer if the certificate changes in Google Workspace.
-
Backup Admin User Setup (Optional)
Before converting your primary ThoughtFarmer admin account to a Google user, create a temporary regular user with admin privileges. This user will serve as a backup method of access in case of issues with the SAML authentication. Once no longer needed, this temporary account can be deleted. -
Convert Existing Users to Google Workspace Authentication
If you wish to convert the ThoughtFarmer user account you are logged in with to a Google user, follow these steps:- Go to Admin Panel > Users & Security > User Management.
- Search for the user in the User Management page.
- Click the gear icon next to the user’s name and select Edit Account.
- Change the Account Type to External.
- Select Google Workspace from the Employee Directory Connector Configuration dropdown.
- Enter the user’s Google Workspace username.
- Click Save.
Repeat this process for any other ThoughtFarmer users that will authenticate via Google Workspace. If the user does not yet have a ThoughtFarmer account, you can let the sync process create one. For bulk user updates, open a request with our Helpdesk.
-
Testing Login
Log out of ThoughtFarmer and attempt to log in using a user from the Google Workspace group that is synced with ThoughtFarmer. A successful login will return you to ThoughtFarmer. If the login fails, check the Admin Panel > Logs & Statistics > System Logs for errors and cross-reference the logs in Google Workspace to diagnose the issue.
Comments
0 comments
Please sign in to leave a comment.