How to configure Google Workspace for SMA Authentication with Google API (4369664)

How to configure Google Workspace for SMA Authentication with Google API

The SMA components to authenticate with API provided by Google are the following:

• Google Workspace Device Discovery and Inventory - This includes both Chromebooks and Mobile Devices that are managed by a Google Workspace Domain (formerly G Suite)
• Service Desk Queue Inbound Emails - This includes email inboxes that are part of a Google Workspace or a public Gmail inbox (OAuth only)

The SMA provides two methods for authenticating to a Google API. The method used depends on the components being used and the preference or role of the SMA administrator. Service Account Authentication is the method which requires a Service Account Key and a unique Client ID; OAuth Client Authentication — this method consist of an OAuth Client ID and a Client Secret.

Please visit the SMA Admin Guide for more details on selecting an authentication method and obtaining credentials for Google APIs.

Create and Configure a Google Cloud Platform project

The SMA is enabled to a Google API when granted access to that API for a given account. Part of the credentialing process requires setting up a Google Cloud Platform project, enabling the desired API from within it, and creating the credentials.
Please use the numbers to follow through the screenshot instructions.

1. Sign in to your developer account at Google Cloud Console  https://console.cloud.google.com )
2. Create a project.
   1. Click Projects in the left navigation bar.
   2. Click Create Project to display the New Project dialog.
   3. Type a project name.
   4. Use the auto-generated Project ID or type a unique ID of your choice.
   5. Click Create - The Project Dashboard for the new project appears.
3. Enable the Desired Google API.
   1. Perform the following for Admin SDK API and/or Gmail API
   2. Click APIs & Services in the left navigation bar to expand the section, and click Enabled APIs &Services.
   3. Click +Enable APIs and Service.
   4. Search for the API.
   5. Read and agree to the terms of service and click Enable.
4. Proceed to Create a Service Account or Create an OAuth Client Credential steps depending on the desired authentication type.

Screenshots to follow through
Steps 2 
 

Click To See Full Image.

Steps 3 

Click To See Full Image.

Step 3.4 through 

Click To See Full Image.

Click To See Full Image.

Create a Service Account

While still being logged into Google Cloud Console using the left navigation bar to create a service account.

1. Select IAM & Admin from the left navigation bar
2. Click on Service Accounts
3. Click "+" Creative Service Account  
   1. Type a Service Account name
   2. Type an Optional Description
   3. Click Create and Continue
   4. Click Done
4. Add a Service Account Key
   1. Click on the newly created Service Account
   2. Select the Keys tab then click on "ADD KEY"
   3. Select the JSON radio button and then click Create
   4. Save the JSON key file which is automatically downloaded to use later
   5. Make a note of the OAuth 2 Client ID for the Service Account

Screenshots to follow through
Step 3

Click To See Full Image.

Step 3.1 through 3.4

Click To See Full Image.

Step 4.1

Click To See Full Image.

Step 4.2

Click To See Full Image.

Step 4.5

Click To See Full Image.

Create an OAuth Client Credential

This method requires SSL access to the SMA and a public hostname to access the SMA administration console
While logged into the Google Cloud console, go to the APIs & Services section from the left navigation bar.

1. Click the OAuth consent screen in the left navigation bar
   1. Select Internal if the developer account is part of the same Google Workspace domain as the resources being accessed (organization) otherwise, choose External (any test user listed) and then click on Create
   2. Enter an App Name ( name displayed when granting access in the SMA Administration Console)
   3. Enter a Support email
   4. Enter a Developer's contact email
   5. Click Save and Continue
   6. On the Scopes page, click Add or Remove Scopes
   7. Add the following scopes by entering each one manually. Go to add scopes fields and click on Add to Table
   8. For Device Discovery and Inventory, add the following Scopes
      • https://www.googleapis.com/auth/admin.directory.device.chromeos
      • https://www.googleapis.com/auth/admin.directory.device.mobile
      • https://www.googleapis.com/auth/admin.directory.user
   9. For Service Desk Queue email, add the following Scope
      • https://www.googleapis.com/auth/gmail.modify
   10. Click on Update
   11. Click Save and Continue
2. Click on Credentials in the left navigation bar
3. Click on "+ Create Credential"
4. Select OAuth client ID
   1. Choose Web Application on Application type
   2. Give the client a name
   3. Under "Authorized redirect URIs", click "+ Add URI"
   4. Enter https://appliance_hostname/common/authorize.php for appliance_hostname. This is the hostname used to connect to the SMA Administration console
   5. Click Create
   6. Copy and Save the Client ID and Client Secret displayed to use later
   7. Click on OK

Screenshots to follow through OAuth Consent 
Step 1.1

Click To See Full Image.

Step 1.2

Click To See Full Image.

Step 1.4

Click To See Full Image.

Step 1.6

Click To See Full Image.

Step 1.9

Click To See Full Image.

Step 2 through 4

Click To See Full Image.

Step 4.1 through 4.5

Click To See Full Image.

Step 4.6

Click To See Full Image.

 

Delegate Domain Wide authority to a Service Account

This feature only applies when using a Service Account to authenticate to a Google API. It requires super admin access to the Google Workspace Admin console and it is highly recommended to secure credentials. 
Warning: when authorizing Gmail to modify the scope to a service account; access is granted to that service account for all inboxes on the domain. Service Account Key credentials should be protected accordingly.

1. Sign in to the Google Admin console at https://admin.google.com/
2. Go to Security > Access and data control > API Controls in the left navigation bar
3. Click Manage Domain Wide Delegation
4. Click Add new
5. Enter the Client ID of the Service Account created in the Service Account Creation Step
6. Add the Desired OAuth Scopes one by one to the OAuth Scopes Field
7. For Device Discovery and Inventory, add the following scopes
   1. https://www.googleapis.com/auth/admin.directory.device.chromeos
   2. https://www.googleapis.com/auth/admin.directory.device.mobile
   3. https://www.googleapis.com/auth/admin.directory.user
8. For the Service Desk Queue email, add the following scope
   1. https://www.googleapis.com/auth/gmail.modify
9. Click Authorize

Screenshots to follow through
Step 2 through 3

Click To See Full Image.

Step 4 through 5

Click To See Full Image.

Step 6 through 9

Click To See Full Image.

 

Configuring Credentials in the SMA Administration Console

1. On the Discovery Schedule or Service Desk Queue, an Email Settings screen, click the credential dropdown and click Add Credential
2. Select the Service Account or OAuth radio depending on the authentication type
3. To configure Service Account Credentials
   1. Enter an Impersonation Account email
      1. For Device Discovery - The email address of an admin with access to the devices in the Google Admin console.
      2. For Service Desk Queue - The email address to receive inbound emails from.
   2. Click Choose File under Service Account Key and browse to the JSON file saved in the Service Account Creation step.
   3. Enter a note about the credential if desired.
   4. Click Save
4. To configure OAuth Credentials
   1. Enter the Client ID from the OAuth Client Creation step
   2. Enter the Client Secret from the OAuth Client Creation step
   3. Click Generate New Code link
   4. In the new window, log into the desired Google account
      1. For Device Discovery - The account of an admin that has access to the devices in the Google Admin console.
      2. For Service Desk Queue - The email account to receive inbound emails.
   5. Click Allow on the account access screen.
   6. The Google Window will close, and the Access Code field of the Add credential page will be filled.
   7. Click Save.