IdP Setup: Google

To complete the steps below, one has to be logged in to a Google account and be a a super administrator of the Google Workspace domain (more info)

NOTE: CANNOT be IP Address or self-signed cert. Must be FQDN -  Instructions Linked Here

Step

Example screenshot

(Step 1) - Navigate to to https://console.cloud.google.com/apis/credentials

/

(Step 2) - Click on "Create credentials"

(Step 3) - Choose "OAuth client ID"

(Step 4) - In the next screen, choose "Web application"

(Step 5) - In the configuration screen we need to name our OAuth client name and input correct  Authorized redirect URIs.

NOTE

Please replace "filewave.server.com"  with the correct URL of your server instance.

https://filewave.server.com/api/auth/login_via_idp_redirect

https://filewave.server.com/api/auth/login_via_idp_redirect_for_native

https://filewave.server.com/api/auth/login_via_idp_redirect_for_device

(Step 6) - Click CREATE, and your Client ID and Client secret will be generated. Please save them for later, as they are needed when configuring the FileWave server later on.

Please note the message in grey about the OAuth access being restricted. You may also see a different message indicating that the consent screen needs to be verified. Click on the link in that grey text and ensure that the publishing status is is In Production and that the User Type is is External.

Step

Example screenshot

(Step 7) - Navigate to to https://console.cloud.google.com/apis/credentials

/

(Step 8) - Click on "Create credentials"

(Step 9) - Choose "Service account"

(Step 10) - Input required details and click "DONE".  

NOTE

Skip optional steps 2 and 3, we will take care of it later.

(Step 11) - Newly created service account should now be visible in the list of service accounts. (it might take few minutes)

(Step 12) - To create a service key key under a newly created service account, click on the service account name (step above), select the 'KEYS' tab, and click on "Add key".

(Step 13) - Click on "Create new key", select JSON type and click "Create".

(Step 14) - Service key is now downloading to your computer. Save it, as it's needed in further configuration.

Step

Screenshot

(Step 15) - Navigate to to https://console.cloud.google.com/apis/credentials

(Step 16) - Open newly created service account details, by clicking on the service account name. Click SHOW ADVANCED SETTINGS.  

Save Client ID as it will be used later on..

(Step 17) - Navigate to to https://admin.google.com/ac/owl/domainwidedelegation

(Step 18) - Click on "Add New" to create a new domain delegation.

NOTE

You will need super administrator permissions for this step.

(Step 19) - In the Client ID, put in the Client ID from step 16. In the OAuth scopes, put in the following.

https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly
Click "Authorize".

Step

Screenshot

(Step 20) -  The next to last piece is setting up a service account. A service account is a user, that is going to be used in order to access resources.

In order to add a user to a service account, navigate to to https://console.cloud.google.com/apis/credentials  and then click the service account you created, click on the the Permissions  tab, and add a user you'd like to use for accessing Google Workspace resources.

NOTE

Make sure the user has at least read access to the the User and Group resource.

The selected user's email becomes your service account account token.

Example "josh.levitsky@fwx.io"

Step

Screenshot

(Step 21) -  The last piece of the puzzle is setting up Filewave to talk to Google. Navigate to to https://filewave.server.com  replacing the address with your FileWave server. Login as fwadmin to be sure you will have proper permissions to make the next changes.

Click on the Settings gear icon at the top of the page.

(Step 22) - Edit the Terms & Conditions to have appropriate text for your organization. This text is displayed when using an IdP to enroll devices.  

(Step 23) - Click Click Setup Google Google or if you already have another IdP setup then click click New Identity Provider on the top right because this screen will look different.

(Step 24) - This is where everything comes together.  

The Name is whatever you want to call this connection.

Select if you want to use this for enrollment or for adding administrators or both.

Insert the Client ID and Secret that you saved from step 6. (Not the Client ID from later on)

The Domain is your domain.

The Service Account was the user you granted access to the project in step 20.

The Service Key is the contents of the JSON file you downloaded in in step 14.

Click Click Create once you have entered all of this information.

Step

Screenshot

(Step 25) - Now we need to enable the Admin SDK API for your project.  

Navigate to to https://console.developers.google.com/apis/api/admin.googleapis.com/overview?project=<project-number>

Fill in <project-number> is from Firebase/Project settings/General/Project number

If you are unsure what this is you can find it via logging into into http://console.firebase.google.com/  > click your Firebase Project > Click the gear icon at the top left to the right of "Project Overview" > Project Settings Settings 

(Step 26) Copy the Project number and add that to the link.

E.G G https://console.developers.google.com/apis/api/admin.googleapis.com/overview?project=600195963358

(Step 27) Click the Enable button

Step

Screenshot

(Step 28) - Now that you have configured FileWave to talk to Google for Admin you need to go into the Native Admin to enable admins to actually log in and set their permissions.

Launch the Native Admin and go to Assistants →  Manage Administrators.

(Step 29) - Click the the + on the lower-left corner and pick IdP Group Account.

On this screen, it is important to clarify that you are not defining a user here but a group of users. The The Login Name is misleading here, and should be thought of as the name of the group of users so you might put something like like Google - Desktop Techs and then for for Identity Provider Provider make sure your Google connection is selected that you set up in the prior steps. For For Group click the the Browse button and select the group that includes all of the users who will have access. If you will give all of your users the same level of permissions then you can use one group for all of your FileWave admins, but if you will use different levels of access then make an IdP Group Account on this window to define each of your groups of FileWave admins. In the image, you see a single entry for for Google which might be appropriate if all of the FileWave admins are in a single group on the Google side.  

If everything was done correctly then your Web Admin login should look like the image shown. Click to Login with Google and try to log in. If you can not log in then the user may not be in a group that was given access in in step 20  so go and check on the Google side to be sure. If the user can log in but can not perform tasks then ensure they are in the right group, and that you have configured the the Permissions tab seen on on step 20  to be sure they have the right permissions granted.