Configure Authentication (with a service account)

This section describes how to create a new service account and configure OAuth authentication with the Google Directory.

NOTE:

This procedure is subject to change. HPE recommends that you refer to the documentation for Google Directory.

To configure authentication (with a service account)

  1. Go to https://console.developers.google.com/ and log in.
  2. Create a new project, and make sure the project is selected.
  3. If not already selected, go to APIs & Services > Library.
  4. Select Admin SDK and click Enable.
  5. Select APIs & Services > Credentials.
  6. Select Create Credentials > Service Account Key.
  7. Select New Service Account.
  8. Give the new account a name, and select Role: Project > Viewer.
  9. Select Key type JSON, and then Create.

    A JSON file is saved to your machine. Keep this file, because it contains the private key for the service account and you need it in the next procedure.

  10. Find the service account you created: Menu button > IAM & Admin > Service accounts.
  11. In the table, select Edit for the new account.
  12. Select the Enable G Suite Domain-wide Delegation check box, and click Save. (This requires the Product name to be set in the OAuth consent screen, if you have not set it previously.)
  13. Click View Client ID, and copy the Client ID to be used later (this is also shown in APIs & Services > Credentials).
  14. Go to https://admin.google.com/ and log in using an administrator account.
  15. On the Admin Console menu, select Security.
  16. Select Show more > Advanced settings > Manage API Client Access.
  17. Ensure that an entry is present for the Client ID (from step 13, above), and that the following scopes are included:

    When adding scopes, copy any existing scopes, then add the new scopes (comma separated, unquoted), and click Authorize.

 

To obtain OAuth tokens

  1. In the OmniGroupServer installation directory, open oauth_tool.cfg.
  2. Configure the following section by replacing <client_email> with the e-mail address of the service account and <private_key> with the private key. The private key is available from the JSON file that was saved to your machine in the previous procedure.

    [GoogleDirectory]
    OAuthVersion=2.0
    SiteName=GoogleDirectory
    AuthorizationType=GoogleServiceAccountAuthorization
    CustomJson={"GoogleServiceAccount":"<client_email>","GoogleServiceAccountPrivateKey":"<private_key>"}

  3. From the command line, run the following command:

    oauth_tool oauth_tool.cfg GoogleDirectory

    The OAuth configuration tool generates the files oauth2_sites.bin and oauth.cfg. The file oauth.cfg contains the configuration parameters that are required by OmniGroupServer to authenticate with the directory. For information about how to configure OmniGroupServer, see Configure the OmniGroupServer Repository.
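
Step 2 of the token procedure, as an added example (not part of the HPE documentation or tooling): a Python helper that fills the two placeholders from the downloaded key file. It assumes the values must be JSON-escaped so that the line breaks in the key stay as `\n` escapes and CustomJson remains on one line; the function names and the sample key are constructed for illustration.

```python
import json

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PLACEHOLDERS = ("<client_email>", "<private_key>")

def json_escape(value: str) -> str:
    """Escape a string for use inside a JSON string literal (no outer quotes)."""
    return json.dumps(value)[1:-1]

def fill_oauth_tool_cfg(cfg_text: str, key_json: str) -> str:
    """Replace <client_email> and <private_key> using a service account key file."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    email, pem = key.get("client_email"), key.get("private_key")
    if not email or not pem or not pem.startswith(PEM_HEADER):
        raise ValueError("client_email or private_key missing or malformed")
    for placeholder in PLACEHOLDERS:
        if cfg_text.count(placeholder) != 1:
            raise ValueError("expected exactly one %s placeholder" % placeholder)
    # Assumption: CustomJson must stay on a single line, so the PEM line
    # breaks are written as \n escapes rather than pasted as raw newlines.
    return (cfg_text.replace("<client_email>", json_escape(email))
                    .replace("<private_key>", json_escape(pem)))

def custom_json(cfg_text: str) -> dict:
    """Parse the CustomJson value back out to confirm that it is valid JSON."""
    for line in cfg_text.splitlines():
        if line.strip().startswith("CustomJson="):
            return json.loads(line.split("=", 1)[1])
    raise ValueError("no CustomJson line found")

# The section from step 2, with its placeholders still in place.
TEMPLATE = (
    "[GoogleDirectory]\n"
    "OAuthVersion=2.0\n"
    "SiteName=GoogleDirectory\n"
    "AuthorizationType=GoogleServiceAccountAuthorization\n"
    'CustomJson={"GoogleServiceAccount":"<client_email>",'
    '"GoogleServiceAccountPrivateKey":"<private_key>"}\n'
)

# Constructed sample key file: placeholder values, not a real key.
SAMPLE_PEM = PEM_HEADER + "\nCONSTRUCTED+PLACEHOLDER/NOT+A+KEY=\n-----END PRIVATE KEY-----\n"
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "ogs-reader@example-project.iam.gserviceaccount.com",
    "private_key": SAMPLE_PEM,
})
```

The filled file holds the private key in clear text, so restrict read access to it in the same way as the downloaded JSON file.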

