There are two sets of configuration steps needed for implementing Google Apps SSO:
- Configure Google SSO as the identity provider
- Set up School to integrate with Google Apps
In order to use the Google Apps SSO from Blackbaud K12 Core, the school must provide a Google Project to manage the process and provide secure access. The following steps must be completed in order to create the Google Project and prepare for Google Apps SSO activation.
Enable Google Developers Console
The Administrator for your school's Google Account needs to make sure the Google Developers Console has been turned on.
NOTE: Recommend creating a separate "Super Admin" user with an identifiable name, i.e., googlesso, to use for this integration. This is the user that will be used to authenticate the integration.
- Click the menu icon in the upper left
- Select Security
- Click API reference
- Mark the Enable API access checkbox
- Click Save
- Click the menu icon
- Select Apps
- Click Additional Google Services
- Locate Google Developers Console
- Click the corresponding menu icon on the right side of the screen
- Select ON for everyone or ON for some organizations (to make it available only to certain users)
- Click the confirmation button
Create Google Project
A Google Project must be owned by a Google account.
- Go to the Google Developers Console
- Click the menu icon to the left of "Google APIs"
- Select IAM & Admin
- Select All Projects
- Click Create Project
- Assign a Project Name
- Click Create
Enable APIs and Create Client ID and Consent Screen
A Client ID must be created to identify your Google Project to our application. The Consent screen is what the users will see whenever you request access to their private data using your client ID. It will be shown for all applications registered in this project.
- On the Google APIs screen, select Library from the API Manager menu
- Under Google Apps APIs click Admin SDK
- On the Admin SDK Dashboard, click Enable
- Click Credentials in the panel on the left
- Select the OAuth consent screen tab
- Customize the consent screen that is presented to users whenever you request access
- Contact Email Address (required)
- Product name (required)
- Homepage URL (optional)
- Product logo URL (optional)
- Terms of service URL (optional)
- Click Save
- Click Create Credentials
- Select OAuth client ID
- Under Application type, select Web application
- Enter a different client ID Name, if desired
- Under Authorized redirect URIs, the address entered identifies the route where Google will send responses (ex., https://yourschool.org/api/sso/authresponse?format=html)
NOTE: It is recommended you include two versions: https://yourschool.myschoolapp.com/api/sso/authresponse?format=html) AND http://yourschool.org/api/sso/authresponse?format=html
- Click Create - Google will create the Client ID and Client Secret needed for the next set of steps
Set up School to integrate with Google Apps:
Information configured in Google must now be added to the Google integration settings in Core.
Update Client ID and Client Secret in App
- Log into your school as a Google Apps Manager
- Navigate to Core > Settings > Integration settings
- Select the Google Apps SSO tab
- Click the Edit button
- Mark the checkbox labeled, "Enable SSO Integration"
- Click Edit
NOTE: If the Google Apps SSO has been previously set up, then only the Client ID and Client Secret from the Google Project need to be pasted into the corresponding fields.
- Click Save
- Click Authenticate (one time only) to finalize