Google Workspace can serve as the service provider to third-party identity providers (Peerdom, in this case). More details can be found here: https://support.google.com/a/answer/60224?hl=en
What to do
Write down your Google Domain
We will need your Google Domain to activate SSO authentication. The domain is usually the part after the @ in your email. For example, in john.doe@myorganisation.org, myorganisation.org is the domain we are looking for.
If you are unsure, you can check the Google Workspace admin to see what domains are available in your Google Workspace.
Enable Domain-wide delegation for the Peerdom service account
- Visit the Google Admin: https://admin.google.com
- Navigate to the Security > API Controls section and then click MANAGE DOMAIN WIDE DELEGATION under Domain wide delegation.
- Add a new API client:
If you would like to restrict access to Peerdom to certain groups, you can also add a second OAuth Scope: https://www.googleapis.com/auth/admin.directory.group.readonly
Prepare admin user email
We will need you to add an admin user email that will be used for impersonation by the service account.
Only users with access to the Admin APIs can use the Admin SDK Directory API, so your service account needs to impersonate one of those users in order to read the directory. Additionally, the user must have logged in at least once and accepted the Google Workspace Terms of Service.
This account will only be able to perform the actions defined by the scopes you assigned in Step 2. That is, it will only be able to read user data and, if you supplied the group scope, read group data.
(Optional) Create a group to define peer synchronisation
Your Peerdom directory will stay up to date with the current names and email addresses defined in your Google Workspace. If you wish to restrict access and synchronisation with Peerdom to certain people from the Workspace database, you will need to create a group with the users you’d like to synchronise and write down the Group ID.
(Optional) Create a group to restrict logins
By default, Peerdom will accept all login attempts from your top-level domain. To restrict login access to a particular group of users, create a new group, add the users you’d like to give login access to Peerdom, and write down the Group ID. This group may be the same one you created in step 4 for peer synchronisation, but it can also differ if you’d like to control logging in and synchronisation separately.
Information to send to Peerdom
- Google domain
- Admin email address from within the Google Workspace domain; the service account will impersonate this user to retrieve the data (peer names, email addresses, images)
- Enable synchronisation: yes/no
  - If yes: #5, #6, #7 are optional
  - If no: #5, #6, #7 do not apply
- (Optional) Group ID for SSO login accounts. If no group is provided, all users from your domain are able to log into Peerdom.
- (Optional) Group ID for peer synchronisation. If no group is provided, we will synchronise all users from the domain. It can be the same as or different from #4.
- (Optional) Image synchronisation: yes/no
  - Yes: synchronise images from Google Workspace
  - No: images are uploaded and managed in Peerdom
- (Optional) Default access rights. When you add a new colleague to your Google Workspace, a new peer will be created in Peerdom. We need to know what access rights to give them by default.
  - Member: View content
  - Editor: Edit content, invite/add/remove other peers
  - Owner: Edit content, invite/add/remove other peers, administer access rights
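The login and synchronisation rules described above (domain check, optional login group, optional sync group that only matters when synchronisation is enabled, default access right for new peers), modelled as an added Python example. This is not Peerdom's code; the `example.org` domain, the group IDs and the users are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class WorkspaceUser:
    email: str
    name: str
    groups: frozenset = frozenset()  # Group IDs this user belongs to (constructed)

@dataclass(frozen=True)
class SsoConfig:
    domain: str
    sync_enabled: bool
    login_group: Optional[str] = None  # restricts who may log in (applies even without sync)
    sync_group: Optional[str] = None   # restricts which users become peers (sync only)
    default_role: str = "Member"       # Member, Editor or Owner for newly created peers

VALID_ROLES = ("Member", "Editor", "Owner")

def _domain_of(email: str) -> str:
    # Case-insensitive comparison; an address without a non-empty local part and "@" yields "".
    local, sep, domain = email.strip().lower().rpartition("@")
    return domain if sep and local else ""

def may_log_in(email: str, cfg: SsoConfig, directory: dict) -> bool:
    """Login rule: address must be in the configured domain and, if a login group is set, a member of it."""
    if _domain_of(email) != cfg.domain.lower():
        return False
    if cfg.login_group is None:
        return True
    user = directory.get(email.strip().lower())
    return user is not None and cfg.login_group in user.groups

def peers_to_sync(cfg: SsoConfig, directory: dict) -> list:
    """Sync rule: nothing when sync is off; otherwise all domain users, or only the sync group's members."""
    if not cfg.sync_enabled:
        return []
    if cfg.default_role not in VALID_ROLES:
        raise ValueError(f"unknown default access right: {cfg.default_role}")
    peers = [(u.email, u.name, cfg.default_role) for u in directory.values()
             if _domain_of(u.email) == cfg.domain.lower()
             and (cfg.sync_group is None or cfg.sync_group in u.groups)]
    return sorted(peers)

# Constructed sample directory snapshot, keyed by lower-case address (not real accounts).
DIRECTORY = {u.email: u for u in (
    WorkspaceUser("alice@example.org", "Alice", frozenset({"login-grp", "sync-grp"})),
    WorkspaceUser("bob@example.org", "Bob", frozenset({"login-grp"})),
    WorkspaceUser("carol@example.org", "Carol"),
)}
```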
Once we receive this information, we will connect your Google Workspace to Peerdom and confirm that the synchronisation succeeded. Reach out to your contact person, or send it to [our support](mailto:support@peerdom.org).