One of the key features of Webdashboard is that everyone can log in to it, whether they are a customer, a supplier, the CEO or a cashier. There are multiple ways to enable this:
- You can invite anyone with an e-mail address to get a Webdashboard account.
- You can connect your own user management system to Webdashboard; this includes EntraID and Google Workspace. This gives you Single Sign-On with the same username and password you use in other environments.
This article covers:
- What benefits you have connecting Webdashboard to your Google Workspace.
- How you connect Google Workspace to Webdashboard.
- How you add Google Workspace users to Webdashboard.
Benefits connecting Google Workspace
By setting up federation with Google, you can allow invited users to sign in to Webdashboard with their own Gmail accounts. On the Sign in page, a user simply enters the email they use to sign in to Google Workspace. After clicking next they will see the familiar Google sign-in page. After signing in they are logged in to Webdashboard. When the user is already signed in to their Google Workspace account, step 2 will not be visible to them.
Federating your Google Workspace
There are 2 main parts that have to be configured for the Google Workspace federation. You need to enable the required services and create a project that gives Webdashboard consent to federate with your Workspace domain.
Part 1: Enable the required services
Browse to your Google Admin Panel at https://admin.google.com and make sure you log in with an administrator account. Then open the “Additional Google services” page that is located under Apps.
Now enable “Developer Platform” and “Google Cloud Platform” for everyone.
Figure 6 - Enable "Developer Platform" and "Google Cloud Platform"
Part 2: Create a project
This is done in the Google Cloud Platform you just enabled. Navigate to https://console.cloud.google.com/cloud-resource-manager to create the new project, and make sure you connect this project to your Google Workspace organisation.
Now that we have a project, we need to configure:
- Enable APIs,
Here the APIs the project can call are enabled.
- Consent screen,
Here you can configure the company information that everyone who logs in through this project will see, and the scopes the user has to give consent to in order to use the project.
- OAuth client,
Here we generate the Client ID and Secret Webdashboard will use to connect to your Google Workspace.
- Service account,
This is the account with which Webdashboard will use the project.
- Workspace Security,
Connect the project to your Workspace.
Enable APIs
Browse to the dashboard https://console.cloud.google.com/apis/dashboard and select ‘Enable APIs and Services’. Here search for the ‘ADMIN SDK API’ and enable it.
Figure 9 - Select 'Enable APIs and services'
Figure 10 - Search for the ADMIN SDK API
Figure 11 - Enable the API
Consent screen
Navigate to https://console.cloud.google.com/apis/credentials and make sure you have the correct project selected. Then configure the consent screen with User Type “Internal”.
Now there are 2 steps. The first is the ‘OAuth consent screen’, where you can provide your logo and name to make the logon screen familiar to your users. The second is the scopes: select ‘.../auth/userinfo.email’, ‘.../auth/userinfo.profile’ and ‘openid’. Then Save and Continue in the summary.
OAuth client
We navigate back to the Credentials page in Google Cloud Platform. Here we click ‘Create Credentials’ -> ‘OAuth client ID’. Then we need to configure this OAuth Client as a ‘Web application’ with the name ‘Webdashboard’. The ‘Authorised redirect URIs’ are vital:
- https://backend.webdashboard.com/api/Authentication/GoogleWorkspace
- https://devapi.webdashboard.com/api/Authentication/GoogleWorkspace
Once you have created this OAuth client ID, make sure you save the Client ID and Client Secret for later use.
Service Account
First create the account. Navigate back to the credentials page https://console.cloud.google.com/apis/credentials and select ‘Create Credentials’ -> ‘Service Account’.
Then under ‘Service Account details’ make clear this is for Webdashboard and under ‘Grant this service account access to the project’ choose ‘Viewer’ under ‘Basic’.
Leave the other field blank and click done.
Now we need the Service Account's Email, Unique ID and Key. For this, click on your newly created Service Account. The Email and Unique ID are on the first page. Save them for later use. Now click on the Keys tab, select ‘Add Key’ -> ‘Create new key’ and download the JSON. Save this JSON for later use.
Google Workspace Security
Now that we have configured the APIs, the account that uses them and the scopes, we need to connect this to your specific Google Workspace. Open the Admin panel https://admin.google.com, click Security and then click on ‘API Controls’.
On this page under ‘Domain-wide delegation’ select ‘Manage Domain-wide delegation’. Click Add New.
Here you fill in the ‘Unique ID’ from your service account (figure 24), add the following scopes and click ‘Authorize’:
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
Figure 28 – Use your Service Account Unique ID and https://www.googleapis.com/auth/admin.directory.group.readonly and https://www.googleapis.com/auth/admin.directory.user.readonly as scopes
Service account user
Now that all settings are done, we only need a user account to actually read data from your workspace. We are going to create a user that will act as a service account. The rights this user will need are: Groups Admin
You will need to add this account in the Webdashboard setup screen for connecting to Google Workspace.
Open the Admin panel https://admin.google.com under Users click on ‘Add a user’.
Figure 30 – Add new user
In the popup, add a user (we called it “serviceaccount”) and click on add new user. Save the email; we will need it later.
Figure 31 – Add new user popup.
Now we need to assign the role Groups Admin to the newly added user.
Browse to the new user and click on Assign roles.
Figure 32 – Assign roles to user.
Toggle the Groups Admin switch to on and save.
Figure 32 – Assign group admin role to the serviceaccount
Connect in Webdashboard
In the previous steps you saved some data that we need to connect in Webdashboard.
- Credentials json
- OAuth Client Id
- Client Secret
- Service Account (new user)
- Project name
Make sure you have all those values; if you are missing one, go back some steps to get the right information. Navigate to Settings -> Identity providers and select the Google Workspace tab. Now choose to add a new provider. Upload the JSON, complete the rest of the form and press “connect google”.
After it is connected you should see a green sign and the window will close.
Congratulations, Webdashboard and Google Workspace are now connected!
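A pre-upload consistency check for the values collected in the steps above, as an added example (not Webdashboard's own code): it compares the downloaded key file with the Unique ID entered for domain-wide delegation, and the delegated scopes and redirect URIs with the ones listed on this page. The function name `preflight` and the sample key values are assumptions constructed for illustration.

```python
import json

# Scopes and redirect URIs exactly as listed on this page.
PAGE_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}
PAGE_REDIRECT_URIS = {
    "https://backend.webdashboard.com/api/Authentication/GoogleWorkspace",
    "https://devapi.webdashboard.com/api/Authentication/GoogleWorkspace",
}
KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")


def preflight(key_json, unique_id, delegated_scopes, redirect_uris):
    """Return a list of problems; an empty list means the values agree."""
    key = json.loads(key_json)
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        return ["key file is missing: " + ", ".join(missing)]
    problems = []
    if key["type"] != "service_account":
        problems.append("key file is not a service account key")
    if key["client_id"] != unique_id:
        problems.append("delegation Unique ID differs from the key's client_id")
    if not key["client_email"].endswith(f"@{key['project_id']}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to the key's project")
    for scope in sorted(set(delegated_scopes) - PAGE_SCOPES):
        problems.append("scope beyond what this page lists: " + scope)
    for scope in sorted(PAGE_SCOPES - set(delegated_scopes)):
        problems.append("scope not delegated: " + scope)
    # Exact string comparison: a trailing slash or other variation is a mismatch.
    for uri in sorted(set(redirect_uris) ^ PAGE_REDIRECT_URIS):
        problems.append("redirect URI mismatch: " + uri)
    return problems


# Constructed sample key: same field names as a downloaded key, fake values.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "webdashboard@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})

if __name__ == "__main__":
    for problem in preflight(SAMPLE_KEY, "100000000000000000001",
                             PAGE_SCOPES, PAGE_REDIRECT_URIS):
        print(problem)
```

An empty result means the key file, the delegation entry and the OAuth client agree with each other and with the values on this page; any extra scope reported is access the integration does not need.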