Setting Up a Google Authentication Source
Setting up Google as an Authentication source for your Web Filter will allow users to seamlessly sign on to their Chromebook devices and Google services with their Web Filter policies.
To enable Google Single Sign On, follow these steps to configure Google as an authentication source.
Note: Because of the way Google authentication works, it can be used for personal overrides, but not for the “teacher override” where the override is performed for another user.
- 1. Log into Google as an administrator of your Google domain.
- 2. Navigate to https://console.developers.google.com
- 3. In the upper left, just after “Google APIs” there is a Project dropdown menu. Select the option to create a new project. A project ID will be generated automatically.
- 4. From the Library tab, search for and enable Admin SDK and Google+ API.
- 5. Click OAuth Consent Screen, then enter the product name and click Save. The product name should reflect functionality (ex. Web Filter Authentication.)
Note: Do not use the word “Google” in your Product Name, as it will cause an error.
- 6. From the credentials screen, click Credentials and then add an Oauth 2.0 client ID.
- 7. Next, choose the Credentials tab. For the Application Type, select Web Application.
- 8. Give it a name. In the Create Client ID form, fill in the Authorized redirect URI field with the publicly-available hostname of your Rocket, with an ending suffix of /auth/google_oauth2/callback. Save the credential by clicking Create.
Example: http://southernacademy.org/auth/google_oauth2/callback). Click Create.
Troubleshooting Unable to redirect URI? Check your Google Developers Console and navigate to the project created for the Google authentication source. In that project, there should be a redirect URI (http://(rocketFQDN)/auth/google_oauth2/callback). Copy that url and create a new redirect URI, saving it as https. That way, you will have both an http and https callbacks. Once complete, please resave the Google authentication source in the Rocket.
- 9. Make a note of the Client ID and Client Secret.
If you have a Cluster
setup, then you need to have an “AUTHORIZED REDIRECT URL” for the Master appliance (running Web Filter 3) that handles web filtering for any appliance that will be used for Google Authentication
Note: This is an overview of the required steps to configure the app. For specific details, please refer to the Developers Console Help.
- 1. Navigate to https://admin.google.com.
- 2. Click Security.
- 3. Click API reference.
- 4. Under API access, select (check) Enable API access.
Configure a Google Authentication Source on the Rocket Appliance
- 1. Log in to the Rocket.
- 2. Click Administration.
- 3. Scroll down to Authentication Sources.
- 4. Perform Steps a through g for every tier.
- a. Click Add Authentication Source.
- b. From the Type dropdown select Google Authentication.
- c. Enter a name, a friendly name, and the email domain (everything after the @ sign).
- d. Enter the Client ID and Client Secret you copied above.
- e. Select (check) Available to End Users.
- f. Click Save. You will be directed back to Google to give them permission to make API calls. Please note that all “scopes” (i.e., authentication information received from users) listed on this window are read-only.
You must be logged in as an administrator of your Google domain. Otherwise, it will look like everything was setup fine, however, the auth source just won’t work. A client accessing this will either get a 401 Unauthorized or 403 Forbidden when attempting to use the auth source.
Please note you must repeat these steps for each different domain that you have configured within Google. For example, if you have @Studentdomain.org and @Staffdomain.org domains they need to be setup as two different authentication sources, even if they are managed by a single Administration page, and a separate account with administration privileges in each domain will need to be used when configuring the authentication source.
If you use Google’s Admin SDK, from time to time your users may get HTTP 503 errors when they try to authenticate. This can happen when users try to authenticate and the Google Admin SDK’s query rate per day (QPD) of 150,000 requests per day has been exceeded. In addition, the QPD can also be exceeded in other circumstances.
To prevent this from occurring, you can set up billing. However, you can also configure a free Google Web Application in your Google domain and configure Google authentication on your Rocket.