Setting up Google as an Authentication source for your Rocket/Web Filter will allow users to seamlessly sign on to their Chromebook devices and Google services with their Web Filter policies. GAFE Single Sign On (SSO) can be set up by following the steps below to configure Google as an authentication source.
Because of the way Google authentication works, it can be used for personal overrides, but not for the “teacher override” where the override is performed for another user.
Configuring a Google authentication source
Note: This procedure requires Lightspeed Systems Rocket release 2.7.0rc3 or later.
Configure the Google Web App
Note: This is an overview of the required steps to configure the app. For specific details, please refer to the Developers Console Help.
- 1. Log into Google as an administrator of your Google domain.
- 2. Navigate to https://console.developers.google.com
- 3. Create a new project. A project ID will be generated automatically.
- 4. Click to enable APIs, then select and enable Admin SDK and Google+ API.
- 5. Click Credentials and then add an OAuth 2.0 client ID.
- 6. For the Application Type, select Web Application, then click Create.
- 7. In the Create Client ID form, fill in the Authorized redirect URL field with the publicly-available hostname of your Rocket, with an ending suffix of /auth/google_oauth2/callback (for example, http://example.com/auth/google_oauth2/callback).
Note: Redirect URLs must be HTTP and not HTTPS.
- 8. Make a note of the Client ID and Client Secret.
- 9. Click OAuth Consent Screen, then enter the product name and click Save.
Parent/Child Server Configuration
If you have a parent/child setup, you need an “AUTHORIZED REDIRECT URI” for the parent appliance as well as for every child appliance that handles web filtering. The redirect URL needs to be publicly available for any appliance that will be used for Google Authentication.
This will complete setup of the Google web app.
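The following check is an added example, not Lightspeed's or Google's code. It audits the redirect URIs from step 7 and the parent/child section, because Google compares redirect URIs as exact strings and a different scheme or a trailing slash is enough to break sign-in for one appliance. It assumes the client JSON downloaded from the Credentials page (with its usual `web.redirect_uris` list); the hostnames, function names and sample values are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/auth/google_oauth2/callback"  # suffix required in step 7


def expected_uri(hostname):
    """Redirect URI the procedure calls for on one appliance (HTTP, per the note)."""
    return f"http://{hostname}{CALLBACK_PATH}"


def audit_redirect_uris(client_json, appliance_hosts):
    """Return {hostname: problem} for each appliance without an exact match."""
    registered = json.loads(client_json)["web"].get("redirect_uris", [])
    problems = {}
    for host in appliance_hosts:
        if expected_uri(host) in registered:
            continue  # exact string match, which is what Google requires
        # Look at entries for the same host to explain the mismatch.
        near = [u for u in registered if urlsplit(u).hostname == host.lower()]
        if not near:
            problems[host] = "no redirect URI registered for this host"
        elif any(urlsplit(u).scheme != "http" for u in near):
            problems[host] = "registered with a scheme other than http"
        else:
            problems[host] = "path differs from " + CALLBACK_PATH
    return problems


# Constructed sample standing in for the downloaded client file. The real
# file holds the Client Secret, so keep it out of shared folders and repos.
SAMPLE_CLIENT_JSON = json.dumps({"web": {
    "client_id": "EXAMPLE-ID.apps.googleusercontent.com",
    "client_secret": "EXAMPLE-SECRET",
    "redirect_uris": [
        "http://parent.example.com/auth/google_oauth2/callback",
        "https://child1.example.com/auth/google_oauth2/callback",
        "http://child2.example.com/auth/google_oauth2/callback/",
    ],
}})
SAMPLE_HOSTS = ["parent.example.com", "child1.example.com",
                "child2.example.com", "child3.example.com"]

if __name__ == "__main__":
    for host, problem in audit_redirect_uris(SAMPLE_CLIENT_JSON, SAMPLE_HOSTS).items():
        print(f"{host}: {problem}")
```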
Enable API Lookups for the Google Domain
- 1. Navigate to https://admin.google.com.
- 2. Click Security.
- 3. Click API reference.
- 4. Under API access, check (select) Enable API access.
This will complete setup on the Google side.
Configure a Google Authentication Source on the Rocket Appliance
- 1. Log in to the Rocket.
- 2. Click Administration.
- 3. Scroll down to Authentication Sources.
- 4. Perform Steps a through g for every tier.
- a. Click Add Authentication Source.
- b. From the Type dropdown select Google Authentication.
- c. Enter a name, a friendly name, and the email domain (everything after the @ sign).
- d. Enter the Client ID and Client Secret you copied above.
- e. Select (check) Available to End Users.
- f. Click Save. You will be directed back to Google to give them permission to make API calls. Please note that all “scopes” (i.e., authentication information received from users) listed on this window are read-only.
You must be logged in as an administrator of your Google domain. Otherwise, it will look like everything was set up correctly, but the auth source will not work. A client accessing it will get either a 401 Unauthorized or a 403 Forbidden when attempting to use the auth source.
Please note you must repeat these steps for each different domain that you have configured within Google. For example, if you have @Studentdomain.org and @Staffdomain.org domains, they need to be set up as two different authentication sources, even if they are managed by a single Administration page, and a separate account with administration privileges in each domain will need to be used when configuring the authentication source.
If you use Google’s Admin SDK, from time to time your users may get HTTP 503 errors when they try to authenticate. This can happen when users try to authenticate and the Google Admin SDK’s query rate per day (QPD) of 150,000 requests per day has been exceeded. The QPD can also be exceeded in other circumstances.
To prevent this from occurring, you can set up billing. However, you can also configure a free Google Web Application in your Google domain and configure Google authentication on your Rocket.