If you are using certain Google Apps extensions (or the Enterprise version of Google Apps Login), you will need to set up a Service Account. This is an extra step on top of the regular setup (which you should have already followed based on the personalized instructions linked from your WordPress admin panel under Settings -> Google Apps Login – or you can see them here). The Service Account allows your extension to call Google APIs that need domain-wide permissions, rather than just the permissions of the user who is currently logged in: with domain-wide delegation it can act on behalf of any user in your domain, within the API scopes you grant it.
If in doubt about whether you need a Service Account, just skip this for now; you can come back later if you discover functionality is missing from your extension.
Please note that domain-wide delegation (and so the Service Account functionality described here) is no longer available for free gmail.com accounts – a G Suite account on your own domain is required.
It will be easiest if you activate your Google Apps extension first before following the steps below – although you can choose to set up a Service Account before those extensions are activated if you want.
Go back to WordPress’ admin page, and select Settings -> Google Apps Login from the left-hand menu. You should be on the Main Setup tab, and towards the bottom look for the Service Account settings.
There’s quite a lot of information displayed there (less if you only have one extension that requires a Service Account) – but don’t be overwhelmed. It is simply listing the API scopes that the extension(s) require, so you can make an informed decision about installing them; you will grant exactly these scopes in your Google Apps admin console in the final step below.
There are a few steps we need to take in order to complete the plugin settings.
Create a Service Account in Google Developers Console
Go to Google Developers Console and return to the project you created when you first configured the Google Apps Login plugin.
From the top-left menu select IAM & Admin. Click on Service Accounts on the left-hand side.
There should already be an existing service account for Compute Engine, but you can ignore that.
Click the blue Create service account button across the top.
In the box that pops up, enter a name of your choice in the Service Account Name box. This should lead to an auto-generated ‘Service account ID’ which you can leave intact. Ignore the ‘role’ dropdown.
Check Furnish a new private key. This will open up two further options, and you should leave JSON selected.
Check Enable G Suite Domain-wide Delegation.
When you click the blue Create button, you will be given a ‘JSON key file’. Its extension will be ‘.json’, and you should keep it safe for a future step in this process. Treat this file as a secret: it contains the Service Account’s private key, and because domain-wide delegation is enabled, anyone who obtains it can impersonate any user in your domain for whatever API scopes you grant in the admin console. Do not email it, commit it to source control, or leave it in a web-accessible directory. You can click the ‘Close’ button in the box that tells you to keep the file safe.
While you’re in the Google Developers Console, you may want to enable further APIs under API Manager -> Overview, if you didn’t when you first set up the Google Apps Login plugin. Most extensions require the Admin SDK and Drive API to be enabled.
Note that if you need to obtain a completely new JSON file in the future (e.g. if the file contents become compromised) you would need to go to API Manager > Credentials. The above process automatically added a new ‘Service Account’ Client ID to your project, alongside the ‘Web Application’ Client ID that you created when you first configured Google Apps Login. The JSON file relates to this new client ID. If you are replacing a compromised key, also delete the old key from that page (and then upload the new file to WordPress as described below) – creating a new key does not revoke the old one.
Upload JSON key file and Settings to WordPress
Go back to WordPress and the Main Settings tab of Settings -> Google Apps Login.
Under Service Account settings, click the Browse or Select File button (depending on your browser) next to Upload Service Account JSON file. Locate the json file that you just downloaded from Google Developers Console.
While you’re there, beneath that Browse/Select button enter the email address of a user who has Administrative rights in your Google Apps domain. That is quite likely to be your own email address! Enter it in A Google Apps Domain admin’s email. The Service Account will impersonate this user when it calls Google APIs, so the calls run with that admin’s rights (limited to the scopes you grant in the final step); if the user later loses admin rights or is suspended, the extensions will stop working.
Save changes, and check for any problems – especially in uploading the JSON file. If the JSON file has been accepted, the details of your Service Account should be displayed in the Service Account settings area. The information shown should include the ‘Service Account Client ID / Name’ – in a yellow box so you can easily copy it to paste in the next step of these instructions.
Granting rights for your Service Account to access Groups or Drive etc
Finally, as a Google Apps domain administrator, you need to go to your regular Google Apps Domain admin console at admin.google.com (not the Google Developers Console this time).
There, go to Security -> Advanced Settings -> Manage API Client access (under Authentication).
On this page, you need to enter two fields: Client Name and API Scope.
The Client Name will be the Client ID of the Service Account you created earlier. E.g. 1234567890123456. You can copy this from the yellow box labelled ‘Service Account Client ID / Name’ in your WordPress settings page. (You would also be able to look it up from the Google Developers Console project page, within the Service Account you created earlier.)
In the box labelled ‘One or More API Scopes’ copy and paste the scopes list you can see in the other yellow box in the WordPress settings page. For the Enterprise Login plugin, the scopes required should be:
The Google Drive Embedder Enterprise version requires the scope
The Google Apps Directory extension requires the scope
If you have multiple extensions, the yellow box should contain a comma-separated list of all required scopes. Grant only the scopes listed there – the admin console entry is what limits what the key file can do. For example, if you are using Google Drive Embedder Enterprise and Google Apps Login Enterprise, you will see the following, which you need to copy and paste into the ‘One or More API Scopes’ box as one whole line:
https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/drive
Now your extensions should be able to use your Service Account to do their job. Any problems should be highlighted when those plugins attempt to do their jobs – so check any logs they provide (e.g. the Logs tab in settings for the Enterprise login plugin) or the error messages they display on screen. A mismatch between the scopes an extension requests and the scopes you granted in the admin console is the most common cause of failure, and shows up as an authorization error from Google rather than a problem with the JSON file itself.
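The steps above tie three things together: the JSON key file (its client_id is the Client Name you paste into the admin console), the admin email the Service Account impersonates, and the scope list granted in the admin console. The following is an added example, not code from the plugin, that checks these outside WordPress before you upload anything: it validates the key file’s structure, compares the scopes an extension needs against the scopes granted in the admin console, and assembles the (unsigned) JWT claim set that the domain-wide delegation flow sends to Google. The key file and client_id in it are constructed samples with a placeholder private key; the scope strings are the ones shown in the yellow box above.

```python
"""Pre-flight checks for a Google service-account key used with domain-wide
delegation. Added example; not the Google Apps Login plugin's own code."""
import json
import time

# Constructed sample of the JSON key file downloaded from the Developers
# Console. Real files carry a 2048-bit RSA key; the PEM body is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...PLACEHOLDER...\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "wp-login@example-project.iam.gserviceaccount.com",
    "client_id": "1234567890123456",          # the admin console's "Client Name"
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Scopes exactly as the WordPress yellow box shows them (comma-separated).
REQUIRED_SCOPES = ("https://www.googleapis.com/auth/admin.directory.group.readonly, "
                   "https://www.googleapis.com/auth/admin.directory.user.readonly, "
                   "https://www.googleapis.com/auth/drive")

REQUIRED_FIELDS = ("type", "private_key", "client_email", "client_id", "token_uri")


def load_key_file(text):
    """Parse a service-account key file and reject the defects that make the
    WordPress upload step fail (wrong credential type, missing fields, bad PEM)."""
    data = json.loads(text)
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError("key file is missing fields: " + ", ".join(missing))
    if data["type"] != "service_account":
        # The Web Application client's JSON has a different shape; it will not work here.
        raise ValueError("not a service-account key (type=%r)" % data["type"])
    pem = data["private_key"]
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and "-----END PRIVATE KEY-----" in pem):
        raise ValueError("private_key is not a PEM-encoded PKCS#8 private key")
    return data


def parse_scope_list(text):
    """Normalize a comma-separated scope list (commas optionally followed by
    spaces, as pasted into the admin console) into a set."""
    return {s.strip() for s in text.split(",") if s.strip()}


def missing_scopes(required, granted):
    """Scopes the extensions need that the admin console has not granted for
    this Client ID. A non-empty result means Google will refuse the token."""
    return sorted(parse_scope_list(required) - parse_scope_list(granted))


def build_dwd_claims(key, admin_email, scopes, now=None):
    """Assemble the JWT claim set used by the domain-wide delegation flow.
    'sub' is the impersonated admin; 'scope' is space-delimited in the JWT even
    though the admin console takes commas. A client library signs this with the
    file's private_key (RS256) and posts it to token_uri for an access token."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": admin_email,
        "scope": " ".join(sorted(parse_scope_list(scopes))),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # Google rejects assertions valid for more than 1 hour
    }


if __name__ == "__main__":
    key = load_key_file(SAMPLE_KEY_JSON)
    print("Paste this as Client Name:", key["client_id"])
    granted = ("https://www.googleapis.com/auth/admin.directory.group.readonly,"
               "https://www.googleapis.com/auth/admin.directory.user.readonly")
    print("Not yet granted:", missing_scopes(REQUIRED_SCOPES, granted))
    print(json.dumps(build_dwd_claims(key, "admin@example.com", REQUIRED_SCOPES), indent=2))
```

Run it against your real downloaded file (read it from disk in place of SAMPLE_KEY_JSON) and against the exact text you pasted into ‘One or More API Scopes’; an empty list from missing_scopes means the admin console grant matches what the extensions will request, and a non-empty one tells you which scope to add before you go looking at plugin logs.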
Please do not hesitate to get in touch with us if you have any questions at all about Service Accounts or the Google Apps platform in general! Email firstname.lastname@example.org.