The instructions on this page presume you have installed the Premium plugin and are now attempting to configure the plugin from the ‘Google Apps Login’ page under Settings in your WordPress admin area. We will guide you through registering your site with Google Developers Console (which you will need to do unless the plugin has already been able to pull the settings through from the free version of the plugin).
See video tutorial if you prefer.
The Google Apps domain admin needs to go to https://console.developers.google.com/ (link will open in a new window). If you are not the domain admin, you may still have permissions to use the console, so just try it. If you are not using Google Apps, then just use your regular Gmail account to access the console.
In the Google Developers Console, click Create Project, and in the box that appears enter any name of your choice (such as your website’s name) before clicking Create. You may be required to accept a verification phone call or SMS from Google.
Next, click into the new project, then click APIs & Auth in the left-hand menu, and select the Consent screen sub-menu. You must select an Email Address if one is not already selected. You must also enter your company or blog name in Product name. Optionally, you can add your logo and other URLs to customize what your users see when they first login.
Then you must create a new ‘Client ID’ within the project, of type ‘Web Application’. To create this, you need to click Credentials (another sub-menu of APIs & Auth), then click the blue Create New Client ID button. Make sure you select Web Application as the Platform type.
Beneath that, input the following items into your new Google ‘Client ID’:
https://mywpsite.com/ (your site URL)
- Authorized redirect URI:
https://mywpsite.com/wp-login.php (your site's login URL)
Once you have created the application (click the blue Create Client ID button), you need to turn to the Client ID for web application section to be able to complete the following steps.
You will see a Client ID and Client Secret which you must copy and paste into the boxes back on the WordPress plugin settings screen – i.e. back in your WordPress admin, under Settings -> Google Apps Login.
If you plan to use our Google Drive Embedder extension plugin, then you will also need to enable the ‘Drive API’ and ‘Calendar API’. To enable these, in the Google Developers Console, beneath APIs & Auth in the left-hand menu, click APIs. Under ‘Google Apps APIs’ (or by searching), locate each of Drive API and Calendar API and click into them so you can click the ‘Enable’ button. If you are using the Enterprise version of Google Apps Login, you will also need to enable Admin SDK.
All done! Save the settings in your WordPress admin, then try logging out. You should now see a ‘Login via Google’ button on your WordPress login page.
For certain extensions (Google Apps Directory, or the Enterprise version of Google Apps Login) you may also need to follow the instructions to set up a service account. If in doubt, please ignore for now.
Keep reading to understand how to make use of the premium features that automatically restrict access to users on your own Google Apps domain, including auto-creation of users.
For extra functionality in the Enterprise version of Google Apps Login, see here.
This section of the admin panel allows you to really harness the extra functionality available in the premium plugin – ensuring your Google Apps userbase is synced to corresponding WordPress user accounts.
If you leave everything in the Domain Control section blank, then any existing WordPress users with a Gmail or Google Apps email address will be able to use ‘Login with Google’ to login to WordPress. If they don’t have an account already set up, then of course they will not gain access. Alternatively, all WordPress users will be able to use their usernames and passwords to login as normal – and that includes Gmail/Google users who choose not to use the ‘Login with Google’ button.
But let’s say you want everyone with an email address on your Google Apps domain ‘example.com’ to be able to login to WordPress. The way to enforce this without having to set up every user in WordPress manually is to require everyone to Login with Google, and for the Google Apps Login plugin to auto-create accounts in WordPress for any example.com users who do not yet have accounts.
Enter your Google Apps domain name in the My Google Apps domain box – e.g. “example.com”. (Tip: if you have a couple of different domains in use, you can list them with a space inbetween, e.g. “example.com altdomain.com”)
Check the Auto-create new users on my domain checkbox.
For now, leave the second checkbox unticked (Disable WordPress username/password login for my domain).
For the Default role for new Google users dropdown, select a suitable role for any users auto-created via Google Login.
At this point, every valid example.com user has access to a WordPress account, as long as they use Login with Google to access it.
Once you are sure this aspect is working, read the details below to ensure that this is watertight. The problem now is that other unexpected users may also be able to gain access.
Restricting Unauthorized Access
To complete the setup described – where all users with email addresses on example.com should have access to WordPress, but no others should – we need to understand where these potential leaks could come from.
If your WordPress site has not been set up carefully, it may be possible for absolutely anyone on the internet to register for an account! Note this would have been the case even before you set up this Plugin.
To register, these people would go to http://example.com/wp-login.php?action=register or equivalent. To disable this, go in your WordPress admin panel to Settings -> General Settings -> Membership and uncheck Anyone can register.
On the same General Settings page, there will also be a New User Default Role dropdown. If you do want the general public to be able to register then this is the role they will get – you will normally want this at the lowest level of Subscriber. By contrast, users who are auto-created via Google Login will be given the role set separately in the Domain Control section of the Google Apps Login plugin settings, described above.
Another concern may be what happens if a user leaves the company. You will probably have a process to disable their Google Apps account, but do you have to remember to remove them from WordPress? If they are using Login with Google, then of course they will not be able to connect to WordPress if they cannot first get in to their Google account.
So that’s all fine unless they first set and learn the password for their WordPress account. That’s why the Google Apps Login plugin also has an option to ensure your example.com users cannot login to WordPress using a regular username and password.
Back in the WordPress admin panel, go to Settings -> Google Apps Login. The last checkbox is Disable WordPress username/password login for my domain, and you should set this once you are confident your regular Login with Google access is working fine. You could find yourself locked out of WordPress if you check this box before your plugin configuration is complete.
Please note that any existing WordPress sessions will still be accessible to the ex-employee until they expire – but the user will not be able to login again once sessions have expired.
You can also Completely hide WordPress username and password boxes to ensure there is no confusion for your employees as to how they should login. However, please note that it is still possible for any existing WordPress accounts to login (if they are not on your Google Apps domain). Those users can override the hiding of username/password boxes by going to the URL /wp-login.php?gahidewplogin=false.
Note that even after you have disabled new registrations for random visitors, and restricted auto-creation to your Google Apps domain as above, you may still have existing WordPress users who can access their accounts, and who are not on your Google Apps domain.
The ‘cleanest’ recommendation is to ensure that no such users exist. If you do have a reason to grant access to a non-Google Apps user, then of course just be aware of that and take care if they move on from your organization.
You and your users will be able to use Google Apps Login perfectly fine if you simply ignore the Advanced Options section. However, there are two options, plus an extra little trick, that will allow you to customize the exact login flow as you desire.
Force user to confirm Google permissions every time
If checked, users will have to fully authorize your site to Google every time they login. This may make the login flow clearer for users who are currently logged into exactly one Google account, and also gives them the chance to login to a different Google account instead. However, the login flow is quicker if you leave this unchecked.
Automatically redirect to Google from login page
If checked, all users will be automatically forwarded to the Google login flow when they access the /wp-login.php page. If your users only ever use ‘Login via Google’, this saves them having to click that button on the login page to initiate the process.
Login page redirect override
It is not a setting in itself, but a trick that you may use to override the behavior of the last setting described (i.e. Automatically redirect to Google from login page). Whether or not that setting is checked, you can send users to /wp-login.php?gaautologin=true to ensure the automatic redirect happens. Likewise, you can send users to /wp-login.php?gaautologin=false to ensure the full WordPress login form is displayed, giving them the choice of username/password or ‘Login via Google’, regardless of the Automatic redirect setting.
This can be useful if you want, for example, a link in your sidebar advertising the Google Login functionality as a direct link, without forcing it on all users at all times.
Display ‘Powered By wp-glogin.com’ on Login form
Uncheck this to remove the attribution link on your login page. Of course we are thrilled if you want to spread the word about our product, but it’s no problem if this is not appropriate for your site. It can also be useful for future admins of your site to understand immediately how you have implemented Login with Google, and to come to us for support.
By default, all logins need to be submitted via the root site (since that is the only Redirect URL you were asked to submit to Google Developers Console when you first set up the plugin). That should be fine to get you started, so please just try it out, but you may find that users are sometimes redirected to unexpected pages, depending on where on your network of sites they decided to login.
If have a small number of sub-sites, and new sub-sites are not expected to be added often, you might prefer to register additional Redirect URLs with Google for each of your sub-sites, in addition to the root site you were asked to enter when you first configured the plugin. For example, you may end up listing all of https://mywpsite.com/wp-login.php, https://mywpsite.com/subsite1/wp-login.php, and https://mywpsite.com/subsite2/wp-login.php as Redirect URLs in the Google Developers Console.
You will then need to check the box in the Multisite Options section of the plugin’s admin panel labelled Use sub-site specific callback from Google. This will cause all logins submitted to the sub-site they were invoked on.
In the Enterprise version of the plugin, you have much more granular control over users’ WordPress roles. You can create rules to map membership of Google Groups to different WordPress roles. You can also see logs of account changes. More information is here.