If you are using certain Google Apps extensions (or the Enterprise version of Google Apps Login), you will need to set up a Service Account. This is an extra step on top of the regular setup (which you should have already followed based on the personalized instructions linked from your WordPress admin panel under Settings -> Google Apps Login – or you can see them here). The Service Account will allow your extension to make calls to Google APIs which require domain-wide permissions rather than just the permissions of the user who is currently logged in.
If you are in doubt about whether you need a Service Account, please just ignore this step for now. You can come back later if you discover that functionality is missing from your extension.
It will be easiest if you activate your Google Apps extension first before following the steps below – although you can choose to set up a Service Account before those extensions are activated if you want.
Go back to WordPress’ admin page, and select Settings -> Google Apps Login from the left-hand menu. You should be on the Main Setup tab, and towards the bottom look for the Service Account settings.
There’s quite a lot of information displayed there (you should see less if you only have one extension that requires a Service Account) – but don’t be overwhelmed… It’s simply listing the permissions that the extension(s) require, to allow you to make an informed decision about installing them.
There are a few steps we need to take in order to complete the plugin settings.
Create a Service Account in Google Developers Console
Go to Google Developers Console and return to the project you created when you first configured the Google Apps Login plugin. Return to APIs & Auth -> Credentials, where you will have previously created a ‘Client ID for web application’.
We need to create another Client ID, but this time of type Service Account.
Click Create New Client ID and select Service Account from the list. Leave JSON Key selected.
When you click Create Client ID at the bottom of the dialog box, you will be given a ‘JSON key file’. Its extension will be ‘.json’, and you should keep it safe for a future step in this process. You can click the ‘Okay, got it’ box that tells you to keep the file safe.
You should see your new Service Account beneath your existing ‘Client ID for web application’. It should display a Client ID which you will need to use later too.
While you’re in the Google Developers Console, you may want to enable further APIs under APIs & Auth -> APIs, if you didn’t when you first set up the Google Apps Login plugin. Most extensions require the Admin SDK to be enabled.
Upload JSON key file and Settings to WordPress
Go back to WordPress and the Main Settings tab of Settings -> Google Apps Login.
Under Service Account settings, click the Browse or Select File button (depending on your browser) next to Upload Service Account JSON file. Locate the JSON file that you just downloaded from Google Developers Console.
While you’re there, beneath that Browse/Select button simply enter the email address of any user who has Administrative rights in your Google Apps domain. That is quite likely to be your own email address! Enter that in A Google Apps Domain admin’s email.
Save changes, and check for any problems – especially in uploading the JSON file. If the JSON file has been accepted, the details of your Service Account should be displayed in the Service Account settings area.
Granting rights for your Service Account to access Groups or Drive etc
Finally, as a Google Apps domain administrator, you need to go to your regular Google Apps Domain admin console at admin.google.com (not the Google Developers Console this time).
There, go to Security -> Advanced Settings -> Manage API Client access (under Authentication).
On this page, you need to enter two fields: Client Name and API Scope.
The Client Name will be the Client ID of the Service Account you created earlier. E.g. 1234567890-bc1tud1cvim4c7q7sdg346q1l3scrhbcg.apps.googleusercontent.com. You can copy this from the Google Developers Console project page, from the Service Account section you created earlier.
In the box labeled ‘One or More API Scopes’ copy and paste the scopes list you can see in the yellow box in the WordPress settings page. For the Enterprise Login plugin, the scopes required should be only: https://www.googleapis.com/auth/admin.directory.group.readonly.
The Google Drive Embedder Enterprise version requires the scope https://www.googleapis.com/auth/drive.
The Google Apps Directory extension requires the scope https://www.googleapis.com/auth/admin.directory.user.readonly.
If you have multiple extensions, the yellow box should contain a comma-separated list of all required scopes. For example, if you are using Google Drive Embedder Enterprise and Google Apps Login Enterprise, you will see the following that you need to copy and paste into the ‘One or More API Scopes’ box as one whole line:
https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/drive
Click Authorize.
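Before uploading the key file and authorizing scopes, it can help to check both. The following Python sketch is an added example, not part of the plugin: it flags a key file that other local users can read or that lacks the expected fields, and compares a scope line against the scopes this page lists for the extensions in use. The key-file field names are assumed from Google's service account JSON key format, and the extension labels are made up for the example.

```python
import json
import os
import stat
import tempfile

# Scopes the page lists per extension; the dictionary keys are labels made up here.
REQUIRED_SCOPES = {
    "enterprise-login": "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "drive-embedder-enterprise": "https://www.googleapis.com/auth/drive",
    "apps-directory": "https://www.googleapis.com/auth/admin.directory.user.readonly",
}
# Assumed key-file fields (Google's service account JSON key format).
KEY_FIELDS = ("type", "client_id", "client_email", "private_key")

def audit_key_file(path):
    """Return a list of problems with a downloaded Service Account JSON key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is accessible to group/other (mode %o)" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:  # covers malformed JSON and undecodable bytes
        key = None
    if not isinstance(key, dict):
        return problems + ["not a JSON object"]
    problems += ["missing field: " + f for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        problems.append("type is %r, expected 'service_account'" % key["type"])
    return problems

def audit_scopes(scope_line, extensions):
    """Compare a 'One or More API Scopes' line with what the extensions need."""
    granted = {s.strip() for s in scope_line.split(",") if s.strip()}
    needed = {REQUIRED_SCOPES[e] for e in extensions}
    return {"missing": sorted(needed - granted), "excess": sorted(granted - needed)}

def demo():
    # Constructed sample key with placeholder values, not a real credential.
    sample = {"type": "service_account", "client_id": "CLIENT_ID_PLACEHOLDER",
              "client_email": "sa@example.invalid", "private_key": ""}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(sample, fh)
    os.chmod(fh.name, 0o644)  # deliberately too permissive for the demo
    try:
        return audit_key_file(fh.name)
    finally:
        os.remove(fh.name)
```

An "excess" entry means the scope line grants the Service Account more domain-wide access than the active extensions need.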
Conclusion
Now, your extensions should be able to use your Service Account to do their job. Any problems should be highlighted when those plugins attempt to do their jobs – so check any logs they may provide (e.g. Logs tab in settings for the Enterprise login plugin), or error messages they display on the screen.
Please do not hesitate to get in touch with us if you have any questions at all about Service Accounts or the Google Apps platform in general! Email us.