Service Account setup

If you are using certain Google Apps extensions (or the Enterprise version of Google Apps Login), you will need to set up a Service Account. This is an extra step on top of the regular setup, which you should already have followed using the personalized instructions linked from your WordPress admin panel under Settings -> Google Apps Login (or you can see them here). The Service Account allows your extension to make calls to Google APIs that require domain-wide permissions rather than just the permissions of the user who is currently logged in.

If in doubt about whether you need a Service Account or not, ignore this step for now; you can come back later if you discover functionality is missing from your extension.

It will be easiest if you activate your Google Apps extension first before following the steps below – although you can choose to set up a Service Account before those extensions are activated if you want.

Go back to WordPress’ admin page, and select Settings -> Google Apps Login from the left-hand menu. You should be on the Main Setup tab, and towards the bottom look for the Service Account settings.

There’s quite a lot of information displayed there (you should see less if you only have one extension that requires a Service Account) – but don’t be overwhelmed… It’s simply listing the permissions that the extension(s) require, to allow you to make an informed decision about installing them.

There are a few steps we need to take in order to complete the plugin settings.

Create a Service Account in Google Developers Console

Go to Google Developers Console and return to the project you created when you first configured the Google Apps Login plugin. Return to APIs & Auth -> Credentials, where you will have previously created a ‘Client ID for web application’.

We need to create a new Service Account:

Follow the Google flow to give this account a name and give it access to manage your account:

Once it has been created, open the newly created Service Account:

You can see a Keys menu item at the top. On that screen, click the “ADD KEY” > “Create new key” button and pick the JSON type (which is highlighted as “Recommended”). Once the key file has been created, it is downloaded to your computer automatically. It has the extension .json and contains the Service Account’s private key, so you should keep it safe for a future step in this process. You can click the ‘Okay, got it’ box that tells you to keep the file safe.

You should see your new Service Account beneath your existing ‘Client ID for web application’. It should display a Client ID which you will need to use later.

While you’re in the Google Developers Console, you may want to enable further APIs under APIs & Auth -> APIs, if you didn’t when you first set up the Google Apps Login plugin. Most extensions require the Admin SDK to be enabled.

Upload JSON key file and Settings to WordPress

Go back to WordPress and the Main Settings tab of Settings -> Google Apps Login.

Under Service Account settings, click the Browse or Select File button (depending on your browser) next to Upload Service Account JSON file. Locate the JSON file that you just downloaded from Google Developers Console.

While you’re there, beneath that Browse/Select button simply enter the email address of any user who has Administrative rights in your Google Apps domain. That is quite likely to be your own email address! Enter that in A Google Apps Domain admin’s email.

Save changes, and check for any problems – especially in uploading the JSON file. If the JSON file has been accepted, the details of your Service Account should be displayed in the Service Account settings area.
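
A local check for the downloaded key file, as an added example that is not part of the plugin or of the original instructions: it confirms the file is a service account key, flags file permissions that let other local users read it (POSIX modes assumed), and reports the Client ID needed for the domain-wide delegation step without printing the private key. The function name and the sample values are hypothetical.

```python
import json
import os
import stat
import sys
import tempfile

# Fields a Google service account JSON key file is expected to carry.
REQUIRED = ("type", "client_id", "client_email", "private_key_id", "private_key")


def inspect_key_file(path):
    """Return (info, problems). info never contains the private key."""
    problems = []
    # POSIX assumption: the key should be readable by its owner only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:o} exposes the key to other local users; use 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:  # covers bad JSON and bad UTF-8
        return {}, problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return {}, problems + ["top-level JSON value is not an object"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if "type" not in missing and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if "private_key" not in missing and "PRIVATE KEY" not in str(key["private_key"]):
        problems.append("private_key does not look like a PEM block")
    info = {name: key.get(name) for name in ("client_id", "client_email", "private_key_id")}
    return info, problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        # Constructed sample with placeholder values, not a real credential.
        sample = {"type": "service_account", "client_id": "000000000000000000000",
                  "client_email": "example@example-project.iam.gserviceaccount.com",
                  "private_key_id": "0" * 40,
                  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}
        fd, target = tempfile.mkstemp(suffix=".json")  # created with mode 600
        with os.fdopen(fd, "w") as fh:
            json.dump(sample, fh)
    info, problems = inspect_key_file(target)
    print("Client ID for the delegation step:", info.get("client_id"))
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run it with the path of the downloaded file as the only argument; with no argument it checks the constructed sample.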

Granting rights for your Service Account to access Groups or Drive etc

Finally, as a Google Apps domain administrator, you need to go to your regular Google Apps Domain admin console at admin.google.com (not the Google Developers Console this time).

There, find the Security menu item in the left sidebar. If you don’t see it, click the “Show more” button to reveal all menu items.

There, go to Security -> Access and data control -> API controls. There is a “Domain-wide delegation” section, with a “MANAGE” link. After clicking this link, you will see a list of API Clients – which may be empty if you started anew. Click the “Add new” button:

You need to enter two fields: Client ID and API Scope.