Setting up Google as an Authentication source for your Rocket/Web Filter will allow users to seamlessly sign on to their Chromebook devices and Google services with their Web Filter policies. GAFE Single Sign On (SSO) can be set up by following the steps below to configure Google as an authentication source.
Because of the way Google authentication works, it can be used for personal overrides but not for the “teacher override”, where the override is performed for another user.
Configuring a Google authentication source
Note: This procedure requires Lightspeed System Rocket release 2.7.0rc3 or later.
Configure the Google Web App
- 1. Log into Google as an administrator of your Google domain.
- 2. Navigate to https://cloud.google.com/console.
- 3. Click Go to my console.
- 4. Click Create Project.
- 4. Enter a project name.
- 5. A project ID will be generated automatically. As an option you can enter your own project ID.
- 6. Check (select) I have read and agree to all Terms of Service for the Google Cloud Platform products.
- 7. Click Create.
- 8. Click APIs & auth.
- 9. Click APIs.
- The following window to enable the Admin SDK APIs will be displayed.
- 10. Check (select) I have read and agree to both Google APIs Terms of Service and Google Apps Admin APIs Terms of Service.
- 11. Click Accept.
- 12. Click Credentials.
Make sure that your project has a product name under APIs & Auth -> Consent screen. If the name is missing, you will either see 'Error: disabled_client' or 'Error: invalid_client' when adding the authentication source.
- 13. Click Create New Client ID.
- 14. Check (select) Web Application.
Redirect URLs must be HTTP and not HTTPS.
- 15. In the Authorized redirect URL field enter the redirect URL. Please note that this URL must be the publicly-available hostname of your Rocket with an ending suffix of /auth/google_oauth2/callback (for example, http://your-rocket.com/auth/google_oauth2/callback).
Parent/Child Server Configuration
If you have a parent/child setup, then you need to have an “AUTHORIZED REDIRECT URI” for the parent appliance as well as for every child appliance that handles web filtering. The redirect URL needs to be publicly available for any appliance that will be used for Google Authentication.
If you’re using NWOCA’s Lightspeed Rocket, you’ll need to enter the following URIs in the URI box:
- 16. Click Create Client ID.
- 17. Copy the Client ID and Client Secret, which you will need when configuring the Google authentication source on the Rocket (described below).
This will complete setup of the Google web app.
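The redirect URL rules in step 15 and in the Parent/Child Server Configuration note can be checked before saving the client ID. The script below is an added example, not part of the original guide or of Lightspeed's software; the appliance hostnames are constructed placeholders and the "publicly resolvable" test is a heuristic assumption.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

CALLBACK_PATH = "/auth/google_oauth2/callback"  # suffix required by step 15

def check_redirect_uri(uri):
    """Return a list of problems with one authorized redirect URI (empty = OK)."""
    problems = []
    parts = urlsplit(uri.strip())
    if parts.scheme != "http":
        problems.append("scheme must be http, per this guide")
    if parts.path != CALLBACK_PATH:
        problems.append("path must be exactly " + CALLBACK_PATH)
    if parts.query or parts.fragment:
        problems.append("URL must end with the callback suffix")
    host = parts.hostname or ""
    if not host:
        problems.append("missing hostname")
        return problems
    try:
        if not ip_address(host).is_global:
            problems.append("address is not publicly routable")
    except ValueError:
        # Not an IP literal. Heuristic (assumption): bare or .local names are internal.
        if "." not in host or host.endswith(".local"):
            problems.append("hostname does not look publicly resolvable")
    return problems

def audit(appliance_hosts, configured_uris):
    """Compare the URIs entered in Google against every filtering appliance."""
    report = {"missing": [], "invalid": {}}
    valid_hosts = set()
    for uri in configured_uris:
        problems = check_redirect_uri(uri)
        if problems:
            report["invalid"][uri] = problems
        else:
            valid_hosts.add(urlsplit(uri.strip()).hostname)
    for host in appliance_hosts:  # parent plus each child that filters traffic
        if host.lower() not in valid_hosts:
            report["missing"].append("http://" + host + CALLBACK_PATH)
    return report

# Constructed sample data: one parent, one child, child entered with https.
SAMPLE_APPLIANCES = ["rocket-parent.example.org", "rocket-child1.example.org"]
SAMPLE_CONFIGURED = ["http://rocket-parent.example.org" + CALLBACK_PATH,
                     "https://rocket-child1.example.org" + CALLBACK_PATH]

if __name__ == "__main__":
    print(audit(SAMPLE_APPLIANCES, SAMPLE_CONFIGURED))
```

An empty `missing` list and an empty `invalid` map mean every appliance has a matching redirect URI in the form this guide requires.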
Enable API Lookups for the Google Domain
- 1. Navigate to admin.google.com.
- 2. Click Security.
- 3. Click API reference.
- 4. Under API access check (select) Enable API access.
This will complete setup on the Google side.
Configure a Google Authentication Source on the Rocket Appliance
- 1. Log in to the Rocket.
- 2. Click Administration.
- 3. Scroll down to Authentication Sources.
- 4. Perform Steps a through g for every tier.
- a. Click Add Authentication Source.
- b. From the Type dropdown select Google Authentication.
- c. Enter a name, a friendly name, and the email domain (everything after the @ sign).
- d. Enter the Client ID and Client Secret you copied above.
- e. Select (check) Available to End Users.
- f. Click Save. You will be directed back to Google to give them permission to make API calls. Please note that all “scopes” (i.e., authentication information received from users) listed on this window are read-only.
You must be logged in as an administrator of your Google domain. If you are not, it will look as though everything was set up correctly, but the auth source will not work: a client using it will get either a 401 Unauthorized or a 403 Forbidden.
- g. Click Accept.