Enable the Google Identity Provider
This page describes how to enable the Google IDP for the Login.
To let Member Users log in to Crystal with their Google credentials, the Admin User must first set up Google as an Identity Provider.
To do so, as an Admin, you must follow a process that involves both Google Cloud Platform and Crystal.
Please follow this tutorial through to the end.
Please Note
Identity Providers can also be used to create new Groups.
First of all, you need to create a Google Service account with the correct privileges and domain-wide delegation.
log in to your Google Cloud Platform console. Be sure to select the correct project, or create a dedicated one for Crystal
select "APIs & Services", then "Credentials"
from the top menu, select "Create Credentials" → "Service Account"
choose a name for your service account and skip all the optional steps
Once done, you should see the details of your new Service Account.
In order to make the proper API calls, you need to enable workspace delegation and add a key to the Service Account:
go to "APIs & Services" → "Credentials"
select the Service Account you just created from the list under the “Service Accounts” section
under the details, check the “Enable Google Workspace domain-wide delegation” checkbox
in the “Keys” tab, select "Add key" → "Create new key"
save the downloaded file to a known location: you’ll be required to upload it later while configuring Crystal. Treat this file as a secret: together with domain-wide delegation, it lets whoever holds it act on behalf of any user in your Workspace domain for the granted scopes, so restrict its file permissions and delete it once it has been uploaded to Crystal.
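The domain-wide delegation step below asks for the service account's numeric client ID; it is stored in the key file you just downloaded, next to the private key. The following script is an added example, not part of the Crystal documentation or product: it reads the key file, checks that it really is a Google service-account key (the expected fields and the PEM-encoded private key), warns if the file is readable by other users, and returns the client ID to paste into the Admin console. It uses only the Python standard library; the sample key embedded in it is constructed, and its private key is a placeholder, not a real key.

```python
"""Inspect a downloaded Google service-account key before uploading it.

Added example for the Crystal Google IdP tutorial; not Crystal's own code.
Standard library only. The sample key below is constructed for the example.
"""
import json
import os
import re
import stat
import sys
import tempfile

# Fields present in every service-account key JSON that Google generates.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# Google serialises the key as PKCS#8 PEM with embedded newlines.
PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+-----END PRIVATE KEY-----\n?"
)

# Constructed sample: the private_key value is a placeholder, not a usable key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "crystal-example",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "crystal-idp@crystal-example.iam.gserviceaccount.com",
    "client_id": "112233445566778899000",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def inspect_key_file(path):
    """Return {"client_id", "warnings", "error"} for the key file at *path*.

    "error" is None when the file is a usable service-account key; otherwise
    it explains why the file should not be uploaded.
    """
    result = {"client_id": None, "warnings": [], "error": None}

    # A key readable by group/others is a credential leak waiting to happen.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        result["warnings"].append(
            f"key file is readable by other users (mode {mode:04o}); chmod 600 it")

    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)

    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        result["error"] = "not a service-account key, missing: " + ", ".join(missing)
        return result
    if key["type"] != "service_account":
        result["error"] = f"unexpected credential type {key['type']!r}"
        return result
    if not PEM_RE.fullmatch(key["private_key"]):
        result["error"] = "private_key is not a PEM-encoded PKCS#8 private key"
        return result
    if not key["client_id"].isdigit():
        result["error"] = "client_id should be the numeric OAuth2 client ID"
        return result
    # User-created service accounts always live under *.iam.gserviceaccount.com.
    if not key["client_email"].endswith(".iam.gserviceaccount.com"):
        result["warnings"].append(
            "client_email is not a *.iam.gserviceaccount.com address; check the project")

    result["client_id"] = key["client_id"]
    return result


def write_key_file(key, mode=0o600):
    """Write *key* (a dict) to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Usage: python inspect_key.py /path/to/downloaded-key.json
    target = sys.argv[1] if len(sys.argv) > 1 else write_key_file(SAMPLE_KEY)
    report = inspect_key_file(target)
    for warning in report["warnings"]:
        print("WARNING:", warning)
    if report["error"]:
        sys.exit("ERROR: " + report["error"])
    print("Client ID for domain-wide delegation:", report["client_id"])
```

Run it against the real downloaded file; the numeric value it prints is the Client ID to enter under "Manage domain wide delegation". The sample key only exercises the checks and cannot authenticate to anything.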
To be able to call the Google Workspace Admin APIs and retrieve details about Users and Groups, you must:
browse APIs from "APIs & Services" → "Dashboard" on the main menu
click on "Enable APIs and services"
search for “Admin SDK”
select Admin SDK API
Enable the API (if it’s not yet enabled)
To authorise your Service Account to perform the specific tasks that Crystal needs, you must:
log in to https://admin.google.com
go to "Security" → "API controls" (if you don’t see Security, click on “Other” first)
scroll down to the Domain-wide delegation section and select “Manage domain wide delegation”
select “Add new” and fill in the details. Client ID is your service account's client ID. You also need to add the following two OAuth scopes:
To enable the Login with Google feature, you need to create an OAuth client ID of type "Web application"
go again to "APIs & Services" → "Credentials"
click on "+ Create credentials"
select “OAuth client ID”
If you haven’t already, GCP will ask you to configure the consent screen
click on “configure consent screen"
select user type: Internal
click on "Create"
return to "APIs & Services" → "Credentials" and click on "+ Create credentials"
You can now proceed with the OAuth Client ID configuration. Fill in the form with descriptive names. The most important thing is to add the Crystal OAuth2 redirect URL as an Authorized redirect URI; Google rejects the login if the URI configured here does not match the one Crystal uses exactly (scheme, host and path included).
Replace {tenant-name} with the name of the domain you’ve chosen for your Crystal Project
once you’ve created it, save the client ID and client secret. You’ll need them to complete the IDP configuration on the Crystal console in Step 3. You can either copy and paste them into a location of your choosing, or download the JSON file. The client secret is a credential: store it as you would a password, not in a shared document or repository.
The last step will be performed inside the Crystal Console:
from the Users Tab, under "Identity Provider", select "Add new IDP"
select Google Workspace as connection type
Fill in the required fields with the correct values and upload the Secret Account key you downloaded in Step 1b
The text fields refer to the OAuth2 Client (Step 2); the Secret Account key refers to the Service Account (Step 1).
Remember
Admin user: the email address of the admin user of your organization
Domain: the Google Workspace primary domain of your organization
Client ID: the client id you copied in Step 2 (OAuth2 client ID)
Redirect URI: the redirect uri configured in Step 2 (OAuth2 client ID)
Secret value: the client secret you copied in Step 2 (OAuth2 client ID)
Here’s an example of correct fields:
If the connection succeeds, you’ll be able to invite Users from Google Workspace, enable the Login via Google credentials for them, and easily create new Groups.