Enable the Google Identity Provider
This page describes how to enable the Google IDP for the Login.
Last updated
Was this helpful?
This page describes how to enable the Google IDP for the Login.
Last updated
Was this helpful?
To let Member Users log in to Crystal with their Google credentials, the Admin User must first setup Google as an Identity Provider.
To do so, as an Admin, you must follow a process that involves both Google Cloud Platform and Crystal.
Please follow through this tutorial.
First of all, you need to create a Google Service account with the correct privileges and domain-wide delegation.
from the top menu, select "Create Credentials" → "Service Account"
choose a name for your service account and skip all the optional steps
Once you’ve done, you should see your new Service Account details.
In order to make the proper API calls, you need to enable workspace delegation and add a key to the Service Account:
select the Service Account you just created from the list under the “Service Accounts” section
under the details, check the “Enable Google workspace domain wide delegation” checkbox
in the “keys” tab, select "Add key" → "Create a new key"
save the downloaded file to a known location: you’ll be required to upload it later while configuring Crystal
In order to be capable of performing API calls to the Google Workspace Admin APIs and retrieve details about Users and Groups, you must:
browse APIs from "APIs & Services" → "Dashboard" on the main menu
click on "Enable APIs and services"
search for “Admin SDK”
select Admin SDK API
Enable the API (if it’s not yet enabled)
To authorise your Service Account to perform the specific tasks that we need, you must:
go to "Security" → "API controls" (if you don’t see Security click before on “Other”)
scroll down until the domain wide delegation section and select “Manage domain wide delegation”
select “Add new” and fill-in the details. Client ID is your service account client id. You also need to add the following two OAuth scopes:
To enable the Login with Google feature, you need to create a web application
go again to "APIs & Services" → "Credentials"
click on "+ Create credentials"
select “OAuth client ID”
If you haven’t already, GCP will ask you to configure the consent screen
click on “configure consent screen"
select user type: Internal
click on "Create"
return to "APIs & Services" → "Credentials" and click on "+ Create credentials"
You can now proceed with the OAuth Client ID configuration. Fill the form with descriptive names. The most important thing is to add as Authorized redirect URI the crystal oauth2 redirect url
once you’ve created it, save the client id and client secret. You’ll need them to complete the IDP configuration on the crystal console in step3. You can either copy and paste them into a location of your choosing, or download the JSON file.
The last step will be performed inside the Crystal Console:
from the Users Tab, under "Identity Provider", select "Add new IDP"
select Google Workspace as connection type
Fill-in the required fields with the correct values and upload the secret account key you downloaded in Step 1b
The inboxes refers to the OAuth2 Client (Step 2), the Secret Account key refers to the Service Account (Step 1).
Remember
Admin user: the email address of the admin user of your organization
Domain: the Google Workspace main domain of you organization
Client ID: the client id you copied in Step 2 (OAuth2 client ID)
Redirect URI: the redirect uri configured in Step 2 (OAuth2 client ID)
Secret value: the client secret you copied in Step 2 (OAuth2 client ID)
Here’s an example of correct fields:
Identity Providers can also be used to .
login into your . Be sure to select the correct project or create a dedicated one for Crystal
Select "APIs & Services", then
go to "API and Services" →
login into
If the connection succeeds, you’ll be capable to from Google Workspace and enable the Login via Google credentials for them (and to easily create ).
