# Enable the Google Identity Provider

<figure><img src="/files/NJXb8ZpWRA6GPwpUJX4A" alt=""><figcaption><p>Login with Google IDP</p></figcaption></figure>

To let Member Users log in to Crystal with their Google credentials, the Admin User must first set up Google as an Identity Provider.

To do so, as an Admin, you must follow a process that involves both **Google Cloud Platform** and **Crystal**.

Follow the steps in this tutorial.

{% hint style="info" %} <mark style="color:blue;">**Please Note**</mark>

Identity Providers can also be used to [*create new Groups*](/crystal-console/users/user-groups.md).
{% endhint %}

## Step 1 - Create and configure a service account

First of all, you need to create a Google Service account with the correct privileges and domain-wide delegation.

#### 1a) Create service account

1. log in to [Google Cloud Platform](https://console.cloud.google.com/welcome/new). Be sure to select the correct project, or create a dedicated one for Crystal
2. Select *"APIs & Services"*, then [*"Credentials"*](https://console.cloud.google.com/apis/credentials)

<figure><img src="/files/4KHzd1zCfehHStb27Mtc" alt="" width="375"><figcaption></figcaption></figure>

3. from the top menu, select *"Create Credentials"* → *"Service Account"*

<figure><img src="/files/PCewForTe4QwHgrPbaOR" alt="" width="563"><figcaption></figcaption></figure>

4. choose a name for your service account and skip all the optional steps

<figure><img src="/files/xWFKut6JcDpu3KD4EP2j" alt="" width="563"><figcaption></figcaption></figure>

Once you’re done, you should see the details of your new Service Account.

#### 1b) Configure the service account

In order to make the proper API calls, you need to enable *workspace delegation* and add a *key* to the Service Account:

1. go to *"APIs & Services"* → [*"Credentials"*](https://console.cloud.google.com/apis/credentials)
2. select the Service Account you just created from the list under the “Service Accounts” section

<figure><img src="/files/0oqzwFG4yU6Ot75CoHTX" alt="" width="563"><figcaption></figcaption></figure>

3. under the details, check the *“Enable Google workspace domain wide delegation”* checkbox

<figure><img src="/files/ZzVy0brmE5pYG7j6H1xf" alt="" width="563"><figcaption></figcaption></figure>

4. in the *“keys”* tab, select *"Add key"* → *"Create a new key"*

<figure><img src="/files/CaxfQZCbLe24zIrBB5FG" alt="" width="563"><figcaption></figcaption></figure>

5. save the downloaded file to a known location: you’ll be required to upload it later while configuring Crystal

#### 1c) Enable Admin SDK API

To make API calls to the Google Workspace Admin APIs and retrieve details about Users and Groups, you must:

1. browse APIs from *"APIs & Services"* → *"Dashboard"* on the main menu

<figure><img src="/files/pTz5hDi0eYmJF1lL4ZXs" alt="" width="563"><figcaption></figcaption></figure>

2. click on *"Enable APIs and services"*
3. search for *“Admin SDK”*

<figure><img src="/files/kD54uv3C7QDT47RsXWm4" alt=""><figcaption></figcaption></figure>

4. select Admin SDK API

<figure><img src="/files/pEdhdI5bPXRAqeOelmRs" alt=""><figcaption></figcaption></figure>

5. Enable the API (if it’s not yet enabled)

<figure><img src="/files/r5UR3piyZpY2PweWpKmk" alt=""><figcaption></figcaption></figure>

#### 1d) Enable domain wide delegation

To authorise your Service Account to perform the specific tasks that we need, you must:

1. log in to <https://admin.google.com>
2. go to *"Security"* → *"API controls"* (if you don’t see Security, click *“Other”* first)

<figure><img src="/files/kTT2pqdf8510M4U7tlHg" alt="" width="375"><figcaption></figcaption></figure>

3. scroll down to the domain wide delegation section and select *“Manage domain wide delegation”*

<figure><img src="/files/Jis085Qui84YiG3AZQE9" alt="" width="558"><figcaption></figcaption></figure>

4. select “Add new” and fill in the details. Client ID is your service account client id. You also need to add the following two OAuth scopes:

```
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
```

<figure><img src="/files/sjevTiu41JtxVF1CB4r4" alt="" width="563"><figcaption></figcaption></figure>

## Step 2 - Create and configure the OAuth client ID

To enable the Login with Google feature, you need to create a web application:

1. go again to *"APIs & Services"* → *"Credentials"*
2. click on *"+ Create credentials"*
3. select *“OAuth client ID”*

<figure><img src="/files/HVtXls3Ve8EgakSrnHAH" alt=""><figcaption></figcaption></figure>

If you haven’t already done so, GCP will ask you to configure the consent screen:

1. click on *“configure consent screen"*
2. select user type: Internal
3. click on *"Create"*
4. return to *"APIs & Services"* → *"Credentials"* and click on *"+ Create credentials"*

<figure><img src="/files/1SrffQlqu48c9URr6WBV" alt="" width="563"><figcaption></figcaption></figure>

5. You can now proceed with the OAuth Client ID configuration. Fill in the form with descriptive names. The most important thing is to add the Crystal OAuth2 redirect URL as the Authorized redirect URI:

```
https://{tenant-name}.crystal.{ai}/login-manager/login/google/complete
```

{% hint style="info" %}
Replace *{tenant-name}* with the name of the domain you’ve chosen for your Crystal Project
{% endhint %}

<figure><img src="/files/cyRiAwiy8Vcv9IX6M7qz" alt="" width="563"><figcaption></figcaption></figure>

6. once you’ve created it, save the **client id** and **client secret**. You’ll need them to complete the IDP configuration on the Crystal Console in Step 3. You can either copy and paste them into a location of your choosing, or download the JSON file.

<figure><img src="/files/Y1W78dpw2XsZqwXFt7Fk" alt="" width="563"><figcaption></figcaption></figure>

## Step 3 - Configure the new IDP in the Crystal Console

The last step will be performed inside the Crystal Console:

1. from the Users Tab, under *"Identity Provider"*, select *"Add new IDP"*

<figure><img src="/files/5h8YhQ4VjYMxXzcXFGMZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/QiS4XzkApL42QXPPIe7U" alt=""><figcaption></figcaption></figure>

2. select Google Workspace as connection type

<figure><img src="/files/5Tdz1jNzfzjg066gAqok" alt="" width="563"><figcaption></figcaption></figure>

3. Fill in the required fields with the correct values and upload the secret account key you downloaded in **Step 1b**

The input fields refer to the OAuth2 Client (**Step 2**); the Secret Account key refers to the Service Account (**Step 1**).

{% hint style="warning" %} <mark style="color:orange;">**Remember**</mark>

* **Admin user**: the email address of the admin user of your organization
* **Domain**: the Google Workspace main domain of your organization
* **Client ID**: the client id you copied in Step 2 (OAuth2 client ID)
* **Redirect URI**: the redirect uri configured in Step 2 (OAuth2 client ID)
* **Secret value**: the client secret you copied in Step 2 (OAuth2 client ID)
{% endhint %}

Here’s an example of correct fields:

<figure><img src="/files/nYwy8n2F2TB63EVkvr7v" alt="" width="375"><figcaption></figcaption></figure>
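A pre-flight check for the values gathered in Steps 1 and 2 before they are entered in Step 3, as an added example (not part of Crystal or of this documentation). The function name `check_idp_inputs`, its parameters and the sample key are hypothetical; the scopes and the redirect path are the ones given on this page.

```python
import json
from urllib.parse import urlsplit

# Scopes and callback path exactly as given in Step 1d and Step 2 of this page.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}
REDIRECT_PATH = "/login-manager/login/google/complete"


def check_idp_inputs(key_json, delegated_scopes, oauth_client_id, redirect_uri):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    key = json.loads(key_json)
    # Step 1b: the downloaded file must be a complete service account key.
    if key.get("type") != "service_account":
        problems.append("key file is not a service account key")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            problems.append(f"key file is missing {field}")
    # Step 1d: delegation carries the two read-only scopes and nothing broader.
    scopes = {s.strip() for s in delegated_scopes}
    for s in sorted(REQUIRED_SCOPES - scopes):
        problems.append(f"missing scope: {s}")
    for s in sorted(scopes - REQUIRED_SCOPES):
        problems.append(f"unexpected scope (wider than this page requires): {s}")
    # Step 3: the Client ID field takes the OAuth2 client ID from Step 2,
    # not the service account client id used for delegation in Step 1d.
    if oauth_client_id == key.get("client_id"):
        problems.append("Client ID is the service account client id")
    # Step 2: HTTPS, tenant placeholder filled in, Crystal callback path.
    uri = urlsplit(redirect_uri)
    if uri.scheme != "https":
        problems.append("redirect URI is not https")
    if "{" in redirect_uri or "}" in redirect_uri:
        problems.append("redirect URI still contains a {placeholder}")
    if uri.path != REDIRECT_PATH:
        problems.append("redirect URI path is not the Crystal callback path")
    return problems


# Constructed sample key, not a real credential.
SAMPLE_KEY = json.dumps({"type": "service_account", "client_id": "100000000000000000001",
    "client_email": "crystal-idp@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"})
```
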

If the connection succeeds, you’ll be able to [invite Users](/crystal-console/users/invite-users-to-crystal/invite-users-via-identity-providers.md) from Google Workspace and *enable the Login via Google credentials for them* (and to easily create [new groups](/crystal-console/users/user-groups.md)).

***

