Configuring Google Workspace OAuth and Service Account

Configuring Google Workspace

In this tutorial, we will guide you through the process of setting up Solar Archive email archive systems with Google Workspace. We'll cover two main features: Single Sign-On (SSO) with Two-Factor Authentication (2FA) support using OAuth and IMAP setup for Mailbox Reader/Folder Rep/Mail Restore, utilizing a Google Service Account to access user mailboxes.

Step 1: Creating a Google API Project

  1. Go to the Google API Console by clicking this link: Google API Console.

  2. Create a new project or add an existing one and associate it with your Workspace domain. This project will be used to manage the API settings and credentials for Solar Archive.

  3. Once the project is created or selected, all subsequent configurations will be done within this project.

  1. In the Google API Console, navigate to the "Credentials" section.

  2. Click on "OAuth consent screen" from the left sidebar to configure the Consent Screen settings.

  3. Create a new Consent Screen and specify the necessary information, such as the App name, User support email, User Type (Use Internal) and Developer contact information. (It is just details to display on a consent screen - so enter any details that seem reasonable. It is non-binding, non-critical, display only information to displays when an end user tries to use the 'app'.)

  4. Customize the Consent Screen as needed to provide a clear and user-friendly experience for your users during the OAuth login process.

  5. Save the changes to the Consent Screen.

Step 3: Set up Google OAuth / Solar Archive SSO

  1. In the "Credentials" section of the Google API Console, click on "Create Credentials" and select "OAuth client ID".

  2. Choose the "Web application" option as the application type.

  3. Enter a name for your OAuth client, and in the "Authorized redirect URIs" field, specify the redirect URL provided by Solar Archive. You can find this in (Solar Archive “SSO OAuth” panel)

  4. Click "Create" to generate the Client ID and secret values for the OAuth Client.

  5. We can now complete the Solar Archive settings as follows:

    Authorization URL:

    https://accounts.google.com/o/oauth2/v2/auth

    Access Token URL:

    https://oauth2.googleapis.com/token

    User Detail URL:

    https://www.googleapis.com/oauth2/v1/userinfo

    Please Note these values can be obtained from this link: https://accounts.google.com/.well-known/openid-configuration User Detail Attributes*

    Username:

    email

    Mail:

    email

    Firstname:

    given_name

    Lastname:

    family_name

    Secondary Addresses:

    email

    * NOTE: This set of Attributes will be pre-filled (or hidden) if the “Provider Type” is set to the (recently added) Google

  1. Access your Google Workspace administration area (admin.google.com) as an administrator.

  2. In the admin console, navigate to "Security" and then "API controls".

  3. Click on "Manage third-party app access" to add the OAuth Client ID to the list of allowed apps.

  4. Click "Add app" and select "OAuth App Name or Client ID".

  5. Enter the Client ID obtained from the Google API Console and click "Select" to add the app.

  6. Review and confirm the authorization to grant access to the Solar Archive app with the specified Client ID.

Step 5: Integrate Solar Archive Login Page

After completing the previous steps, the Solar Archive login page will automatically display an additional "Login With [OAuth connection name]" button, where the connection name corresponds to the OAuth Client name.

Step 6: Set up Google Service Account for IMAP / Mailbox Reader

  1. Go back to the Google API Console and click on "Create Credentials".

  2. Select "Service Account" and provide a name for your Service Account.

  3. Assign the required role to the Service Account, such as "Project" > "Editor" to grant access to user mailboxes.

  4. Click "Continue" and then "Create Key".

  5. Choose the key type as JSON and click "Create" to obtain the JSON key file containing authentication details for the Service Account.

Step 7: Configure Solar Archive Settings

  1. Log in to Solar Archive as an administrator.

  2. Navigate to "Advanced Configuration" > "SSO - OAuth" panel.

  3. Click "Create New Connection" and select the Provider Type as "OpenID Connect".

  4. Enter a meaningful Connection Name and choose "Web application" as the type.

  5. Paste the complete text of the JSON key file into the appropriate field.

  6. Save the connection to complete the setup.

  1. Go back to your Google Workspace admin console.

  2. Navigate to "Security" > "API controls" > "Domain-Wide Delegation".

  3. Click "Add new" and paste the Client ID (Unique ID) obtained from the Google API Console.

  4. Specify the necessary "OAuth scopes" (e.g., https://mail.google.com, Email, Profile) that the Service Account requires access to.

  5. Click "Authorize" to grant the required permissions to the Service Account.

  6. The Service Account is now successfully linked to your Workspace and has access to user mailbox data.

Last updated