G Suite
About this document
This document provides the step-by-step procedure to onboard a G Suite asset in SAFE.
Some of the steps for authenticating SAFE must be performed by the SAFE support team. Please get in touch with the SAFE support team to assist you in adding G Suite assets to SAFE.
G Suite assessment through SAFE requires a session to be set as “session never expires”. Refer to https://support.google.com/a/answer/9368756?hl=en&ref_topic=7558662
Prerequisite
To onboard a G Suite asset in SAFE you need the following privileges:
- Users must have the SAFE Admin Role.
- Users must have the Admin Role in the GCP console.
Supported G Suite Editions
- G Suite Basic (Standard)
- G Suite for Enterprise
- G Suite for Business / Identity Cloud
Onboard G Suite Asset in SAFE
1. Set up Google Cloud Project (GCP)
- To set up a new project in the Google APIs Console, navigate to https://code.google.com/apis/console. Make sure that you are logged in as a G Suite user.
- If no project exists, click the Create Project button.
- Enter the Project name.
- Browse and select a Location and Organization.
- Click the Create button. You will be redirected to the created project dashboard. If not, click the notification icon on the top-right of the page and select the project.
- Click the options menu, and navigate to APIs & Services > Dashboard.
- On the dashboard, click the Enable APIs and Services button to enable the Admin SDK API that is needed to perform the assessment.
- Search for the Admin SDK API and click it in the search results.
- Click the Enable button to enable the Admin SDK API. Once the API is enabled, we need to configure the scopes and generate credentials.
- Navigate to APIs & Services > OAuth consent screen.
- Select the User Type - Internal
- Click the Create button.
- On the OAuth Consent Screen, select the Application type - Internal, and enter the Application name
- Select the support email from the drop-down list of mail addresses (prefer using your G Suite super admin email).
- If any additional Google APIs are required to access private data, add their scopes by clicking the Add scopes button. Before you add API scopes, make sure those APIs are enabled for the Google Cloud Project under the Library section of APIs & Services; otherwise, keep the pre-defined scopes and leave the scopes section untouched.
- Scopes for current assessment:
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.domain.readonly
- Configure the Authorized domain field by specifying your domain name.
- Click the Save button.
- If any future changes are required for the OAuth Consent Screen, click the Edit App button. If no change is required, skip this step.
- Configure the OAuth Client ID and Secret, which are used to create and modify resources on behalf of the user by including the user's tokens in requests made through the APIs. Generating an OAuth 2.0 token is a three-legged process.
2. Get client ID and client secret
- On the Developers Console, go to the project and navigate to APIs & Services > Credentials.
- Click the + Create Credentials button, and select the OAuth client ID from the dropdown list.
- On the Create OAuth client ID page, select the Application type - Desktop app and enter the name for OAuth Client ID.
- Click the Create button.
- Copy the Client ID and Secret and save them for later use.
- At any time, users can navigate to a particular Client ID under the OAuth 2.0 Client IDs section of Credentials. Navigate to APIs & Services > Credentials > OAuth 2.0 Client IDs to reset the credentials after the API authorization/refresh token has expired.
3. Authorize scopes
You first need to add the Client ID to domain-wide delegation to enable the assessment. To enable it:
- Go to the Google Admin console dashboard > Security > Advanced Settings.
- Under the Domain-wide delegation panel, click Manage Domain-wide Delegation.
- Click Add new and enter your Client ID and the respective scopes, separated by commas.
- Click the Authorize button.
- Scopes for current assessment:
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.domain.readonly
4. Add G Suite asset in SAFE
Once you have the Client ID and Secret, you can now add the G Suite asset in SAFE.
- Log in to SAFE and navigate to the Manage Assets page.
- Click the Add Asset button available for Cloud SaaS Applications.
- Select the Asset Type - G Suite from the drop-down.
- Enter the Asset Name, Owner, Location, and other details.
- Enter the Client ID and Client Secret.
- Click Submit. The G Suite Asset will be available under the Cloud SaaS Applications vertical.
5. Authenticate SAFE
Raise a service request by logging a ticket to the SAFE support team to authenticate SAFE.
Once the G Suite asset is onboarded to SAFE, you need to authenticate SAFE before the first assessment of the G Suite asset can start. Raise a Service Request to the SAFE support team to generate the authorization code using the authorization URL and provide it to the SAFE support team. This is a one-time process; once the first assessment has started, SAFE re-assesses the asset automatically.
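The scope lists in steps 1 and 3 and the authorization URL in step 5 can be checked against each other before consent is granted. The following is an added example, not part of the original document and not SAFE's own code: it audits a comma-separated domain-wide delegation scope field and an OAuth 2.0 authorization URL against the four read-only scopes listed above. The function names and the sample entry are constructed for illustration, and the check assumes the URL points at Google's standard authorization host.

```python
from urllib.parse import parse_qs, urlsplit

# The four read-only Admin SDK scopes this page lists for the assessment.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
})

def audit_scopes(scopes):
    """Report how a collection of scopes differs from the page's list."""
    granted = {s.strip() for s in scopes if s.strip()}
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "extra": sorted(granted - REQUIRED_SCOPES),
        "not_readonly": sorted(s for s in granted if not s.endswith(".readonly")),
    }

def delegation_field():
    """Comma-separated value for the domain-wide delegation scope field."""
    return ",".join(sorted(REQUIRED_SCOPES))

def audit_delegation_entry(scope_field):
    """Audit the comma-separated scope field of a delegation entry."""
    return audit_scopes(scope_field.split(","))

def audit_authorization_url(url, expected_client_id):
    """Check an OAuth 2.0 authorization URL before granting consent."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # OAuth 2.0 carries scopes as one space-separated "scope" parameter.
    findings = audit_scopes(query.get("scope", [""])[0].split())
    # accounts.google.com is Google's OAuth 2.0 authorization host.
    findings["google_https_host"] = (
        parts.scheme == "https" and parts.hostname == "accounts.google.com")
    findings["client_id_matches"] = query.get("client_id") == [expected_client_id]
    findings["requests_code"] = query.get("response_type") == ["code"]
    return findings

if __name__ == "__main__":
    # Constructed sample: an entry that also grants a writable directory scope.
    entry = delegation_field() + ", https://www.googleapis.com/auth/admin.directory.user"
    print(audit_delegation_entry(entry))
```

A non-empty `extra` or `not_readonly` list means the grant is broader than the assessment needs; a non-empty `missing` list means the assessment may not be able to read all directory data.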