In order to successfully connect your Smoothwall to your G Suite domain, you must create a Service Account in the Google Developers Console.
Google Service Accounts grant access for that machine or appliance to Google. In the most basic of terms, the Service Account you create here is Smoothwall's passport. The Client ID (downloaded in readiness for authorizing the Service Account) is the passport number. Without these, the Smoothwall cannot "cross the boarder" into Google to access usernames, groups, and organizational units.
The account allows the Smoothwall to read your G Suite domain user and group information. The Service Account must be downloaded in a JSON format.
Note: Disclaimer: The following instructions are correct at the time of writing. Google feature names and links may change over time.
- Go to https://console.developers.google.com and log in as an admin user.
If it is the first time you log in as a new user you will be prompted to accept the Google terms and conditions.
- Create a new project (IAM & Admin > Projects > CREATE PROJECT). You cannot reuse an existing project if you have created any previously.
Note: If you have previously created projects under the logged in username, you may find the menu options are project_name > Create a project, where project_name is a previously created project.
- Enter a suitable Project Name, for example,
- Click Create.
The project name appears in the top left when it has been successfully created.
- Click the menu icon at the top left, and select IAM & Admin.
- Click Service accounts.
- Click CREATE SERVICE ACCOUNT.
- Configure the following:
- Service account name Enter an appropriate name for this service account.
- Role Do not select anything for Role.
- Service account ID This automatically filled in, based on the Project name and Service account name.
- Furnish a new private key Select this option.
Additional parameters are made available to you:
From Key type, select JSON.
- Enable G Suite Domain-wide delegation Select this option. Without this, the Client ID will not be generated.
- If a consent screen has not been configured previously, you are prompted to configure a Product name for the consent screen.
A consent screen is only displayed to users when Connect for Chromebooks verifies the user credentials with Google see How to Setup Google Verification with Connect for Chromebooks. Users must grant permission for their credentials to be checked with Google. Even though this is not needed when Connect for Chromebooks extension to trust the user-supplied G Suite domain credentials, you cannot leave this setting blank.
Connect for Chromebooks.
- Click Create.
The private key, in
JSON format, is downloaded to your computer. Keep this in a safe place as you cannot download it again from the Google console.
The newly created service account appears in the Service account page.
- Click View client ID on the far right for the newly created service account.
- Make a note of the Client ID. This is needed when you authorize the service account.
Client IDs are a string of numbers, for example,
You do not need to click Save at this point as no changes have been made.
- Click > API Manager > Library.
- From the Google Apps APIs list, click Admin SDK.
Tip: If the Admin SDK link is not immediately obvious, enter
Admin SDK into the search bar at the top of the section.
- Click Enable API.
What's Left To Do?
- How do I authorize the Google Service Account?
- Create a Google Directory connection on your and synchronize it with your G Suite domain
- Enable the Connect for Chromebooks service on your Smoothwall
- How do I allow Google services through my Smoothwall?
- How do I distribute the HTTPS certificate to all my Chromebooks?
- How do I roll out proxy settings to all my Chromebooks?
- How do I deploy the Connect for Chromebooks Extension to all devices?
- How do I filter my Google devices when external to the network?
- Troubleshooting Connect for Chromebooks
- Go back to How to Setup Google as a Directory with Connect for Chromebooks