Single Sign-On (SSO) in collaboration with Google Workspace
With Pluvo, you can easily set up Single Sign-On (SSO) for your academy. In this article, we explain how you can retrieve the data in Google Workspace.
Once you have this information, you can easily implement Single Sign-On (SSO) in Pluvo. You can find more information about this in this article.
Note: For the following steps, you need to have an administrator account in Google Workspace and a Company subscription in Pluvo.
Step 1: Settings in Google Cloud Platform
Let's start by creating an OAuth client ID:
OAuth 2.0 client
Go to https://console.cloud.google.com/apis/credentials and choose +Create credentials for OAuth Client-ID.
Then select Web Application:
In the next step, you need to give a name to the client-ID. Choose a clear name, for example: 'Webclient Pluvo academy' so that you'll remember later what this client-ID is used for.
Then copy the “filled in” parameters from Pluvo to Google Workspace.
(You can find these parameters in Administration > Settings under 'SSO & LTI').
For example:
Authorized JavaScript origins: https://yoursubdomain.pluvo.com/
Authorized redirect URIs: https://yoursubdomain.pluvo.com/oidc/callback/
In this screen, you can fill in the following fields:
After saving this, a pop-up will appear with your client-ID and secret key.
Note: Make sure to make a copy, as you'll need the client ID and client secret data later for the Pluvo SSO settings.
OAuth Consent Screen
The next step is to create a consent screen in Google Workspace so that users can agree to the SSO login.
Go to https://console.cloud.google.com/apis/credentials/consent and fill in the following details:
Type: Internal
App Name: [Provide a clear name]
App Logo: [Choose an image]
Email: [Person responsible for supporting users]
Google API Scope: email, profile, openid, https://www.googleapis.com/auth/admin.directory.group.readonly**
** Only add the https://www.googleapis.com/auth/admin.directory.group.readonly scope if you want to receive group information.
Authorized Domains: pluvo.co
Links: [You can leave these blank]
Then save it, and you're done with the adjustments in your Google Cloud Platform.
Step 2: Settings in Google Workspace if you want to pass group information to Pluvo
If you entered the scope https://www.googleapis.com/auth/admin.directory.group.readonly in the previous step, you also need to arrange access in the Google Admin console of your Workspace.
Set Up App Access Control
Go to https://admin.google.com/ac/owl/list?tab=apps and configure a new app. Provide the OAuth Client ID, and your app will appear in the list. Select this app, then grant access to all services.
Done! Now your users can log in and will automatically be added to the groups they belong to in Workspace. This way, you can directly offer users the relevant learning paths.
Note: Only proceed to step 3 after completing step 2. We retrieve all groups from your Workspace right after step 3, and we need the correct permissions for that.
Step 3: Pluvo SSO Settings
You now have all the necessary information to fill in Pluvo. You can find these fields in the academy under Administration > Settings under 'SSO & LTI'.
OAuth Client id = ..... [You obtained this above with the OAuth client ID]
OAuth Client secret = ....... [You obtained this above with the OAuth client ID]
The following fields are always the same for Google Workspace:
Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth
Token endpoint: https://oauth2.googleapis.com/token
User endpoint: https://openidconnect.googleapis.com/v1/userinfo
Scope = openid email
Oidc sign algo = RS256
Oidc op jwks endpoint: https://www.googleapis.com/oauth2/v3/certs
If you want to send group information and automatically add users to the same groups in Pluvo as in Workspace, then add the following link to the scope, after "openid email" (this is the same scope as in the OAuth Consent Screen): https://www.googleapis.com/auth/admin.directory.group.readonly
Simply fill in the required fields, click "Save," and switch the slider to "Active".
Afterward, your users can seamlessly log in via SSO!
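Before switching the slider to "Active", the Step 3 values can be checked against the fixed values listed above. The script below is an added example, not Pluvo's own code; the dictionary keys, the `audit_sso_settings` function and the sample values are hypothetical names chosen to mirror the field labels in this article.

```python
from urllib.parse import urlsplit

# Fixed Google Workspace values, copied from Step 3 of this article.
GOOGLE_FIXED = {
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "user_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "oidc_op_jwks_endpoint": "https://www.googleapis.com/oauth2/v3/certs",
    "oidc_sign_algo": "RS256",
}
GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"


def audit_sso_settings(settings, academy_host):
    """Return a list of findings; an empty list means the values match the article."""
    findings = []
    for key, expected in GOOGLE_FIXED.items():
        if settings.get(key) != expected:
            findings.append(f"{key}: expected {expected!r}, got {settings.get(key)!r}")
    scopes = settings.get("scope", "").split()
    for required in ("openid", "email"):
        if required not in scopes:
            findings.append(f"scope: missing {required!r}")
    for extra in sorted(set(scopes) - {"openid", "email", GROUP_SCOPE}):
        findings.append(f"scope: unexpected {extra!r}")
    # Google matches redirect URIs exactly, so scheme, host and trailing slash all count.
    redirect = urlsplit(settings.get("redirect_uri", ""))
    if redirect.scheme != "https":
        findings.append("redirect_uri: must use https")
    if redirect.hostname != academy_host:
        findings.append(f"redirect_uri: host is not {academy_host!r}")
    if redirect.path != "/oidc/callback/" or redirect.query or redirect.fragment:
        findings.append("redirect_uri: path must be exactly /oidc/callback/")
    for secret_key in ("client_id", "client_secret"):
        if not settings.get(secret_key, "").strip(". "):
            findings.append(f"{secret_key}: still empty or a placeholder")
    return findings


# Constructed sample values for illustration only (not real credentials).
SAMPLE = {**GOOGLE_FIXED, "scope": "openid email " + GROUP_SCOPE,
          "redirect_uri": "https://yoursubdomain.pluvo.com/oidc/callback/",
          "client_id": "constructed-id.apps.googleusercontent.com",
          "client_secret": "constructed-secret"}

if __name__ == "__main__":
    print(audit_sso_settings(SAMPLE, "yoursubdomain.pluvo.com") or "settings match")
```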
Updated on: 02/07/2024