Articles on: Single Sign-on

Single Sign-On (SSO) in collaboration with Google Workspace

With Pluvo, you can easily set up Single Sign-On (SSO) for your academy. In this article, we explain how you can retrieve the data in Google Workspace.

Once you have this information, you can easily implement Single Sign-On (SSO) in Pluvo. You can find more information about this in this article.

Note: For the following steps, you need to have an administrator account in Google Workspace and a Company subscription in Pluvo.

Step 1: Settings in Google Cloud Platform



Let's start by creating an OAuth client ID:

OAuth 2.0 client



Go to https://console.cloud.google.com/apis/credentials and choose +Create credentials for OAuth Client-ID.

OAuth Client-ID

Then select Web Application:

Web Application

In the next step, you need to give a name to the client-ID. Choose a clear name, for example: 'Webclient Pluvo academy' so that you'll remember later what this client-ID is used for.

Then copy the “filled in” parameters from Pluvo to Google Workspace.
(You can find these parameters in Administration > Settings under 'SSO & LTI').

For Example:
Authorized JavaScript sources: https:// yoursubdomain. pluvo.com/
Authorized redirect URIs: https:// yoursubdomain. pluvo.com/oidc/callback/

Parameters

In this screen, you can fill in the following fields:

Fields

After saving this, a pop-up will appear with your client-ID and secret key.

Note: Make sure to make a copy, as you'll need the client ID and client secret data later for the Pluvo SSO settings.

Client ID and Secret

OAuth Consent Screen



The next step is to create a consent screen in Google Workspace so that users can agree to the SSO login.

Go to [https://console.cloud.google.com/apis/credentials/consent] and fill in the following details:

Type: Internal
App Name: [Provide a clear name]
App Logo: [Choose an image]
Email: [Person responsible for supporting users]
Google API Scope: email, profile, openID, https://www.googleapis.com/auth/admin.directory.group.readonly**

Only add the https://www.googleapis.com/auth/admin.directory.readonly scope if you want to receive group information

Authorized Domains: pluvo.co
Links: [You can leave these blank]

Then save it, and you're done with the adjustments in your Google Cloud Platform.

Step 2: Settings in Google Workspace if you want to pass group information to Pluvo



If you entered the scope https://www.googleapis.com/auth/admin.directory.group.readonly in the previous step, we need to also arrange access in the Google Admin of your workspace

Set Up App Access Control



Go to <https://admin.google.com/ac/owl/list?tab=apps> and configure a new app. You provide the OAuth Client ID, then you'll see your App there. Choose this app and select it. Then grant access to all services.

App Access Control

Done! Now your users can log in and will automatically be added to a group they are in Workspace. This way, you can directly offer users the relevant learning paths.

Note: Only proceed to step 3 after completing step 2. We retrieve all groups from your Workspace right after step 3, and we need the correct permissions for that.

Step 3: Pluvo SSO Settings



You now have all the necessary information to fill in Pluvo. You can find these fields in the academy under Administration > Settings under 'SSO & LTI'.

OAuth Client id = ..... [You obtained this above with the OAuth client ID]
OAuth Client secret = ....... [You obtained this above with the OAuth client ID]

The following fields are always the same for Google Workspace:

Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth
Token endpoint: https://oauth2.googleapis.com/token
User endpoint: https://openidconnect.googleapis.com/v1/userinfo
Scope = openid email
Oidc sign algo = RS256
Oidc op jwks endpoint: https://www.googleapis.com/oauth2/v3/certs

If you want to send group information and automatically add users to the same groups in Pluvo as in Workspace, then enter the following link in the scope, after "openid email" (this is the same scope as in the OAuth Consent Screen: https://www.googleapis.com/auth/admin.directory.group.readonly



Simply fill in the required fields, click "Save," and switch the slider to "Active".
Afterward, your users can seamlessly log in via SSO!

Updated on: 02/07/2024

Was this article helpful?

Share your feedback

Cancel

Thank you!