Updated: July 24, 2020

Configure G-Suite for SSO

N-able recommends that you thoroughly review the Google G-Suite developer documentation before configuring SSO.

You will need to configure G-Suite for SSO before you configure N-able N-central.

  1. Create service account for importing users into N-able N-central.
    1. Open a browser and navigate to https://console.developers.google.com.
    2. In the upper left of the console page click IAM & admin and create a project.
    3. Click Service accounts.
    4. Click Create service account.
      1. In the Service account details screen, enter a Service account name, a Service account ID, and Service account description in the appropriate fields, then click Create.
      2. In the Service account permissions (optional) screen, select Owner from the Role drop-down list, then click Continue.

      3. In the Grant users access to this service account screen (optional), near the bottom, click Create Key.
        Select the JSON Key type.
        Click Create to immediately begin downloading the key locally.

      4. Once the JSON file has downloaded , close the dialog box and click Done in the Create Service Account screen.
    5. From the main Service accounts listing, locate your service account, click the three dots near the end of the row to open the actions menu, and select Edit.
    6. In the Service account details screen, click Show Domain-Wide Delegation to expand the section, and select the Enable G Suite Domain-wide Delegation checkbox.
      Click Save.

  2. Impersonate service account.
    1. Continuing from above, click IAM in the top left of the IAM & admin menu.
    2. Click Add (near the top of the page).
    3. Enter New members from any existing G-suite account.
    4. From the Role drop-down menu, select the appropriate Role to associate with the new member.

      You can add more than one Role for the new member.

    5. Click Save.
  3. Create a login ClientID and the N-able N-central allow list.
    1. Browse to https://console.developers.google.com.
    2. In the top left APIs & Services menu, click Credentials.
    3. In the Create credentials drop-down menu, select Oauth client ID.
    4. Select Web application.
    5. In the Authorized Javascript origins, enter the FQDN of the N-able N-central server, including either the http:// or https:// protocol.

      The simple IP address is not enough. You will not be able to connect to a N-able N-central server unless http:// or https:// is included in the FQDN.

    6. Click Create. You will see a confirmation pop-up message about the client ID created.
  4. Enable the Admin SDK API.
    1. Browse to https://console.developers.google.com.
    2. In the top left APIs & Services menu, click Library
    3. Search for "Admin SDK", and click on the result. The Admin SDK page displays.
    4. Click ENABLE.

  5. API client authorization

    Authorizing an API client allows the service account access to specific API services.

    1. Browse to admin.google.com.
    2. Navigate to Security in top left menu and click Settings.
    3. Scroll to the bottom of the page and click API access control.
    4. In the Domain wide delegation area, click Manage domain wide delegation.
    5. In the page that appears, click Add New in the API Client area.
    6. In the Client Name field enter the Service account Client ID.

      You can find the Service account Client ID either in JSON with the private key, or by going to console.developers.google.com, and navigating to APIs & Services > Credentials. The Client ID is listed under OAuth 2.0 client IDs.

    7. In the One or More API Scopes field, enter the following:
      • https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly

      • Shown here as three separate lines but should be entered as a single, continuous, comma-delimited string.

    8. Click Authorize.