# Google

Use these instructions to set up Google as your SSO provider for Tonic Structural.

To configure Google SSO:

1. [Create an OAuth 2.0 Client ID](#r20plh77lyu8) - Requires GCP project permissions to create credentials.
2. [Create and configure a service account to read user groups](#id-3jkc0rnrexut) - In addition to the above, requires Google Workspace administrator access.

The OAuth client ID is sufficient to enable logging in with your Google account, but no groups are parsed. If the service account is misconfigured, the login succeeds without the groups being parsed, and a warning is logged to the server with more details.

For the provided links, it is assumed that the user is logged into their administrative account and using the same project.

## Creating an OAuth 2.0 client ID <a href="#r20plh77lyu8" id="r20plh77lyu8"></a>

1. Go to <https://console.developers.google.com/apis/credentials>
2. Click **Create credentials**, located near the top.

![Create Credentials option for Google](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FYoN4bokOxvWbj7INt38W%2FGoogleCreateCredentials.png?alt=media\&token=47791367-f526-4066-9bae-aa0dd8527213)

3. Select **OAuth client ID**.

![Create OAuth Client ID panel](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FllCK8w8Wr5ZCN9jaVD9V%2FGoogleCreateOauthClientID.png?alt=media\&token=fda4615c-f8ad-4601-931a-d3f54af43d10)

4. Select **Web application** as the application type.
5. Choose a name.
6. Under **Authorized redirect URIs**, add the URL of the Structural server with the endpoint **/sso/callback**.
   * For example, a local Structural server at [http://localhost:3000](http://localhost:3000/) would need <http://localhost:3000/sso/callback> to be set as the redirect URI.
   * Also note that internal URLs might not work:

![Redirect URIs](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FrkdACR4tcFoY8OTIqI8Z%2FGoogleAuthorizeRedirectURLs.png?alt=media\&token=f9504b56-c054-4218-b699-62d0b671cabe)

7. Note the client ID and client secret. You will need to provide them to Structural.

![](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FaZxEvFOFly5l0ysQQJSv%2FGoogleOauthClientCreated.png?alt=media\&token=ddc3134c-b7db-4079-85f2-21e9dcf018d2)

## Providing the client information to Structural

Configure the following [environment settings](https://docs.tonic.ai/app/admin/environment-variables-setting) in the Structural web server container:

* `TONIC_SSO_CLIENT_ID`: \<client id of oauth credentials>
* `TONIC_SSO_CLIENT_SECRET`: \<client secret of oauth credentials>
* `TONIC_SSO_PROVIDER`: `google`

## Create and configure a service account to read user groups <a href="#id-3jkc0rnrexut" id="id-3jkc0rnrexut"></a>

To set up the service account:

1. [Create a service account with a JSON key](#create_service_account)
2. [Enable the Admin SDK API](#enable-the-admin-sdk-api)
3. [Add the Groups Reader admin role to the service account](#add-the-groups-reader-admin-role-to-the-service-account)
4. [Provide the service account and group information to Structural](#providing-the-service-account-and-group-information-to-structural)

### **Create a service account with a JSON key** <a href="#create_service_account" id="create_service_account"></a>

For official documentation, go to <https://cloud.google.com/iam/docs/creating-managing-service-accounts> and <https://cloud.google.com/iam/docs/creating-managing-service-account-keys>.

1. Go to <https://console.cloud.google.com/iam-admin/serviceaccounts>
2. Click **Create service account**, located near the top.

![Create service account panel](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FuC756hA95H1yFkad45TN%2FGoogleCreateServiceAccount.png?alt=media\&token=23e88964-4f64-43f8-af0a-d7dc438ae7ce)

3. Skip all of the subsequent optional steps.
4. After you create the service account, select it, then click the **Keys** tab.

![Keys tab](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2Fy1hUYbIGd8kBflcuSK9D%2FGoogleKeys.png?alt=media\&token=fcb42b54-6fb0-4ae9-831f-a658dc5a740f)

5. Select **Add Key -> Create new key**. Select JSON as the key type. The browser automatically downloads a JSON file.
6. The JSON file must be base64 encoded to set it as a variable in your Docker Compose file. An example command to do this is:

   `cat /path/to/json/file | base64 -w 0`

   The long output of this command is set as the value of `TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64` in the Docker Compose file. The output must be a single line; `-w 0` disables the line wrapping that GNU `base64` applies by default.
7. Take note of the service account email. You will need this later.
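The page notes that a misconfigured service account does not fail the login; it only drops the group lookup and leaves a warning in the server log. The following pre-flight check, added here as an example and not part of Tonic's documentation or product, catches two common causes before the value reaches the container: encoding the wrong file (for example the OAuth client JSON from the first section instead of the service-account key) and a base64 value that was line-wrapped. It uses only the Python standard library and the documented field names of a Google service-account key file (`type`, `client_email`, `private_key`, `project_id`); the sample key embedded below is constructed and carries a placeholder private key.

```python
"""Pre-flight check for the Google service-account key before it becomes
TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64.

Added example, not Tonic's code. Assumes only the standard library and the
documented shape of a Google service-account key file."""
import base64
import json

# Fields present in every Google service-account key file. The OAuth *client*
# JSON downloaded in the first section does not have them, which is one way
# the group lookup silently fails while login still succeeds.
REQUIRED_FIELDS = ("type", "client_email", "private_key", "project_id")


def validate_service_account_json(raw: bytes) -> str:
    """Parse a key file and return its client_email (the address that is
    assigned the Groups Reader role). Raises ValueError for anything that
    is not a service-account key."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not doc.get(f)]
    if missing:
        raise ValueError(f"missing fields: {', '.join(missing)}")
    if doc["type"] != "service_account":
        raise ValueError(f"unexpected key type {doc['type']!r}")
    if not doc["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM private key")
    return doc["client_email"]


def encode_service_account_json(raw: bytes) -> str:
    """Equivalent of `base64 -w 0`: single-line base64 with no wrapping,
    suitable for a Compose environment value. Validates first so that a
    wrong file is rejected before it is deployed."""
    validate_service_account_json(raw)
    return base64.b64encode(raw).decode("ascii")


def decode_and_check(encoded: str) -> str:
    """Reverse check for an existing TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64
    value: removes whitespace that wrapped `base64` output or a copy/paste
    may have introduced, decodes strictly, and re-validates the JSON."""
    cleaned = "".join(encoded.split())
    raw = base64.b64decode(cleaned, validate=True)
    return validate_service_account_json(raw)


# Constructed sample key, shaped like a real download but with a placeholder
# private key; it is not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "structural-sso@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}).encode()

# Constructed OAuth *client* JSON, the file a user might pick by mistake.
WRONG_FILE = b'{"web": {"client_id": "x.apps.googleusercontent.com", "client_secret": "y"}}'


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else SAMPLE_KEY
    email = validate_service_account_json(raw)
    print(f"service account email (assign Groups Reader to this): {email}")
    print("TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64=" + encode_service_account_json(raw))
```

Run it with the path of the downloaded key file as the only argument; it prints the service account email needed for the Groups Reader step and the single-line value for the Compose file. Treat that output as a secret in the same way as the key file itself.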

### **Enable the Admin SDK API**

1. Go to <https://console.cloud.google.com/apis/api/admin.googleapis.com/overview>
2. If it is not yet enabled, click **Enable**.

![Admin SDK API panel](https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FPhPmSEjY3670q6nXl5X4%2FGoogleAdminSDKAPI.png?alt=media\&token=4a6c573a-78ba-4ebc-9ef1-8f395a4ab89d)

### **Add the Groups Reader admin role to the service account**

1. Go to [https://admin.google.com](https://admin.google.com/) and select **Admin Roles**.
2. Select **Groups Reader** from the list of predefined roles.
3. Click **Assign Roles -> Assign service accounts**.
4. Copy the service account email into the box, then click **Add**.
5. To save these changes, click **Assign Role**.

### **Providing the service account and group information to Structural**

In the Structural web server container, set the following [Structural environment settings](https://docs.tonic.ai/app/admin/environment-variables-setting):

* `TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64`: \<base64 encoded json key>
* `TONIC_SSO_DOMAIN`: \<domain name> - The domain name is the workspace domain. For example, for <support@tonic.ai>, the domain is `tonic.ai`. On a self-hosted instance, only users with this domain can log into Structural.
* `TONIC_SSO_GROUP_FILTER_REGEX`: Identifies the allowed SSO groups for Structural. For details, go to [sso-limit-groups](https://docs.tonic.ai/app/admin/tonic-user-access/single-sign-on/sso-limit-groups "mention").

{% hint style="info" %}
For Kubernetes, you can provide `TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64` through the `tonic-sso-google-account-service-json-secret` secret.
{% endhint %}
