Integration with Google Enterprise using OAuth 2.0

Overview

MangoApps seamlessly integrates with Google Enterprise through OAUTH 2.0 provisioning. This integration empowers organizations using MangoApps with automated user provisioning and lifecycle management, ensuring a streamlined and efficient process.

This technical guide provides comprehensive insights into the integration capabilities of MangoApps with Google Enterprise accounts using OAUTH 2.0.


MangoApps Setup

Google Console URL: https://console.cloud.google.com/apis/

From your MangoApps Admin Portal, navigate to the SSO settings. Within this menu, click the OAuth 2.0 tab, then select the Add SSO Connection button in the top right-hand corner.

This will bring up the New SSO Connection (OAuth 2.0) wizard menu.

Populate the following fields accordingly:

Select an external identity provider to use for SSO: Choose Google Apps from the dropdown menu.

Name: Name the SSO Connection per your preference.

JIT User provisioning: (Optional but recommended) When this feature is enabled, upon successful SSO authentication, MangoApps will automatically generate new user profiles and provide automated activation for users within the MangoApps domain. When this feature is disabled, MangoApps will not automatically create user profiles for individuals who do not already exist within the MangoApps domain. Moreover, if a user is in a suspended state within the MangoApps domain, MangoApps will not activate their profile.

Remember User: When enabled, the system retains the user's session, allowing for automatic login to the domain during subsequent visits, unless the user explicitly logs out.

Authorization for read & write: Enable this option to allow MangoApps to obtain consent for the permissions necessary for seamless integration with G Suite. Users will be prompted to grant access for reading user profiles, emails, calendars, and Google Drive, ensuring smooth functionality across all integrations.

After logout go to page: (Optional) The URL to which the user will be redirected on logging out from the domain.

Use Enterprise Credentials: Enable this setting if you would like MangoApps to use the credentials of the app your company has registered in Google Apps. Enable this only if you are a MangoApps private cloud or on-premise customer. If you are a shared cloud customer, keep this setting disabled, as MangoApps will automatically handle the app registration.

Once the configuration is to your preference, the MangoApps side is complete for now.


Google Workspace Setup

Switch to your Google console using the following Google Console URL: https://console.cloud.google.com/apis/

From this page, click on the Credentials option in the left-hand navigation menu. From the credentials page, click + Create Credentials along the top navigation menu. From the dropdown menu, select OAuth client ID.

This action will open the Create OAuth client ID configuration menu. Within this menu, select Web Application from the Application type dropdown menu. Then name the application to your preference. This name will not be shown to end users.

Next, add the Authorized JavaScript origins and your redirect URIs.

The origins URI will be your MangoApps domain, example: https://abc.mangoapps.com

Your Authorized redirect URI will be your MangoApps domain URL with the addition of "/oauth2/complete". Example: https://abc.mangoapps.com/oauth2/complete

Once these fields are complete, Save the configuration.

If the setting does not take effect immediately, please allow 5 minutes to a few hours for the update to take place, depending on your Google Enterprise settings.


With the OAuth client created, the Client ID and Client Secret are generated in the system. Click your newly created credential to view this information. From this pop-up, download the JSON for use in the MangoApps Admin Portal.

We have completed setup within Google Workspace.


MangoApps Setup Continued

Navigate back to the MangoApps SSO settings in the admin portal. In the New SSO Connection pop-up menu for the integration initiated earlier in this guide, input the following details into the Configure Manually text fields. If you cannot locate these fields, expand the Configure Manually menu by clicking the downward arrow.

Enter the Client ID and Client Secret from the Google Workspace credential we set up in the steps above into the 1st and 2nd text fields.

Enter your Network Admin’s email address into the Client Email ID field.

From the downloaded JSON file:

Copy the auth_provider_x509_cert_url from the JSON file and paste it into the Client X509 Cert URL and Auth Provider X509 Cert URL fields in MangoApps.

Copy the redirect_uris from the JSON file and paste it into the Authorized Redirect URL field in MangoApps.

Copy the javascript_origins from the JSON file and paste it into the Authorized JavaScript Origins field.

Enter the Site as https://accounts.google.com

Copy the auth_uri from the JSON file and paste it into the Auth URL field in MangoApps.

Copy the token_uri from the JSON file and paste it into the Token URL field in MangoApps.

Finally, Save the configuration.
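The steps above map the downloaded Google client JSON onto the MangoApps Configure Manually fields by hand. The following script, an added example rather than MangoApps or Google code, performs the same mapping and first checks that the Google-side URIs are HTTPS and exactly the MangoApps domain and domain + "/oauth2/complete", the two values the guide prescribes, so a stray or wildcard redirect URI is caught before it is saved. It assumes the JSON shape Google Cloud Console produces for a Web application client (a top-level "web" key); the sample JSON and its credentials are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the downloaded client JSON (placeholder credentials).
SAMPLE_JSON = json.dumps({"web": {
    "client_id": "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER_CLIENT_SECRET",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "redirect_uris": ["https://abc.mangoapps.com/oauth2/complete"],
    "javascript_origins": ["https://abc.mangoapps.com"],
}})

REDIRECT_PATH = "/oauth2/complete"  # suffix MangoApps expects on the redirect URI


def check_uris(domain, origins, redirects):
    """Return problems found in the Google-side URIs; an empty list means they match the guide."""
    problems = [f"not https: {u}" for u in origins + redirects
                if urlparse(u).scheme != "https"]
    if origins != [domain]:  # one exact origin: the MangoApps domain itself
        problems.append(f"origins should be [{domain}], got {origins}")
    if redirects != [domain + REDIRECT_PATH]:  # exact match, no wildcards or extras
        problems.append(f"redirect should be [{domain + REDIRECT_PATH}], got {redirects}")
    return problems


def mangoapps_fields(client_json_text, domain):
    """Map the JSON 'web' block onto the MangoApps Configure Manually fields."""
    web = json.loads(client_json_text)["web"]
    problems = check_uris(domain, web["javascript_origins"], web["redirect_uris"])
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Client ID": web["client_id"],
        "Client Secret": web["client_secret"],
        "Client X509 Cert URL": web["auth_provider_x509_cert_url"],
        "Auth Provider X509 Cert URL": web["auth_provider_x509_cert_url"],
        "Authorized Redirect URL": web["redirect_uris"][0],
        "Authorized JavaScript Origins": web["javascript_origins"][0],
        "Site": "https://accounts.google.com",
        "Auth URL": web["auth_uri"],
        "Token URL": web["token_uri"],
    }

if __name__ == "__main__":
    for field, value in mangoapps_fields(SAMPLE_JSON, "https://abc.mangoapps.com").items():
        print(f"{field}: {value}")
```

Replace SAMPLE_JSON with the contents of your real download and the domain argument with your own MangoApps URL; the Client Email ID field is not in the JSON and is still entered by hand.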

Congratulations! You have completed the integration.


Testing Considerations

To test the connection, log out from your MangoApps domain and try logging in again using the associated Google account.


Security Considerations

  • Utilize distinct projects for both testing and production environments to prevent data mishandling.

  • Maintain a comprehensive list of pertinent contacts to ensure effective communication and response to security incidents.

  • Always represent your identity accurately to maintain transparency and accountability.

  • Request only the scopes necessary for your application's functionality to minimize potential vulnerabilities.

  • For production applications employing sensitive or restricted scopes, undergo verification to uphold security standards.

  • Additionally, limit usage to official domains owned by your organization to mitigate risks associated with unauthorized access.


End User Experience

When attempting to log in to the domain, users have the option to directly access their accounts using their Google Apps credentials. This streamlined process simplifies password management, eliminating the need for end users to memorize multiple sets of credentials.


Rollout Recommendations

Access Control

Implement granular access controls to regulate which users and applications can authenticate via OAuth. Utilize Google's Identity and Access Management (IAM) to manage permissions effectively.

Audit Logging

Enable audit logging to monitor OAuth activity and detect any unauthorized access attempts or suspicious behavior. Regularly review audit logs to ensure compliance and security.

Scopes Management

Only request OAuth scopes that are necessary for the intended functionality of your applications. Minimize the scope of access granted to reduce potential security risks.

Security Verification

If your applications require access to sensitive or restricted scopes, undergo Google's security verification process. This ensures that your apps meet Google's security standards and enhances user trust.

Continuous Monitoring

Continuously monitor your OAuth integration for any anomalies or security vulnerabilities. Stay informed about updates and changes to Google's OAuth policies and adjust your implementation accordingly.

User Education

Educate end-users about OAuth and how to recognize legitimate authorization requests. Encourage them to only authorize applications from trusted sources and to report any suspicious activity promptly.

Regular Reviews

Conduct regular reviews of your OAuth implementation to assess its effectiveness, identify areas for improvement, and address any emerging security concerns.
