You must register at least one domain (for example, myuniversity.com) with Google Workspace for Education. Google Workspace for Education has web services exposed, which can be used to manage users and get data.
Note: Google Workspace 1.3 does not support @gmail.com addresses at this time. It requires the use of a Business or Educational Google Workspace domain.
Register domains with Google Workspace
The Google Workspace integration supports multiple domains. For example, by organizing a Google Workspace environment into sub-domains, schools within an organization can continue to use their own domain names for their email and logins. To add multiple domains, D2L recommends managing them with a single Google Workspace account.
Each domain must be registered with Google Workspace before you add them to Brightspace.
Add domains to Brightspace
When you add a domain, Brightspace verifies that the service account credentials provided have access to that domain. If the service account has not been set up or validation of the service account fails, you are prompted to enter or resolve your service account information.
- From the Admin Tools menu, or in the Organization Related section of the Admin Tools widget, click the Google Workspace Administration link.
- Click Manage Domains.
- Click Add Domain and enter the domain name, for example, myuniversity.com.
- Click Save. The new domain is added to the domain list.
To configure existing domains, select a domain from the domain list and choose an option: Remove Domain, Edit Domain, or Set as Default.
Set up an API project and service account for OAuth 2.0
To use OAuth 2.0 with the Google Workspace integration, you must set up the following:
- An API project: Google Workspace requires an API project in order to use its APIs and apply additional security controls.
- A service account: By using a service account's credentials, Brightspace can make authorized calls to Google APIs on behalf of users to perform authentication and authorization. This mechanism improves the security of the Google Workspace integration.
Step 1: Create an API project
These steps are for creating a new API Project. If you have an existing project that you want to use, skip this section.
- Browse to the Google Developers Console and log in with your Google administrator credentials.
- For information on how to create a project, refer to Create, shut down, and restore projects in the API Console Help.
- Enable the Drive API, Calendar API, Gmail API, and Admin SDK. For information on enabling APIs, refer to Enable and disable APIs in the API Console Help.
Step 2: Configure the authorization end point to work with your API project
In order for auto-authorization to work, you need to create a new Web Application client ID. This allows users to automatically authenticate their Google Workspace for Education account without needing any secondary intervention on the administrator's part. This is the standard configuration for Google Workspace.
- Ensure your API project is open in the Google Developers Console.
- If the APIs & services page isn't already open, navigate to the console left side menu and select APIs & services. Click Credentials, click Create Credentials, and then select OAuth client ID.
Note: You might be asked to configure your Google consent screen. Users might see this when initially configuring the connection between their Google accounts and Brightspace. Refer to the User consent section in Setting up OAuth 2.0 and configure the consent screen as needed.
- For the Application type, select the Web application option.
- Enter a name for your web application.
- In the field for authorized JavaScript origins, enter your D2L domain.
- In the field for authorized redirect URLs, change the end point to [D2L Domain]/d2l/im/gapps/pages/auth/Signin.
- Create the client ID.
- Make note of the following values:
- In Brightspace, on the Google Workspace Administration page, click Settings.
- Under Google Client IDs, add the Client ID and Client Secret values.
Step 3: Set up the app to be Trusted by your Google Workspace
- Browse to your Google Admin console and sign in to your account.
- Navigate to Security > API controls.
- Under App access, select Manage Third-Party App Access.
- Click Add App, and choose OAuth App Name or Client ID.
- Enter the app's Client ID as noted above, and then click Search.
- From the list of search results, click Select for the app that you want to manage.
- Select the check boxes for the client IDs that you want to configure, and then click Select.
- Pick the org units where you want to use Google Workspace in Brightspace and click Continue.
- Select Trusted: App can request access to all Google data and click Continue.
- Click Finish.
On the apps page, the Access column displays the access status for the app as Trusted for the org units selected.
Step 4: If you did not select the No Service account option from the Workspace Access area, configure the service account
To use the Admin SDK to perform administrator tasks, you need to configure a service account. The service account allows you to securely create, link, and deactivate users with the Google Workspace integration.
- Ensure your API project is open in the Google Developers Console.
- For information on how to configure a service account, see the Service accounts section in Setting up OAuth 2.0 in the API Console Help. For additional information, refer to Using OAuth 2.0 for Server to Server Applications and Service accounts in the Google Identity Platform.
- To easily identify your service account for the Brightspace web application, create a new service account.
- D2L recommends that you enter a service account name that is the same as the web application name.
- D2L recommends that you choose the Project Owner role.
- Choose to generate the key as a standard P12 file and save it to your local drive.
- Create the service account key.
- Make note of your private key's password and close the dialog box.
- In the Google Developers Console, click the link to take you to the area where you can manage your service accounts.
- Click on the edit icon for your service account and navigate to the Manage details tab.
- Under Advanced settings and Domain-wide Delegation, copy your Client ID and click on View Google Workspace Admin Console. Then, log in to your Google Workspace administrator account and ensure that domain-wide delegation is enabled for your service account. For additional information, refer to Delegating domain-wide authority to the service account.
- For the service account you created, click the link to view the service account details:
- Service account (email address), which is entered on the Google Workspace Service Account page in Brightspace, in the Service account email field.
- Unique ID/Client ID, which is entered into the domain security settings for the API scopes access.
Step 5: Allow the service account to access your Google Domain
For the service account to perform user actions against your domain, you must grant it access.
- Browse to https://admin.google.com and log in with your Google Workspace administrator account.
- For information on how to allow the service account to access your Google Domain, refer to Control API access with domain-wide delegation in the Google Workspace Administrator Help. Go to Security > Access & data control > API Controls and then in the Domain wide delegation section select Manage Domain Wide Delegation.
- Click Add new and in the Client Name field, enter your service account Unique ID/Client ID. Your Unique ID/Client ID is from the Service Account Client where you generated the P12 key.
- Before changing Read-only Access to Google Directory API, review your organization policy.
- Do one of the following:
- If you have enabled Read-only access to Google Directory API in Google Workspace Administration settings, add the following API scopes to the One or More API Scopes field as a comma-separated list:
https://www.googleapis.com/auth/admin.directory.user.readonly, https://apps-apis.google.com/a/feeds/domain/, https://www.googleapis.com/auth/gmail.readonly, https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/drive.readonly
Note: The scope for only retrieving users or user aliases (view-only) is https://www.googleapis.com/auth/admin.directory.user.readonly.
- If you have not enabled Read-only access to Google Directory API in Google Workspace Administration settings, add the following API scopes to the One or More API Scopes field as a comma-separated list:
https://apps-apis.google.com/a/feeds/domain/, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/gmail.readonly, https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/drive.readonly
Note: The global scope for access to all user and user alias operations (view and manage) is https://www.googleapis.com/auth/admin.directory.user.
- Click Authorize.
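What Steps 4 and 5 set up is the OAuth 2.0 server-to-server flow: the service account signs a JWT assertion whose sub claim names the Workspace user to impersonate, and Google's token endpoint returns an access token limited to the scopes authorized for that client ID. The Go program below, added here as an illustration and not code from D2L or Google, builds and signs such an assertion offline and picks the scope list according to the read-only choice from Step 5; the service account email, the administrator address and the throwaway RSA key are assumptions, and in production the key is the one from the P12 file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)

// Claims of the JWT bearer assertion; "sub" is what domain-wide delegation enables.
type Claims struct {
	Iss   string `json:"iss"`   // service account email from Step 4
	Sub   string `json:"sub"`   // impersonated Workspace user (the domain administrator from Step 6)
	Scope string `json:"scope"` // must be a subset of the scopes authorized in Step 5
	Aud   string `json:"aud"`   // Google's OAuth 2.0 token endpoint
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// DelegationScopes mirrors the two Step 5 lists: ".readonly" Directory scope or the manage one.
func DelegationScopes(readOnlyDirectory bool) string {
	dir := "https://www.googleapis.com/auth/admin.directory.user"
	if readOnlyDirectory {
		dir += ".readonly"
	}
	return strings.Join([]string{dir,
		"https://apps-apis.google.com/a/feeds/domain/",
		"https://www.googleapis.com/auth/gmail.readonly",
		"https://www.googleapis.com/auth/calendar.readonly",
		"https://www.googleapis.com/auth/drive.readonly"}, " ")
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewKey generates a throwaway RSA key (assumption) so the program runs offline without a P12 file.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildAssertion produces the RS256-signed JWT (header.claims.signature) exchanged for an access token.
func BuildAssertion(key *rsa.PrivateKey, saEmail, adminEmail string, readOnly bool, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Iss: saEmail, Sub: adminEmail, Scope: DelegationScopes(readOnly),
		Aud: "https://oauth2.googleapis.com/token", Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	input := b64(hdr) + "." + b64(body) // signing input: base64url without padding
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}
```

Because any holder of the P12 file and its password can mint these assertions for any user in the domain, treat the key file as a domain administrator credential and keep the Step 5 scope list to the read-only variant wherever your organization policy allows.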
Step 6: Configure a service account in Brightspace
- From the Admin Tools menu, or in the Organization Related section of the Admin Tools widget, click the Google Workspace Administration link.
- Click Service Account.
- Enter your Google Workspace domain administrator's login name.
- Enter your Service account email.
- Enter your P12 Password.
- In Upload P12 Key File, click Choose file and attach the P12 file you saved to your local computer.
- Click Save.
For more information, refer to Control which third-party & internal apps access Google Workspace data.