Google Apps for Education
The integration allows users to create and edit Google Docs through a Webfiles Component within Frog. Users can also use the Google Widgets to view their Google Calendar or Google Mail within Frog.
Please note these widgets can only show data for accounts using the integration. They cannot be configured to point to individual or personal accounts that are not configured for use with Frog.
Before you start
Before integration can be set up there are two very important things that you will need.
- A Google Apps for Education account. This account must be set up and verified.
- A Google Apps administrator account with access to the Provisioning API to allow Frog to create new users.
Configuring the Frog Server
Several roles will need to be enabled under Toolkit > Admin > Roles before the integration can be set up.
The below roles need to be enabled for the Administrator Login Profile.
- Google HTTP API
- All Google Roles
Any Login Profiles that you wish to use with Google Apps for Education Integration need to have the below role enabled:
- All Google Roles
The Administrator then needs to navigate to: Toolkit > Admin > Server Configuration > SSL
Select "Create a new X.509 certificate" and fill in the below fields.
- Country Code: UK (If you are an international school you may have to look up the correct country code).
- County Name: **** (Whichever county your school is in - if you are an international school this may be the district)
- Town Name: **** (See above)
- Organization Name: **** (School name)
The Administrator then needs to navigate to: Toolkit > Tools > Config > Google Apps
The details of the Google Admin account need to be entered here.
Remember to use the full Google Admin name including the domain.
At this time you will not be able to populate two fields:
- OAuth consumer key
- OAuth consumer secret
These fields will be populated later after we configure the Google Apps Admin account.
Configuring the Google Apps Account
The following options need to be ticked or selected in the Google Admin panel.
This is accessed at https://www.google.com/a/cpanel/**insertschooldomainhere**/Dashboard
The Google Apps admin account should not have the same username as any Frog account that needs to access Google Docs or you will get a Google Error as Frog tries to create a user account with the same name as the admin account. If it does, we recommend that the username is changed within Frog as Google can take 5 days to change a username. Alternatively you can use the Import Google Users function to add in the username to the Frog account.
Google have recently introduced a new admin layout and this option is enabled in a slightly different way depending on which console you are using.
In the New Google Admin console select:
Security - API Reference - Enable API Access (check)
In the Classic Google Admin console select:
Domain Settings - User Settings - Enable Provisioning API (check)
Single Sign On
Again, the location of these settings has changed in the new Google Admin console. The settings and steps to be followed are identical in both views; only the route to get to them has changed.
Security - Advanced Settings - Set Up Single Sign On (SSO):
Advanced Tools - Set Up Single Sign On
On this page the first thing you will need to do is upload the X.509 Certificate from Frog as a .txt file. This needs to be done first because the certificate upload wipes all other settings on the page.
Once this has been done fill out the following fields:
- Enable Single Sign On (check)
- Sign in page URL – copy from/to the Frog Toolkit (ensure that the external address for the Frog Server is used).
- Sign out page URL – copy from/to the Frog Toolkit (ensure that the external address for the Frog Server is used).
- Change Password URL – copy from/to the Frog Toolkit (ensure that the external address for the Frog Server is used).
These settings will need to be identical in both Frog and Google. We would normally recommend that domain is used.
IMPORTANT: If you are using an internal DNS rule to access the Frog Server inside school, this will automatically populate the Sign In Page URLs within the Toolkit, as Frog will utilise whatever address you have used in your browser. When you copy this information into Google you will need to change this to use your external domain or users will not be able to access their Google Docs externally. We recommend setting an internal DNS rule that is cosmetically the same as your external domain but will redirect users to the internal IP of the Frog server within school. If you are concerned or have any questions about your current set up please contact Frog Technical Support on 01422 395939 or by email at firstname.lastname@example.org.
- Use a Domain Specific Issuer (check)
Set Up OAuth
Advanced Tools - Manage OAuth Domain Key
- Enable this Consumer Key (check)
- OAuth consumer key – copy and put into the Frog Toolkit (to generate the secret put in the key then select button)
- OAuth consumer secret – copy and put in the Frog Toolkit
- Two legged OAuth access – Allow access to all API (check)
Note: You do not need to upload a certificate in this area.
Creating a user
Once Google Apps for Education SSO is enabled, a new account for a user will be created automatically when they log into Frog and create a new Google document. This action sends the request to Google for the new account.
Linking to an existing Google account
When a user account does not exist at Google for your establishment, the default behaviour is for Frog to submit a request to Google, who create the account. This is typically done when a request to create a document is passed across, as above. However, if a Google account already exists, it is possible to link it to a Frog account by a CSV import, as below. Please remember that ONLY Google Apps for Education accounts are supported:
The CSV file MUST contain three columns and three columns only. These columns must be as follows:
These column headers are case sensitive.
“user_id” is the Unique ID of the user on the Frog server. This is specified so that the Frog server knows which user to link to a Google username.
“username” is the user's Google username. This should not include the domain.
Joe.bloggs is a valid entry.
Joe.email@example.com is an invalid entry.
“action” determines what we will do with the data. Valid action entries:
A – Add/Update a Google account link.
D – Delete a Google account link. This will only affect the user's link to Google through Frog and WILL NOT delete the Google account.
These are the only valid action options.
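The CSV rules above can be checked before the file is imported. The following is an added example, not part of Frog or its tooling; the left-to-right column order, the rejection of lowercase action values and the warning on repeated user_id rows are assumptions made for the example.

```python
import csv
import io

# Header names come from the page; their left-to-right order is an assumption.
EXPECTED_HEADER = ["user_id", "username", "action"]
VALID_ACTIONS = {"A", "D"}  # A = add/update link, D = delete link (lowercase rejected: assumption)


def validate_link_csv(text):
    """Return a list of (line_number, message) problems; an empty list means a clean file."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "file is empty")]
    if rows[0] != EXPECTED_HEADER:  # exact, case-sensitive, three columns only
        problems.append((1, "header must be exactly " + ",".join(EXPECTED_HEADER)))
    seen = set()
    for line_no, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # tolerate blank lines
        if len(row) != 3:
            problems.append((line_no, f"expected 3 columns, found {len(row)}"))
            continue
        user_id, username, action = row
        if not user_id.strip():
            problems.append((line_no, "user_id is empty"))
        if not username.strip() or "@" in username:
            problems.append((line_no, "username must be a bare Google username with no domain"))
        if action not in VALID_ACTIONS:
            problems.append((line_no, f"action must be A or D, got {action!r}"))
        # Not a rule from the page: two rows for one user make the outcome order-dependent.
        if user_id in seen:
            problems.append((line_no, f"user_id {user_id} appears more than once"))
        seen.add(user_id)
    return problems


# Constructed sample input, not data from a real Frog server.
SAMPLE = """user_id,username,action
1001,joe.bloggs,A
1002,jane.doe@school.example,A
1003,sam.smith,a
1001,old.account,D
1004,extra,A,oops
"""

if __name__ == "__main__":
    for line_no, message in validate_link_csv(SAMPLE):
        print(f"line {line_no}: {message}")
```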
Logging in with an existing Google account
At the current time, there is no provision within the Frog code for Google to be able to direct a user to a Frog authentication page if they attempt to log in directly through Google.
This means that when the user logs in directly to Google, Google will attempt to authenticate the user with Frog. If the user is logged into Frog in another window in the same browser session Google will be able to authenticate the user and sign them in. If the user is not logged into Frog in the same browsing session there will be no cached credentials for Google to use and so they will not be able to sign in.
Using the Google Drive Desktop app or Google Drive iPad app
Unfortunately, Google Drive Desktop and the Google Drive iPad app do not support the SAML SSO tool we utilise for our Google integration and therefore cannot be used as an integration piece.
Frog will follow the progress of the Drive application and bring it into our product line when support is enabled.
Wrong type of Google account is being used
To make use of GAfE SSO, you must have a Google Apps for Education account. If you have a demo account or a business account you will encounter issues. The Google Apps for Education account needs to be validated and fully set up before we begin integration. This is outlined in the set-up guide.
Incorrect details are entered into Frog
You must enter the full admin username INCLUDING domain under Tools > Config. This is outlined in the set-up guide.
Incorrect details are entered into Google
The single sign on URLs must use the external address of your Frog server. If you are setting this up internally and are using an internal DNS rule, Frog will automatically show the single sign on URLs using this rule. You will need to change this when the settings are copied to Google or the integration will not work. This is outlined in the set-up guide.
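The external-address requirement, described here and in the Single Sign On section, can be checked before the URLs are pasted into Google. This is an added example, not part of Frog or Google tooling; the dictionary keys, the hostnames and the URL paths are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit


def check_sso_urls(urls, external_host):
    """Check the three SSO URLs against the school's external Frog hostname.

    urls: dict with keys sign_in, sign_out, change_password (hypothetical names).
    Returns a list of problem strings; empty means every URL uses the external address.
    """
    problems = []
    for name in ("sign_in", "sign_out", "change_password"):
        host = urlsplit(urls.get(name, "")).hostname or ""
        if not host:
            problems.append(f"{name}: missing or not a URL")
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # a name, not an IP literal
        if ip is not None:
            kind = "private" if ip.is_private else "literal"
            problems.append(f"{name}: uses a {kind} IP address ({host})")
        elif "." not in host:
            # Names such as "frogserver" only resolve inside the school network.
            problems.append(f"{name}: single-label internal name ({host})")
        elif host != external_host.lower():
            problems.append(f"{name}: host {host} is not {external_host}")
    return problems


# Constructed sample values; real paths come from the Frog Toolkit.
SAMPLE_URLS = {
    "sign_in": "https://frog.school.example/sso/login",
    "sign_out": "http://10.0.0.5/sso/logout",
    "change_password": "http://frogserver/sso/password",
}

if __name__ == "__main__":
    for problem in check_sso_urls(SAMPLE_URLS, "frog.school.example"):
        print(problem)
```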
Proxy / ISA firewall settings
You may be prevented from opening a new Google document due to proxy restrictions. Ensure the Frog server can connect to docs.google.com through your school proxy. You will need to ensure that the proxy is using basic authentication pass-through.
Certain schools have found that their ISA or Microsoft TMG has been set to block high-bit characters and that clearing this setting allows users to access Google Apps correctly. Please note that any changes to your network settings should not be made without further research to ensure you are completely happy with the change being made. Frog Technical Support cannot be responsible for any adverse effects that are created as a result of any changes made to this setting. Some further information on this setting for TMG can be found here: http://technet.microsoft.com/en-us/library/cc995081.aspx
Frog server time
If the Frog server time is ahead of Google's time then Google receives the sign in request in the future and cannot sign the user in. It is also worth checking the machine time on the workstation you are using to ensure this is also correct and receiving time settings from a valid NTP server.
A .php file downloads when you try to open a Google doc
You will need to double-check all settings. Open Tools > Config and select Save to try and refresh the configuration. If this does not resolve the issue, please contact Frog support on 01422 3959389 as your config files may not be automatically refreshing themselves and we will be able to look into this further for you.
How to test sections of Google Apps Integration
To test OAuth: is it possible to create a document as a user? (go to a Web files component and select New > Google)
To test SSO: can you open a document and does Google log you in?
To test the Provisioning API: can you create a user? (the ability to create a document for the first time confirms you can create a new user)