Requirements

  • An account in GCP
  • API_URL is the public DNS name of the hoop gateway instance
Contact the administrator of the hoop gateway instance to retrieve the API_URL address.

Identity Provider Configuration

1

Create an Application

Login with your account at https://console.cloud.google.com/apis/credentials
  • Go to Credentials > Create Credentials button > OAuth Client ID
  • In Application type, select Web Application
  • Give it a name (i.e. “Hoop”)
2

Configure the Redirect URIs

  • Click Authorized redirect URIs and add the URL: {API_URL}/api/callback
  • Click Create button
  • Take note on the ClientID and Client Secret
3

Collect the Credentials

When you created the app, you got those. But they are also available in the JSON file that was downloaded by the creation time. The download is also available at:
  • Credentials > OAuth 2.0 Client IDs > Actions > Download
4

Collect Issuer Information

The Issuer URI is https://accounts.google.com

Configuring Groups

Groups are synchronized by performing a request to the Cloud Identity API as a best effort operation.
This feature is available in version 1.35.2 and later.
1

Add the Scope

Configure the gateway with the env IDP_CUSTOM_SCOPES
  • https://www.googleapis.com/auth/cloud-identity.groups.readonly
Users will need to provide consent for the following access permissions when first logging in to enable proper group synchronization.
Restart the gateway after applying these changes.
2

Enable the Cloud Identity API in your project

When configuring group synchronization, admin access may be revoked upon your next sign-in. To maintain administrative privileges, set the ADMIN_USERNAME configuration parameter to a Google Workspace group that you want to map as admin on Hoop.