Option 1: Google User Provisioning
Overview
Google User Provisioning allows Discovery Education to pull user data from Google OUs/Groups to create and maintain user accounts within Discovery Education. In order to pull user data from Google, Discovery Education must be given permission to access the API endpoints for your Google OUs/Groups. A Google Super Admin with access to all domains needed for provisioning both staff and student accounts is required. Please also review the OU/Group structure required for a successful mapping.
Requirements
- Google OUs or Groups must be organized by School and by Role (teacher and student).
- Discovery Education must be given permission to access the API endpoints for your Google OUs/Groups.
- A Google Super Admin with access to all domains needed for provisioning both staff and student accounts is required.
Confirm Google OU/Group structure is compatible
In order for Google User Provisioning to work, Google OUs or Groups must be organized by School and by Role (staff and student) to be mapped to the corresponding Schools and Roles within Discovery Education. We recommend having an Organization-oriented OU structure as defined by Google, although many OU structures may work.
Example of Google’s Organization-oriented OU structure:
Example that will not work because OUs are not split out by School:
Example that will not work because OUs are not split out by Role:
Example that will work because OUs are divided by School and Role, as well as by grade for students:
Example that will work because OUs are divided by School and Role:
Set Up a New Project
A project is needed to create a service account. The service account will be used to authorize Discovery Education to access Google APIs on your behalf to retrieve user data for import into Discovery Education.
Create a Project
- Go to https://console.developers.google.com/iam-admin/projects
- Select Create Project.
- Enter Project name: DiscoveryEducation
- Select Create.
Enable Google Admin SDK
Google Admin SDK allows Discovery Education access to the API URLs for user data.
Turn on the Admin SDK setting
- In the APIs search box, type Admin SDK then click on Admin SDK.
- Select Enable, if it is not already enabled.
- Please note: Creating Credentials is not needed for this API.
Set Up a New Service Account
A service account is needed to authorize Discovery Education to access Google APIs on your behalf to retrieve user data for import into Discovery Education.
To create a new account:
1. Go to https://console.developers.google.com/projectselector/iam-admin/serviceaccounts
2. Click Select Project.
3. Select the Discovery Education project from the menu.
4. Click Create Service Account.
5. Enter Discovery Education in the Service account name field.
6. Click Create and Continue.
7. Click Select a Role from the dropdown menu. Select Basic. Select Viewer.
8. Click Continue.
9. Click Done.
10. Mark the check box to the left of the service account name.
11. Under Actions, click the three dots and choose Manage keys.
12. Click Add Key.
13. Click Create New Key.
14. Choose key type JSON and click Create.
A .json file should have been created and downloaded to your machine. The file name should start with the project name Discovery Education. Please remember where it is saved; it will be needed in the next step.
Authorize the Service Account
After a Service Account has been set up, it needs to be authorized to access user data.
Send us your Service Account
- Log in with your Discovery Education Account Admin username.
- Navigate to the Google User Provisioning setup page at admin.discoveryeducation.com/integrations/google/#/setup/upload-service-account
- Enter a Google Administrator email address.
- Upload the .json file that was downloaded to your computer when creating the Service Account.
- Click Send.
- Click Continue.
- Within the Google Admin console, go to Security.
- Click API Controls.
- Under Domain wide delegation, click Manage Domain Wide Delegation.
- Click Add new. A pop-up box will appear with the title Add a new client ID.
- From the Discovery Education page, copy the Client Name. In the “Add a new client ID” box in the Google Admin console, paste the Client Name into the Client ID field.
- From the Discovery Education page, copy the entire block of API scopes. In the “Add a new client ID” box in the Google Admin console, paste the API scopes into the OAuth scopes (comma-delimited) field.
- Click Authorize.
- From the Discovery Education page, click Continue.
- Click Check Connection.
- Once the connection is confirmed to be working, click Map Your Users.
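A pre-authorization check for the steps above, as an added example that is not Discovery Education's or Google's code: it confirms the downloaded file is a service-account key, returns the client_id to compare with the entry under Manage Domain Wide Delegation, and flags any pasted scope that is not a read-only Admin SDK Directory scope. The sample key and scope list are constructed, and treating the Client Name as the key's client_id is an assumption.

```python
import json

# Fields Google includes in a downloaded service-account JSON key.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")


def inspect_key(key_json: str) -> dict:
    """Confirm the file is a service-account key; return only non-secret identifiers."""
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected credential type: {key['type']}")
    # private_key is deliberately left out of the result so it never reaches a log.
    return {k: key[k] for k in ("project_id", "client_email", "client_id")}


def review_scopes(scope_block: str) -> dict:
    """Split the comma-delimited scope block; flag entries that need manual review."""
    scopes = [s.strip() for s in scope_block.replace("\n", ",").split(",") if s.strip()]
    prefix = "https://www.googleapis.com/auth/admin.directory."
    read_only = [s for s in scopes if s.startswith(prefix) and s.endswith(".readonly")]
    # Anything else (write-capable or outside the Directory API) is flagged, not rejected.
    flagged = [s for s in scopes if s not in read_only]
    return {"read_only": read_only, "flagged": flagged}


# Constructed sample inputs: not real credentials, not the vendor's actual scope list.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "discoveryeducation-000000",
    "private_key_id": "0" * 40,
    "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "discovery-education@discoveryeducation-000000.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
})
SAMPLE_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly,\n"
    "https://www.googleapis.com/auth/admin.directory.group"
)

if __name__ == "__main__":
    print(inspect_key(SAMPLE_KEY))
    print(review_scopes(SAMPLE_SCOPES))
```

A flagged scope is a prompt to ask why write or non-directory access is requested before clicking Authorize; it is not by itself evidence of a problem.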
Mapping Google OUs or Groups
Mapping the Google OUs or Groups to Discovery Education tells us to which school(s) the teacher and student accounts should belong.
Please review the Mapping Nuances at the bottom of the Mapping Wizard to understand the capabilities and limitations of this process.
When mapping OUs, any users who are below that level of the hierarchy will be included.
- Multiple OUs can be mapped to each field.
- For schools, both staff OUs and student OUs should be mapped.
- For staff, the OUs should be mapped to both the Schools and Teachers fields.
- For students, the OUs should be mapped to the Schools, Students, and Grades fields.
- If students are not split out by Grade OUs, then choose one grade level to map the OU.
- Hold Ctrl while choosing the Groups/OUs to select multiple at a time.
- Typing in keywords will filter the OU list. E.g., “Grade 5” will filter OUs containing that string.
Once all fields are mapped, click Test Mapping to generate a preview of the data that will be pulled. If all Schools and Users are represented in the preview, click Save Mapping. Navigating away from the page before clicking Save Mapping will discard any changes.
Example OU Structure Mapping
Below is an example OU structure and how it would be mapped. OU structures will vary and may not be structured in a way that allows proper mapping. Both teachers and students must be within OUs that are divided by Site (School).
Option 2: CSV Imports
If your Google OU/Group structure does not comply with the mapping requirements, then the .csv import system must be utilized for user management data. Information regarding the .csv templates, data requirements, and SFTP automation can be found in the Imports for Single Sign-On guide. For questions, please contact the Customer and Technical Support team at 1-800-323-9084 or email technical_integrations@discoveryed.com.
Once your mapping is saved, please alert your Discovery Education technical integrations specialist by replying to technical_integrations@discoveryed.com to confirm your launch date.