Self Hosted G Suite Customers

For customers that will be deployed to their own self-hosted server, Bulk Upload and Individual G Suite agent additions are currently supported.

A new Google App is required for customers that will be self-hosted.

Steps to create a new Google App under a customer’s G-Suite account

  1. From the APIs & Services section of a GCP account:
    1. Click on Create OAuth client ID.
    2. Select Web application as the application type.
    3. Under Authorised JavaScript origins, set the portal URL.
    4. Under Authorised redirect URIs, set the following URLs:
    5. Take note of the Client ID & Client Secret generated for the web app.
    6. Navigate to the Service Accounts section of the GCP console and click on Create Service Account.
      1. Assign the Project Owner Role to the Service Account.
      2. Take note of the Unique ID and download the JSON file for your service account.
    7. Navigate to the OAuth consent screen.
      1. Set application type to Public.
      2. Set the following Google API scopes:
        • https://www.googleapis.com/auth/userinfo.email (View your email address)
        • https://www.googleapis.com/auth/userinfo.profile (See your personal info, including any personal info you’ve made publicly available)
        • openid (Associate you with your personal info on Google)
        • https://www.googleapis.com/auth/gmail.metadata (View your email message metadata such as labels and headers, but not the email body)
      3. Underneath Authorised domains, set the top-level domain for your portal,
         e.g. for application URL portal.timetoreply.com, set the Authorised domain as timetoreply.com
      4. Configure the following links:
        • Application Homepage link: https://site-url.com
        • Application Privacy Policy link: https://site-url.com/privacy-policy
        • Application Terms of Service link (Optional): https://timetoreply.com/terms-and-conditions/
      5. Click on Submit for Verification.
    8. Navigate to the Domain Verification section of GCP.
      1. Enter the TLD for the portal domain.
      2. Add the appropriate TXT or CNAME record as instructed on screen to complete the domain verification.

NOTE: The OAuth consent screen goes through a verification process at Google. Once they have completed this process, Google will send an email to the support email address that you entered as part of the OAuth consent screen.

Please wait for verification confirmation before proceeding.

  2. On the TTR application server the following environment file variables will need to be set by a TTR developer or deployment engineer:
  • GOOGLE_APPLICATION_NAME='Google Application Name'
  • GOOGLE_CLIENT_ID='Google Application Client ID'
  • GOOGLE_CLIENT_SECRET='Google Application Secret'
  • GOOGLE_REDIRECT=https://portal-url/account/google/auth
  • GOOGLE_REDIRECT_FOR_INVITE=https://portal-url/gmail-auth
  • GOOGLE_REDIRECT_FOR_REAUTH=https://portal-url/gmail-re-auth
  • GOOGLE_SERVICE_ACCOUNT_ENABLED=true
  • GOOGLE_SERVICE_ACCOUNT_JSON_LOCATION="filename.json"
  • GOOGLE_SERVICE_ID='Google Service Account ID'

The JSON file created for the Service Account that authenticates to the Google Web application will need to be placed in the /storage folder underneath the TTR application on the server.
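One way to check these settings before the application is started, as an added example that is not timetoreply's own code. It assumes the environment file uses plain KEY=value lines and that GOOGLE_SERVICE_ACCOUNT_JSON_LOCATION is a file name relative to the storage folder; `parse_env` and `check_env` are hypothetical helper names.

```python
import json
import os
import stat
from urllib.parse import urlsplit

# Variable names and redirect paths are the ones listed on this page.
REDIRECT_PATHS = {
    "GOOGLE_REDIRECT": "/account/google/auth",
    "GOOGLE_REDIRECT_FOR_INVITE": "/gmail-auth",
    "GOOGLE_REDIRECT_FOR_REAUTH": "/gmail-re-auth",
}
REQUIRED = ["GOOGLE_APPLICATION_NAME", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
            "GOOGLE_SERVICE_ACCOUNT_ENABLED", "GOOGLE_SERVICE_ACCOUNT_JSON_LOCATION",
            "GOOGLE_SERVICE_ID", *REDIRECT_PATHS]
CURLY = "\u2018\u2019\u201c\u201d"  # typographic quotes picked up by copy and paste

def parse_env(text):
    """Parse KEY=value lines (assumed format), removing straight quotes only."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(env, storage_dir):
    """Return a list of problems; an empty list means the checks passed."""
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    problems += [f"{k} contains typographic quotes" for k, v in env.items()
                 if any(c in v for c in CURLY)]
    hosts = set()
    for key, path in REDIRECT_PATHS.items():
        url = urlsplit(env.get(key, ""))
        if url.scheme != "https" or url.path != path:
            problems.append(f"{key} should be https://<portal>{path}")
        hosts.add(url.netloc)
    if len(hosts) > 1:
        problems.append("redirect URIs point at different hosts")
    key_file = os.path.join(storage_dir, env.get("GOOGLE_SERVICE_ACCOUNT_JSON_LOCATION", ""))
    if not os.path.isfile(key_file):
        return problems + ["service account JSON not found in the storage folder"]
    if stat.S_IMODE(os.stat(key_file).st_mode) & 0o077:
        problems.append("service account JSON is accessible to group or others")
    try:
        with open(key_file) as fh:
            if json.load(fh).get("type") != "service_account":
                problems.append("JSON file is not a service account key")
    except (ValueError, AttributeError):
        problems.append("service account JSON does not parse")
    return problems
```

The file-mode check treats any group or world permission bit on the key file as a problem, which is a stricter stance than the page itself states.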

  3. Permissions will need to be granted for the timetoreply™ app under the customer's Google Admin Console.
    1. Complete the following steps in the customer’s G Suite account in order to allow the timetoreply™ app to poll the domain.

These steps will grant timetoreply™ permission to read Gmail metadata and to read a list of all the users on the customer's G Suite account.

    1. Visit https://admin.google.com to log in to your G Suite Admin Panel
    2. Click “Security”
    3. Click “Advanced settings”
    4. Click “Manage API client access”
    5. You should be presented with a screen that allows you to add a new API client, and shows your existing API Clients. 
    6. Should you ever wish to revoke access to your G Suite Account, you can simply remove our Client ID from this screen.
    7. For Client Name, enter the timetoreply™ app Client ID generated for the Web Application in GCP
    8. For “One or More API Scopes”, enter the following:

https://www.googleapis.com/auth/gmail.metadata, https://www.googleapis.com/auth/admin.directory.user.readonly

Once an agent has been invited, an email invitation will be sent to their G Suite account.

Clicking on the authorization link within the mail will grant timetoreply™ permissions to read the customer's email metadata, which we will use for the sole purpose of monitoring and reporting.

As the Google App has not been verified by Google, agents will see the following message when trying to complete the authorization process:

This app isn’t verified

This app hasn’t been verified by Google yet. Only proceed if you know and trust the developer.

The agent will need to click proceed to ignore the browser warning and complete the authorization.

By authorizing, agents grant the timetoreply™ application permissions to view their email message metadata such as labels and headers, but not the email body or attachments.

Tokens

After a customer has authenticated using a G Suite administrator account via the timetoreply™ Portal, a token is stored for that administrator account in the database.

The timetoreply™ system does not store username or password information for administrator accounts.

Each time the ‘G-Suite Agent Bulk Add’ section is accessed the token is invoked to poll the domain.

For agents added via the bulk add method, as well as those added individually, a token is created for their individual account.

Tokens created for agents added via the bulk add method become children of the parent token created by the administrator account used to authenticate for the G Suite domain.

Once the timetoreply™ solution is deployed (self-hosted), external access to the application database will be closed off by the customer.

Tokens generated by the timetoreply™ system will never leave the customer’s network and will be inaccessible externally.

Token access can be revoked from your G Suite Admin Dashboard or from the timetoreply™ dashboard by going to Settings -> Email Service Authentication -> View Microsoft Authentications -> Delete the relevant credential.