Integrating with Google Workspace for Education Fundamentals

The Process in a Nutshell

Here's a summary of what you'll need to do to get your instance of Populi integrated with your Google Workspace for Education Fundamentals (or whatever it's called this week) account using Single Sign-On.

1. Create a Google Super Administrator Account for Populi (e.g. populi@schooldomain.edu).
2. Set up an SPF record to allow Populi to send email on behalf of your .edu domain.
3. Confirm that all Google Apps users have matching Populi user accounts. For example, Populi user jimbob04 must also be Google Apps user jimbob04@school.edu. If usernames do not match up exactly, those users won't be able to log in after the integration!
4. If you'd like to import calendars from Populi Calendar to Google Calendar, tell us which Calendars. We can import the Populi "School Calendar," but not individual Populi User Calendars. If you've already been using Google Calendar, importing Populi Calendars might duplicate events.
5. Notify your users of the upcoming changes:
   • They will now log in to Google with their Populi password.
   • They will need to update passwords and possibly other settings in desktop clients like Outlook and Thunderbird.
   • Their Populi Calendars—both personal and college—will disappear; they will receive automatic read-only subscriptions to your school's Google Shared Calendar.
   • Set up a time with us to flip the switch (we really don't recommend the middle of a workday for this!). Depending on your email migration plan, you may need to point your MX records at Google right before we make the change.

Give Populi an Administrator Account

Once you've activated your free GWEF account, log in to the Apps control panel and create a Super Administrator account for Populi (e.g. populi@schooldomain.edu); send the welcome email to support@populiweb.com. Populi uses this account to automate user-creation (that is, add email and calendar accounts in Google Apps)—so make sure it has Super Administrator-level access!

Check your SPF DNS Record

Next, to ensure proper email delivery, have your IT staff ensure that your domain has an SPF DNS Record that looks something like this:

v=spf1 a mx include:email.populi.co include:_spf.google.com ~all

Refer to this article for the details.

Notify Populi Support

Once you've completed the previous steps, let us know the Populi-specific username and password by contacting Populi Support. Please allow a few days for Populi Support to accomplish the steps below. In addition to the below steps, Populi Support also does an analysis of your GWEF setup and makes sure that the integration will be successful. Google regularly changes the way their consoles are designed which often result in having to do more research to make sure the setup is successful. Below are our internal instructions to ourselves, presented to you so you know which settings we'll be changing and why:

In https://admin.google.com...

1. Search for Set up single sign-on (SSO) with a third party IdP and click on the top result.
2. Click Set up single sign-on (SSO).
3. We'll upload a verification certificate to ensure secure communication between Google and Populi. We'll also change the following settings:
   • Sign-in page URL: https://yourcollegedomain.populiweb.com/router/saml/idp/receive
   • Sign-out page URL: https://yourcollege.populiweb.com/internal/
   • Change password URL: https://yourcollege.populiweb.com/internal/people/change_my_password.php
   • Check Use a domain specific issuer
Enable API Access. This allows Populi to automatically create and suspend Google Apps user accounts. (Note: this step may be deprecated due to recent design changes and the new App Access Control settings.)

Then, in https://console.developers.google.com...

1. We'll create a new Project called Populi API. (Note: You may need to enable the developer console in the admin console. Search for Google Developers Console or Google Cloud Platform))
2. We'll then enable the following settings:
   • Google Calendar API
   • Admin SDK
   • Gmail API
   • All Quotas: we'll set the per-user limit to the maximum value to accommodate the Calendar API
   • Service Accounts: We'll create a new account named Populi Service Account, set the Role to Project Owner, and check the boxes for Furnish a new private key and Enable Google Apps Domain-wide Delegation.
3. The Service Account JSON key should automatically download (this might only work in Google Chrome).

Then, over in Populi...

1. In Account > Account Settings > Integrations > Google Apps JSON Private Key, paste that JSON key you just downloaded.
2. In Populi > Account > Account Settings > Single Sign-On (IdP), set Should other applications be allowed to authenticate against Populi? to Always let other applications authenticate.

Then back over in https://admin.google.com...

1. Go to Security > API Controls > App access control > Manage Domain Wide Delegation.
2. Set the Client Name to the client_id as specified in the JSON private key you just downloaded.
3. Set the Scopes to:

                   
                   https://www.googleapis.com/auth/calendar,
                   https://www.googleapis.com/auth/admin.directory.user,
                   https://apps-apis.google.com/a/feeds/emailsettings/2.0/,
                   https://www.googleapis.com/auth/gmail.labels,
                   https://www.googleapis.com/auth/gmail.settings.basic
   
               

Activate the Integration

Once these settings are complete, we will confirm a time with you to activate the integration.

1. You'll go to admin.google.com > Security > SSO With Third-party IDPs.
2. Check next to Set up SSO with third-party identity provider.
3. Click Save. This turns on the SSO integration on the Google side.
4. We will simultaneously activate a similar setting internally at the Populi side.

Once the integration is activated, any previous Google Apps passwords will no longer work—it will instead require a valid Populi username and password. Depending on your preference, we may change some Populi usernames to be the same as Google Apps usernames (or the other way around), but that should be fairly rare.

Let your users know about this several days before the integration is activated. Explain to them how their login process to Google Apps will change.

What happens in Populi now?

Read more about this in Questions about Google Apps.

Users

You can add and suspend user accounts.

When creating a new user, you'll now have the option to create a Google Apps account with the same username. Your users can now log in to Google Apps with their Populi credentials; those same credentials can even connect a desktop email client like Thunderbird or Outlook to GMail.

Email and Calendar Apps

New users will be automatically subscribed to your School Calendar. Users will see events from their personal calendars and the School Calendar on their Home Dashboard.

Once logged into Populi, when you (or any of the users at your institution) click Email or Calendar, it will open the Gmail or Google Calendar accounts you have through your institution.

Composing Email in Populi

There are some limitations with how the Email integration works. To take advantage of some of the advanced Email features in Populi, Populi still uses the native Compose Email view. It opens when you click Email links within Populi (like "Email This Section", "Email Staff", etc.). Messages sent from Populi will show up in a new Sent From Populi folder in Gmail; nor will messages sent from Gmail appear anywhere in Populi.

Use GMail for personal or unofficial correspondence.

Use Populi for official, school-related correspondence, or anything that requires a public record, such as:

• Anything you want to appear on a person's Activity Feed
• Mailing Lists or One-Time Lists
• Emailing students in a course, or groups of people found in Data Slicer Reports, or any other group-emailing you need to do