Audience: (ClassLink Administrator)
Before you can export to a destination, you must authorize access to that destination. The steps you follow depend on the destination type and its authorization type. Authorization for Active Directory occurs at the beginning of the destination creation process, while authorization for GSuite and Azure occurs after the destination has been created.
Note: When adding GSuite and Microsoft Azure accounts as destinations, you must have pop-ups unblocked in order to allow a pop-up that will prompt you for account credentials and authorize a connection. GSuite and Azure destinations also require additional setup to register the OneSync API. See below for details.
- Active Directory (Authorization)
- GSuite (Obtaining a Client ID & Secret)
- Azure (Obtaining a Client ID & Secret)
Active Directory (Authorization)
When creating an Active Directory destination, you will be prompted for your authorization credentials at the beginning of the destination creation process. You will need your username, password, domain, base path, and port. OneSync currently only supports LDAP protocols. You can then press the "Test Connection" button to check your credentials. If you entered them correctly, this button will show "Connected".
Note: OneSync can connect to your Active Directory and the "Test Connection" button will show "Connected" if you use an IP address in place of your domain. However, not all destination functions will work with an IP address, mainly Groups. We thus advise that you enter your domain name and not an IP address.
GSuite (Obtaining a Client ID & Secret)
To export to a GSuite destination, you must first register the OneSync API to allow it access to your Google Account using an API Client ID & secret.
To register OneSync, navigate to https://console.developers.google.com/ and sign in. This will bring you to the Google APIs Dashboard, where you must first create a project. Click the dropdown shown below and then click "New Project".
You will create a new project called "ClassLink" that you will register the API to.
Next, navigate to the Credentials tab on your left, click "Create credentials", and choose "OAuth client ID" from the dropdown.
From the list of application types, choose "Web application" and click "Create". Name your client ID "OneSync". For authorized redirect URIs, add "http://localhost/oauth2" or your dedicated URL, if not using localhost, then click "Create". This will generate a Client ID (key) and Client Secret, which you will then enter into your GSuite destination's details.
Note: If you ever reset your Client Secret, this will generate a new Client ID and secret that you must re-enter into your destination's details.
Once that is completed, you will need to enable the "Admin SDK" for the project. Navigate back to the Google APIs Dashboard and click "Library", where you can search for "Admin SDK".
Azure (Obtaining a Client ID & Secret)
To export to an Azure destination, you must first register the OneSync API to allow it access to your Azure Active Directory Account using an API Client ID & secret.
To register OneSync, navigate to the Azure Portal and sign in. Then, in the navigation menu on the left, go to Azure Active Directory > App Registrations > Microsoft Application Console.
Click the "Add an App" button to register your application. Name your application "OneSync", check off Guided Setup, and click "Create". Next you will be redirected to an Authentication page. When prompted for what kind of app OneSync is, click "Web API" and "ASP.NET Web App".
Now navigate back to the Microsoft Application Console. Click the name of your newly registered application.
This will direct you to your application's registration page. The Application ID is your Client ID. Below the Application Secrets header, you can click the "Generate New Password" button to obtain a Secret. Keep these credentials, as they are needed to complete a OneSync destination's authorization.
Note: The Client ID will still be visible after registration, but your secret is only shown once. If you ever lose your secret, you will need to generate a new password.
Below the Application Secrets section is the Platforms section, where you will add the URLs that will call the OneSync API. Click "Add Platform" to choose the type of URL.
Click "Web" and enter your URL. Repeat this process for each URL that you'd like to add.
Past the Platforms section is the Microsoft Graph Permissions section, where you will grant the OneSync API permissions to ensure proper authorization. In the Delegated Permissions subsection, click "Add" to select these permissions. A list of permissions will appear. Check the following permissions: offline_access, openid, Directory.ReadWrite.All, and Directory.AccessAsUser.All.
Additionally, if needed, you can also find your Azure account's tenant ID at Azure Active Directory > Properties > Directory ID.
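The redirect URLs entered in the GSuite and Azure steps and the delegated permissions listed above can be reviewed before the destination is authorized. The following Python check is an added example, not ClassLink or OneSync code. The dictionary layout, function names and sample values are assumptions made for illustration, and the rule that plain http is acceptable only for localhost is common OAuth practice rather than something this page states.

```python
from urllib.parse import urlsplit

# Delegated permissions listed in the Azure section of this page.
REQUIRED_SCOPES = {"offline_access", "openid",
                   "Directory.ReadWrite.All", "Directory.AccessAsUser.All"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_uri(uri):
    """Return a list of problems with one registered redirect URL."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        problems.append(f"{uri}: plain http is only acceptable for localhost")
    elif parts.scheme not in ("http", "https"):
        problems.append(f"{uri}: unexpected scheme {parts.scheme!r}")
    if not parts.hostname or "*" in parts.netloc:
        problems.append(f"{uri}: host must be explicit, no wildcards")
    if parts.fragment:
        problems.append(f"{uri}: fragments are not allowed in redirect URIs")
    return problems


def audit_registration(reg):
    """Collect findings for a dict describing one app registration."""
    findings = []
    for uri in reg.get("redirect_uris", []):
        findings.extend(check_redirect_uri(uri))
    granted = set(reg.get("delegated_scopes", []))
    for scope in sorted(REQUIRED_SCOPES - granted):
        findings.append(f"missing delegated permission: {scope}")
    for scope in sorted(granted - REQUIRED_SCOPES):
        findings.append(f"extra delegated permission to review: {scope}")
    return findings


# Constructed sample registration (hypothetical values, not a real tenant).
SAMPLE = {
    "redirect_uris": ["http://localhost/oauth2", "http://sync.example.org/oauth2"],
    "delegated_scopes": ["openid", "offline_access",
                         "Directory.ReadWrite.All", "Mail.Read"],
}

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE):
        print(finding)
```

An empty result means every redirect URL passed and the delegated permissions match the four listed above exactly.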
Updated: Jan 2019