Configuring Google Workspace for domain user authorization

This topic describes an alternative method to configuring Google Workspace for One-Touch Join in environments where the recommended method of using a service account for authorization is not desirable. This alternative method uses a domain user for authorization (referred to as the "authorization user"), which authenticates to Google Workspace using 3-legged OAuth.

The process involves the following steps, described in more detail in the sections that follow:

  1. Setting up OAuth authentication for One-Touch Join.
  2. Creating a room resource for each physical room that will have a One-Touch Join endpoint in it.
  3. Configuring the room resource with the necessary permissions and settings to support One-Touch Join.
  4. Updating the quota for the number of user requests per 100 seconds.
  5. For larger deployments, Requesting an increase to API limits.
  6. Adding a One-Touch Join Google Workspace integration on Pexip Infinity.

If you have already set up a One-Touch Join Google Workspace integration and simply wish to add an existing room to it, you need only configure the room resource in Google Workspace and then add the endpoint to the Google Workspace integration in Pexip Infinity.

Prerequisites

You must have already created a user account specifically to be used as the Google Workspace authorization user. This user account does not need to have any special privileges; as part of the configuration described below you will grant this user access to all the One-Touch Join room resource calendars.

In this step you create a project to use for One-Touch Join. You then enable the Calendar API for this project, and create the OAuth credentials to be used when One-Touch Join accesses the API as the authorization user.
  1. Creating a new project:
    1. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).

    2. From the top left of the page, select the down arrow:

    3. Select New Project.
    4. Enter a Project name (e.g. One-Touch Join) and select Create.
  2. Enabling the Calendar API for the project:
    1. Go to https://console.developers.google.com

    2. From the top left of the page, select the down arrow, select your newly-created project, and select Open. Your new project should now be showing at the top left of the page:

    3. From the navigation menu on the left of the screen, select APIs & Services > Library, then scroll down and select the Google Calendar API tile:

    4. Select Enable:

  3. Creating an OAuth consent screen:

    1. From https://console.developers.google.com, from the left-hand panel select OAuth consent screen. Select a User Type of Internal and then select Create:

    2. From the OAuth consent screen page:

      • under Application name, enter a name for your OTJ application
      • under Authorized domains, enter the domain of the Management Node.

      Select Save:

  4. Creating the OAuth credentials:

    1. From https://console.developers.google.com, from the left-hand panel select Credentials and then select Create Credentials > OAuth client ID:

    2. From the Create OAuth client ID page:, select an Application type of Web application.

      • Enter a Name for the application

      • under Authorized redirect URIs, enter https://<Management Node FQDN>/admin/platform/mjxgoogledeployment/oauth_redirect/

        This must use the Management Node's FQDN; it cannot use its IP address. You must therefore ensure you have appropriate internal DNS records set up for the Management Node.

        The OAuth Redirect URI is the page on the Pexip Infinity Administrator interface the administrator is sent to, after they have successfully signed in to the Google Workspace integration. Because it is a page on the Management Node, this URI is internal to your deployment and only needs to be accessible from the administrator's web browser; you do not need to make it externally accessible.

      Select Create:

    3. The following OAuth client created screen will appear. Take note of the Your Client ID and Your Client secret; you will need these when Adding a One-Touch Join Google Workspace integration on Pexip Infinity on the Management Node:

(Required only if your room resources do not already exist - otherwise you can skip this step.)

In this step, you create a room resource in Google Workspace for each physical room that is to be used for One-Touch Join. Google Workspace will automatically assign an email address to the room.

  1. If a building for the room resource does not already exist, create one as follows:

    1. Go to https://admin.google.com (logged in as a Google Workspace administrator).

    2. Select the Buildings and resources tile, and then from the Resource management section select Open:

      From the drop-down along the top left of the screen, select Buildings:

    3. Select + to Add new building:

    4. Enter a Name and the list of Floors, and select Add Building.

  2. Create the room resource:

    1. Go back to the Resources page and Select + to Add new resource:

    2. For the Category, select Meeting space (room, phone booth,...).

    3. Select the Building and Floor in which the room is located, enter a Name and the room's Capacity, then select Add Resource:

The resource will be created and added to the list. You can click on the new resource to view information about it, such as the email address it was automatically assigned.

For more information on setting up buildings and other resources in Google Workspace, including how to add buildings and resource in bulk and using CSV imports, see https://support.google.com/a/answer/1033925.

In these steps, you allow the authorization user to access each calendar of each room resource that you want to use for One-Touch Join, and set the calendar to auto-accept invitations. We also recommend that you make the calendar available to all users in your domain in such a way that allows them to book meetings using the resource, without being able to view the details of any other meetings in the resource's calendar.

Sharing individual calendars with the authorization user

Note that the Google calendar API limits the number of calendars that can be shared within a 24 hour period to 750 (for more information, see this Google article). This means that if you have more than 750 room resources that you wish to use for OTJ, they will need to be set up over a period of days.

To share calendars with the authorization user:

  1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the calendars).
  2. From the left-hand panel, select the + next to Other calendars and then select Browse resources.

  3. Expand the sections if necessary, and tick the boxes of all the room resources whose calendars you want to share with the authorization user.

    This will add the room resources to the Settings for other calendars section in the left-hand panel.

  4. For each of the rooms:

    1. From the Settings for my calendars section, select the room resource and then select Share with specific people.
    2. Select Add people.

    3. In the Share with specific people dialog, enter the email address of the One-Touch Join authorization user. Ensure the Permissions are set to either:

      • Make changes to events (if you want users to be able to use OTJ to join all meetings, including private meetings, from this endpoint)
      • See all event details (if you don't want to offer OTJ for private meetings on this endpoint).

      4. If your deployment includes personal endpoints that are associated with a user's personal calendar, then either you or the end user will need to ensure that their calendar allows the One-Touch Join authorization user to Make changes to events if they wish to use OTJ to join their own private meetings from their endpoint.

For more information on sharing room and resource calendars in Google Workspace, see https://support.google.com/a/answer/1034381.

Auto-accepting invitations

By default, when creating room resources in Google Workspace, calendar processing is set to Auto-accept invitations that do not conflict. You must ensure you keep this setting for all room resources, so that the room will automatically accept meeting requests if it is available, and automatically decline an invitation if it is already booked.

To check this setting:

  1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the calendars).
  2. From the left-hand panel, select the room resource and select Settings and sharing.

  3. In the Auto-accept invitations section, ensure that Auto-accept invitations that do not conflict is selected:

Allowing users to book resources

We recommend that you configure your Google Workspace calendar settings to allow end users to book a room resource without seeing details of the room's other bookings. To do this, you configure the room resource's calendar so that all users in your domain have permission to see its free/busy status, without being able to see the invitation details. You then on a global basis permit users to book resources to which they have free/busy access.

To do this:

  1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the calendars).
  2. From the left-hand panel, select the room resource and select Settings and sharing.

  3. In the Access permissions section, select Make available for <your domain>, and ensure that See only free/busy (hide details) is selected:

  4. Go to admin.google.com (logged in as a Google Workspace administrator).
  5. From the left-hand menu, select Apps > Google Workspace > Calendar.
  6. Scroll down to General settings and select Resource booking permissions.

  7. Ensure that Allow users to book resources that are shared as See only free/busy is set to ON:

In this step you increase the limit on the number of queries per 100 seconds per user to the Google Calendar API.

The default number of queries per 100 seconds per user is 500. In this context, the "user" is the authorization user. In deployments with fewer than around 180 rooms, each room resource calendar is queried every 30 seconds by two conferencing nodes (both using the same authorization user account), resulting in 5,760 queries per room per day. (In larger deployments, room resource calendars are queried less frequently.)

We recommend that you increase the number of queries per 100 seconds per user to 10,000 to provide sufficient processing overhead and room for expansion (there is currently no additional cost to this increase).

To increase this quota to 10,000:

  1. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).

  2. From the top left of the page, select the project you created for One-Touch Join:

  3. From the navigation menu at the top left of the page, select IAM & admin > Quotas.

  4. From the Quotas page, select Edit Quotas and then select Google Calendar API - Queries per 100 seconds per user.

    You will be taken to the Google Calendar API > Quotas page.

  5. Change Queries per 100 seconds per user to 10,000:

    You may also need to request an increase to the number of Queries per day for larger deployments - for more information, see Requesting an increase to API limits.

This optional step applies to larger deployments only (more than around 170 room resources), and should be performed if you wish to reduce the amount of time taken for endpoints to be updated with additions or changes to their corresponding room resource calendar.

The maximum frequency with which an endpoint will be updated with meeting information is every 30 seconds. For deployments with more than around 170 endpoints, this frequency will decrease in line with the number of endpoints (up to around 20 minutes for deployments with around 6,000 endpoints). This is due to a limit on the number of Calendar API requests permitted by Google in a 24-hour period — for more information, see https://developers.google.com/calendar/pricing.

To reduce the time taken to update endpoints in these larger deployments, you can request an increase to the number of Calendar API requests One-Touch Join can make.

When your request has been implemented by Google, you must then increase the Maximum Google Workspace API requests on Pexip Infinity in order to take advantage of the increase.

To request an increase to the API limits:

  1. If you do not already have one, create a Cloud Billing Account (note that this is different from a Google Workspace billing account).

    Full instructions are available via https://cloud.google.com/billing/docs/how-to/manage-billing-account#create_a_new_billing_account.

  2. Link the Cloud Billing Account to the project you created when Creating a service account:

    1. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).
    2. Ensure that the project shown in the top left corner is the one you created for One-Touch Join when Creating a service account.

    3. Select the burger menu from the top left of the page and select Billing. When the following message appears, select Link a billing account:

    4. Select the account to link to:

  3. Request an increase to your quota:

    1. From the navigation menu at the top left of the page, select IAM & admin > Quotas.

    2. From the Quotas page, select Edit Quotas and then select Google Calendar API.

      In the panel that appears on the right, enter the New quota limit that you wish to request, and in the Request description field, enter the reason for requesting the increase:

    3. Select Submit request.

Quota increase requests typically take two business days to process.

In this step you configure Pexip Infinity with details of the Google Workspace deployment configured above. You must then log in to Google Workspace as the authorization user and grant the One-Touch Join app access to the room resource calendars.

Configuring the Google Workspace integration

From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Google Workspace integrations.

Option Description
Name The name of this One-Touch JoinGoogle Workspace integration.
Description An optional description of this One-Touch JoinGoogle Workspace integration.
Account email

If you are authorizing using a service account, enter the email address of the service account that One-Touch Join will use to log in to Google Workspace.

If you are authorizing using a Google Workspace domain user, enter the email address of the user.
Enable user authorization

If you are authorizing using a service account — the recommended method — this should be left blank.

Select this option only if you will be authorizing using a Google Workspace domain user.
Client ID

(Available when user consent authorization has been enabled)

The client ID of the application you created in the Google API Console, for use by OTJ.
Client secret

(Available when user consent authorization has been enabled)

The client secret of the application you created in the Google API Console, for use by OTJ.
Redirect URI

(Available when user consent authorization has been enabled)

The redirect URI you configured in the Google API Console. It must be in the format:
https://<Management Node FQDN>/admin/platform/mjxgoogledeployment/oauth_redirect/

This must use the Management Node's FQDN; it cannot use its IP address. You must therefore ensure you have appropriate internal DNS records set up for the Management Node.
Advanced options
Maximum Google Workspace API requests

The maximum number of API requests that can be made by One-Touch Join to your Google Workspace Domain in a 24-hour period.

We recommend you set this value to 90% of your total permitted requests. Google's default is 1,000,000 so by default this is set to 900,000 on Pexip Infinity. If you increase the number of API requests, you should also increase this setting to 90% of that number.

For more information, see Frequency of and limitations on calendar requests.
Google OAuth 2.0 endpoint The URI of the Google OAuth 2.0 endpoint.
Google authorization server The URI of the Google authorization server.

When you have completed the above fields, select Save. You will be returned to the main OTJ Google Workspace Integration page. You must now authorize calendar API access to the Google Workspace Integration using the account details you have just created, using the following steps.

Authorizing calendar access

If you have enabled OAuth for the first time, after saving the configuration of the One-Touch Join Google Workspace integration you must sign in to Google Workspace as the authorization user.

You may also need to re-sign in to the authorization user account if:

  • you disable and then subsequently re-enable OAuth
  • you update any of the following configuration for the One-Touch Join Google Workspace integration:
    • Account email
    • Client ID
    • Client secret
    • Google OAuth 2.0 endpoint
    • Google authorization server
  • the refresh token has expired (for more information about when this might happen, see https://developers.google.com/identity/protocols/oauth2#expiration).

To sign in to Google Workspace as the authorization user:

  1. Ensure you have signed out of all Google accounts on your device.

  2. From the Management Node, go to One-touch join > OTJ Google Workspace Integrations and select the Google Workspace integration you have just created. At the bottom of the Change OTJ Google Workspace integration page, select Authorize calendar API access:

  3. You will be taken to the Authorize Calendar API access page. Select Authorize:

  4. Enter the email address of the authorization user (which you previously entered as the Account email) and sign in.

  5. At the consent screen, Allow the Pexip OTJ app to View your calendars:

  6. You may be asked to sign in to the Management Node again. If so, you must sign in to the Management Node (using your Management Node credentials) to complete the process of signing in as the authorization user.

When complete, you are returned to the Authorize Calendar API access page and see the message Successfully authorized.

Next steps

You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity for One-Touch Join.