Reporting of 3rd Party Authentications in Google Apps for Education

 

Unlike federation technologies such as SAML, CAS or Shibboleth, which are centrally controlled and must be established by the identity provider, social sign-ons such as OpenID Connect in Google Apps for Education are initiated by the end user. This means that while an institution has a high degree of awareness of and control over 3rd party systems that authenticate via SAML, it has much less control over or visibility into social sign-ons such as “Login with Google” at Google Apps for Education (G Suite) institutions.

There are several commercially available tools that will report on this data. It can also be done via the free command line tool GAM with the domain report, which includes much more than just 3rd party authentications.

For anyone looking for a simple way of auditing 3rd party authentications, this Google Apps script, which needs to be run by an account with Google administrator privileges, produces a report of all of the 3rd party tools (websites, apps, extensions) that the users in the domain have granted authentication to (e.g. via a “Login with Google” button). For each tool, the report lists the total number of users in the domain that have authenticated to it, the tool name and the tool ID.

To run the report:

  • Log in to an account with Google Admin rights and create a new folder.
  • Get the Folder ID (the long GUID in the URL).
  • From Google Drive, create a new Google Apps script and paste in the code below, replacing REPLACE FOLDER ID HERE with the folder ID.
  • From the Resources > Advanced services menu, enable the Admin Reports API.
  • From the Resources > Developer Console menu, enable the Admin SDK API.
  • Run the script (or use the “current project’s trigger” menu to run the script on a set schedule).

function createAppReport() {
  var today = new Date();
  // Report on the usage data from one week ago.
  var oneWeekAgo = new Date(today.getTime() - 7 * 24 * 60 * 60 * 1000);
  var timezone = Session.getScriptTimeZone();
  var date = Utilities.formatDate(oneWeekAgo, timezone, 'yyyy-MM-dd');
  var rows = [];
  var parameters = [
    'accounts:authorized_apps'
  ];

  // Create a new spreadsheet, or reuse an existing one with the same name.
  // The name uses the formatted report date so a re-run for the same date finds the existing file.
  var my_ss = "3rd Party Apps_" + date;
  var files = DriveApp.getFilesByName(my_ss);
  var file = !files.hasNext() ? SpreadsheetApp.create(my_ss) : files.next();
  var ss = SpreadsheetApp.openById(file.getId());
  var sheet = ss.getActiveSheet();
  sheet.clear();

  var response = AdminReports.CustomerUsageReports.get(date, {
    parameters: parameters.join(',')
  });

  // The authorized apps arrive as a list of messages on the first report parameter.
  // Guard against a report that has no data for the requested date.
  var reports = response.usageReports || [];
  var activities = [];
  if (reports.length > 0 && reports[0].parameters && reports[0].parameters.length > 0) {
    activities = reports[0].parameters[0].msgValue || [];
  }

  for (var i = 0; i < activities.length; i++) {
    var activity = activities[i];
    var row = [
      activity.num_users,
      activity.client_name,
      activity.client_id,
      oneWeekAgo
    ];
    rows.push(row);
  }

  // Append the headers.
  var headers = ['num_users', 'client_name', 'Login client_id', 'Date'];
  sheet.appendRow(headers);
  sheet.getRange(1, 1, 1, headers.length).setFontWeight("bold");

  // Append the results (getRange fails on a zero-row range, so skip it when there is no data).
  if (rows.length > 0) {
    sheet.getRange(2, 1, rows.length, headers.length).setValues(rows);
  }

  // Sort the sheet by the first column, descending.
  sheet.sort(1, false);

  // Move the file into the Reports folder.
  var fileID = ss.getId();
  fileMove(fileID);
}


function fileMove(fileID) {
  var file = DriveApp.getFileById(fileID);
  var folder = DriveApp.getFolderById('REPLACE FOLDER ID HERE');

  // Remove the file from all parent folders.
  var parents = file.getParents();
  while (parents.hasNext()) {
    var parent = parents.next();
    parent.removeFile(file);
  }
  // Add the file to the Reports folder.
  folder.addFile(file);
}
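
A single report only shows the state of the domain on one date. The following is an added example, not part of the original script: it compares two weekly snapshots of the report entries and lists the apps that are not yet reviewed and are either new or growing quickly. The function names, the `minGrowth` threshold, the reviewed-ID list and the sample client IDs are assumptions made for illustration; only the `num_users`, `client_name` and `client_id` fields come from the script above.

```javascript
// Added example: compare two weekly authorized_apps snapshots.
// Entry fields (num_users, client_name, client_id) are the ones the report script reads.

// Index a snapshot by client_id; num_users may arrive as a string, so coerce it.
function indexByClientId(entries) {
  const byId = new Map();
  for (const e of entries || []) {
    const users = Number(e.num_users) || 0;
    const prev = byId.get(e.client_id);
    // Keep the highest count if a client_id appears more than once.
    if (!prev || users > prev.num_users) {
      byId.set(e.client_id, { client_id: e.client_id, client_name: e.client_name, num_users: users });
    }
  }
  return byId;
}

// Returns apps needing review: not in the reviewed set and either new this week
// or grown by at least minGrowth users since the previous snapshot.
function findAppsToReview(previous, current, reviewedIds, minGrowth) {
  const before = indexByClientId(previous);
  const reviewed = new Set(reviewedIds);
  const findings = [];
  for (const app of indexByClientId(current).values()) {
    if (reviewed.has(app.client_id)) continue;
    const old = before.get(app.client_id);
    const growth = app.num_users - (old ? old.num_users : 0);
    if (!old) findings.push({ ...app, reason: 'new', growth });
    else if (growth >= minGrowth) findings.push({ ...app, reason: 'growth', growth });
  }
  // Largest user count first, so the widest exposure is reviewed first.
  return findings.sort((a, b) => b.num_users - a.num_users);
}

// Constructed sample data (hypothetical client IDs, not real apps).
const lastWeek = [
  { num_users: '120', client_name: 'Example Quiz Tool', client_id: 'quiz.example' },
  { num_users: '15', client_name: 'Example Notes', client_id: 'notes.example' },
];
const thisWeek = [
  { num_users: '125', client_name: 'Example Quiz Tool', client_id: 'quiz.example' },
  { num_users: '60', client_name: 'Example Notes', client_id: 'notes.example' },
  { num_users: '8', client_name: 'Example Extension', client_id: 'ext.example' },
];
const reviewedClientIds = ['quiz.example'];

console.log(findAppsToReview(lastWeek, thisWeek, reviewedClientIds, 10));
```

In Apps Script the two snapshots would be read back from the spreadsheets the report script writes, with `Logger.log` in place of `console.log`.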
 
