Configure OpenID Connect Google login

Use this article when you need to configure Google login as an authentication method (using OpenID Connect).

Step-by-step guide

  1. Log in to https://console.developers.google.com/ with a Google account.

  2. Create a new project.
  3. Once created, select your project and choose "Credentials."



  4. Click the button "Create credentials" and choose "OAuth client ID"


  5. Choose web application.
  6. In the "OAuth consent screen," fill in at least the Application name field and also
    add your domain (e.g. smartplan.com) to "Authorized Domains." Press Enter and then press Save.





  7. Select "web application" and give it a name. Click "Create."


  8. You will see your client ID and your client secret in a screen like this:



  9. The next step is to create and configure the OpenID Connect authentication method using the SSO management API. You can find example REST calls in the attached Postman collection: Register OpenID Connect Google method.postman_collection.json. Also review the product documentation for "OpenID Connect authentication method" for the IDS version you are using.

  10. Copy the redirect URI from the registration request and paste it into the list of authorized redirect URIs in the Google API console (first, go to "Credentials" and select the web client):



  11. Next, you must configure an application to use the newly created method.
  12. In this how-to article, we will connect to the Sample SAML application.
  13. New authentication methods must be expressly enabled before use on a site-by-site basis. You must enable the authentication method on the site where it will be used. Choose the site where the target application is configured from the Site Navigator and open the Site Methods tab. Choose Add Method... and select the Google method you created with the SSO management API.

  14. Then, in the "Applications" tab, add the application (sample, in this case).


  15. For access control, we will create a dynamic group called "googleuser" where membership is based on the authentication method used to log in. In the site view, choose Groups, New Group..., enter the name "googleuser", and select the Google authentication method from the Allowed Methods tab.

  16. Now it's time to configure your application. In the Site Navigator, select the site where your application is located (e.g. Applications site), go to the "Application" tab and click on your application (e.g. sample).


  17. In the "Allowed methods" tab, enable the Google authentication method and press "Update."


  18. In the "Allowed To" tab, add the group of users that are allowed to access the application (e.g. googleuser).


  19. The configuration is now done, and a Google user should be able to log in to the sample application (or any application you wish to).

  20. Open the application in a new browser tab. Depending on how you installed your sample application, the URL should be similar to: http://localhost:8090/sample/


  21. When you press login, the Ubisecure login page is shown:

    Observe that there is an additional button under "Sign in With." If you hover over it, you will see that it corresponds to Google authentication.

  22. Click on the button and you will be redirected to the Google login page:


  23. Log in with your Google credentials and you will see a screen like this:
  24. Use an authorization policy to map the attribute names sent by Google to the attribute names expected by your application. Filter out any unused attributes.
  25. (Optional) Directory user mapping can be used to look up an existing database user with matching attributes (see Directory User Mapping).
  26. (Optional) User Driven Federation can be used to allow a user to link their Google account to an existing database user when there are no matching attributes (see User Driven Federation).
  27. To customize the logo used, see method-image.index settings.
  28. To customize the text shown when hovering on the button, edit the "Title" field in the authentication method: 
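
Steps 24 and 25 as an added sketch in Python (an illustration, not Ubisecure configuration or product code): it renames an allow-list of Google claims, drops everything else, and withholds the e-mail address unless Google marks it verified, so that attribute-based user matching never relies on an unverified address. The target attribute names and the sample claims are assumptions constructed for this example.

```python
# Added illustration. Left: claim names Google sends in an OpenID Connect
# ID token. Right: hypothetical attribute names expected by the application.
ATTRIBUTE_MAP = {
    "sub": "googleSubject",
    "email": "mail",
    "given_name": "firstName",
    "family_name": "lastName",
}


def _is_true(value):
    # A boolean claim may arrive as JSON true or as the string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def map_claims(claims):
    """Rename allow-listed claims and filter out everything else."""
    if not claims.get("sub"):
        raise ValueError("claims carry no 'sub'; cannot identify the user")
    mapped = {}
    for source, target in ATTRIBUTE_MAP.items():
        value = claims.get(source)
        if value in (None, ""):
            continue
        if source == "email" and not _is_true(claims.get("email_verified")):
            # Do not pass on an address Google has not verified; matching an
            # existing user on it could link the wrong account.
            continue
        mapped[target] = value
    return mapped


# Constructed sample claims (not real accounts).
VERIFIED = {
    "sub": "110000000000000000001", "email": "alice@example.com",
    "email_verified": True, "given_name": "Alice", "family_name": "Example",
    "picture": "https://example.com/a.png", "locale": "en",
}
UNVERIFIED = {
    "sub": "110000000000000000002", "email": "bob@example.com",
    "email_verified": "false", "given_name": "Bob",
}

if __name__ == "__main__":
    print(map_claims(VERIFIED))    # picture and locale are filtered out
    print(map_claims(UNVERIFIED))  # mail is withheld
```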

 
