Google IdP Configuration

You can configure Google as an Identity Provider (IdP) in the Onegini IDP. The Onegini IDP uses the OAuth 2.0 protocol to integrate with the Google APIs. This chapter guides you through all the steps required to fully configure and use the Google IdP with the Onegini IDP.

What is required?

To successfully complete this topic guide, make sure the following prerequisites are met:

  • An Onegini IDP instance must be running; for the sake of this guide we assume it is available at http://idp-core.dev.onegini.me
  • The Onegini IDP must have the Username & password identity provider configured

Configure Google identity provider

To register Google as an Identity Provider within the Onegini IDP, you first need to create an application on the Google platform and obtain its Client ID and Client Secret. Please check the official Google documentation to see how this is done. Next, visit the http://idp-core.dev.onegini.me:8082/admin page and log in to the Onegini IDP admin console. Select the Config menu option and navigate to the Identity Providers tab. Hit the + button to create a new Identity Provider configuration. Fill in the form as follows:

  1. Type - open the dropdown list and select Google
  2. Name - name your Google IdP instance
  3. Authentication Level - choose desired authentication level
  4. Enabled - mark your Identity Provider as enabled
  5. OAuth attributes - paste your Google Client ID as Client ID and your Google Client Secret as Client Secret. Client Scope can be set to https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/user.addresses.read https://www.googleapis.com/auth/user.birthday.read https://www.googleapis.com/auth/user.phonenumbers.read or to another value, depending on the type of data you expect. If left blank, the default https://www.googleapis.com/auth/profile scope is used. You can read more about the supported scopes in the official Google documentation.
  6. Attributes mappings - as you may have noticed, the configuration form in the Onegini IDP also gives you the option to define attribute mappings. This is a very useful feature that lets you define "translations" for the user's profile and custom attributes. The automatic sign-up (Just-In-Time sign-up) functionality requires at least the Email address attribute to be mapped from the external identity provider (Google). Depending on the scope you use, you can also provide additional mappings for other fields. For more information about attribute mappings, please check the Attribute Mappings topic guide.

An example attribute mappings configuration for the Google IdP could look as follows:

  Attribute to map to    Attribute to map from
  -------------------    ---------------------
  Surname                familyName
  Given name             givenName
  Display name           displayName
  Gender                 gender
  Email                  emailAddress
  Phone number           phoneNumber
  Street address         streetAddress
  City                   city
  State or province      region
  Postal code            postalCode
  Country                country
  Date of birth          birthday

Configure automatic sign-up feature in Onegini IDP

After successfully defining the new Google IdP configuration in the Onegini IDP's admin console, select the Config menu option, navigate to the Feature management tab and check Just-in-time external IdP sign-up enabled in the Processes section. The Bind multiple social accounts with one CIM-account feature instructs the Onegini IDP to automatically couple the Google account with an account that already exists within the Onegini IDP. Please note that the coupling only takes place if a person with the email address returned by Google's services is already registered within the Onegini IDP.
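To make the attribute mapping and the just-in-time sign-up decision concrete, the following Python model applies the example mapping table above to a constructed set of attributes returned by the external IdP and then decides whether an account is created or bound. This is an added example, not code from the Onegini IDP or from Google; the attribute names are taken from the "Attribute to map from" column of the guide, the sample values and the emailVerified flag are constructed, and the rules that email comparison is case-insensitive and that an unverified email is rejected are assumptions of this model (the guide only states that the Email attribute must be mapped and that coupling happens when the returned email is already registered). The model assumes both the Just-in-time external IdP sign-up and the Bind multiple social accounts with one CIM-account features are enabled.

```python
# Attribute mapping table from the guide: Onegini profile attribute -> external (Google) attribute.
GOOGLE_ATTRIBUTE_MAPPINGS = {
    "Surname": "familyName",
    "Given name": "givenName",
    "Display name": "displayName",
    "Gender": "gender",
    "Email": "emailAddress",
    "Phone number": "phoneNumber",
    "Street address": "streetAddress",
    "City": "city",
    "State or province": "region",
    "Postal code": "postalCode",
    "Country": "country",
    "Date of birth": "birthday",
}

# Constructed sample of what the external IdP hands back after the OAuth 2.0 flow.
# Key names follow the mapping table; values are made up. "emailVerified" is an
# assumed extra flag used by this model, not an attribute named in the guide.
SAMPLE_GOOGLE_ATTRIBUTES = {
    "familyName": "Doe",
    "givenName": "Jane",
    "displayName": "Jane Doe",
    "emailAddress": "Jane.Doe@example.com",
    "emailVerified": True,
    "phoneNumber": "+31600000000",
    "country": "NL",
}


def map_attributes(external_attrs, mappings=GOOGLE_ATTRIBUTE_MAPPINGS):
    """Translate external IdP attributes into Onegini profile attributes.

    Attributes that have no mapping, or that the IdP did not return (for example
    because the requested scope did not cover them), are simply left out.
    """
    return {
        onegini_attr: external_attrs[external_attr]
        for onegini_attr, external_attr in mappings.items()
        if external_attr in external_attrs
    }


def jit_sign_up(external_attrs, accounts, require_verified_email=True):
    """Model of the just-in-time sign-up decision described in the guide.

    accounts: dict of normalized email -> account record; a constructed stand-in
    for the person store of the Onegini IDP. It is updated in place.
    Returns a (action, detail) tuple where action is one of
    "created", "bound" or "rejected".
    """
    profile = map_attributes(external_attrs)
    email = profile.get("Email")
    if not email:
        # The guide requires the Email attribute to be mapped for automatic sign-up.
        return "rejected", "Email attribute is not mapped or was not returned"
    if require_verified_email and not external_attrs.get("emailVerified", False):
        # Assumption of this model: never couple or create on an unverified address.
        return "rejected", "email address is not verified by the external IdP"

    key = email.lower()  # assumption: email match is case-insensitive
    if key in accounts:
        # Bind multiple social accounts with one CIM-account: couple to the existing person.
        account = accounts[key]
        account.setdefault("linked_idps", []).append("Google")
        return "bound", account

    # No existing person with this email: create the account without showing the sign-up form.
    account = {"profile": profile, "linked_idps": ["Google"]}
    accounts[key] = account
    return "created", account


if __name__ == "__main__":
    store = {}
    print(jit_sign_up(SAMPLE_GOOGLE_ATTRIBUTES, store))  # first login creates the account
    print(jit_sign_up(SAMPLE_GOOGLE_ATTRIBUTES, store))  # second login binds to it
```

Running the block twice against the same store shows the two outcomes the guide describes: the first login creates a person with the mapped profile, the second login with the same email couples the Google account to that person instead of creating a duplicate.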

Testing

To test automatic sign-up with Google, try to log in to the Onegini IDP by selecting the Google identity provider available on the login page. If everything was configured correctly, a new person account is created automatically without the sign-up form being shown, and you are redirected straight to the personal dashboard page.