Google IdP Configuration
You can configure Google as an Identity Provider (IdP) in the Onegini IdP. The Onegini IdP uses the OAuth 2.0 protocol to integrate with the Google APIs. This chapter guides you through all the steps required to fully configure and use the Google IdP with the Onegini IdP.
Prerequisites
To successfully complete this topic guide you need to ensure the following prerequisites:
- An Onegini IdP instance must be running; for the sake of this guide we assume it is available at http://idp-core.dev.onegini.me
- The Onegini IdP must have the Username & password identity provider configured
Configure Google identity provider
To register Google within the Onegini IdP as an Identity Provider, you first need to create an application on the Google platform and obtain its Client ID and Client Secret. Please check the official Google documentation to see how this is done. Next, visit the http://idp-core.dev.onegini.me:8082/admin page and log in to the Onegini IdP admin console. Select the Config menu option and navigate to the Identity Providers tab.
Hit the + button to create a new Identity Provider configuration. Fill in the form as follows:
- Type - open the dropdown list and select Google
- Name - name your Google IdP instance
- Authentication Level - choose the desired authentication level
- Enabled - mark your Identity Provider as enabled
- OAuth attributes - paste your Google Client ID as Client ID and Client Secret as Client Secret. Client Scope can be set to https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/user.addresses.read https://www.googleapis.com/auth/user.birthday.read https://www.googleapis.com/auth/user.phonenumbers.read or another value depending on the expected type of data. If left blank, the default https://www.googleapis.com/auth/profile scope will be used. You can read more about supported scopes in the official Google documentation.
- Attributes mappings - as you may have noticed, the configuration form also gives you the option to define attribute mappings. This is a very useful feature that lets you define "translations" for the user's profile and custom attributes. The automatic sign-up (Just-In-Time sign-up) functionality requires at least the Email address attribute to be mapped from the external identity provider (Google). Depending on the scope that you use you can also provide additional mappings for other fields. For more information about attribute mappings please check the Attribute Mappings topic guide.
Example attribute mappings configuration for Google IdP could look as follows:
Attribute to map to | Attribute to map from |
---|---|
Surname | familyName |
Given name | givenName |
Display name | displayName |
Gender | gender |
Email address | emailAddress |
Phone number | phoneNumber |
Street address | streetAddress |
City | city |
State or province | region |
Postal code | postalCode |
Country | country |
Date of birth | birthday |
Configure automatic sign-up feature in Onegini IdP
After successfully defining the new Google IdP configuration in the Onegini IdP's admin console, select the Config menu option, navigate to the Feature management tab and check Just-in-time external IdP sign-up enabled in the Processes section. The Bind multiple social accounts with one CIM-account feature instructs the Onegini IdP to automatically couple the Google account with an account which already exists within the Onegini IdP. Please note that the coupling will only take place if a person with the email address returned by Google's services is already registered within the Onegini IdP.
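The attribute mapping table and the Just-in-time sign-up and account-binding rules above, worked through as an added Python example (this is not Onegini code): it applies the "map to / map from" pairs to a constructed Google profile, refuses JIT sign-up when the required Email address attribute is not available, and binds to an existing account only when the mapped email address is already registered. The Google profile keys, the emailVerified flag, the case-insensitive email match and the behaviour when binding is disabled are assumptions of this example, not documented Onegini behaviour.

```python
"""Added example: translate Google attributes into Onegini attributes using the
mapping table from this page, then decide between JIT sign-up and binding.
All profile data and the account directory below are constructed samples."""

# "Attribute to map to" -> "Attribute to map from", as in the table above.
ATTRIBUTE_MAPPINGS = {
    "Surname": "familyName",
    "Given name": "givenName",
    "Display name": "displayName",
    "Gender": "gender",
    "Email address": "emailAddress",
    "Phone number": "phoneNumber",
    "Street address": "streetAddress",
    "City": "city",
    "State or province": "region",
    "Postal code": "postalCode",
    "Country": "country",
    "Date of birth": "birthday",
}

# The page states that JIT sign-up needs at least the email address mapped.
REQUIRED_FOR_JIT_SIGNUP = {"Email address"}

# Constructed sample profile; the key names are assumptions for this example.
SAMPLE_GOOGLE_PROFILE = {
    "givenName": "Ada",
    "familyName": "Lovelace",
    "displayName": "Ada Lovelace",
    "emailAddress": "Ada.Lovelace@example.com",
    "emailVerified": True,  # assumed flag: external IdP asserts the address is verified
    "birthday": "1815-12-10",
    "country": "GB",
}

# Constructed directory of already registered persons, keyed by lower-cased email.
EXISTING_ACCOUNTS = {"ada.lovelace@example.com": "person-0001"}


def translate_attributes(external_profile, mappings=ATTRIBUTE_MAPPINGS):
    """Apply the mappings: Onegini attribute name -> value from the external profile.
    Mappings whose source attribute is absent or empty (e.g. a scope that was not
    granted) are simply skipped."""
    return {
        target: external_profile[source]
        for target, source in mappings.items()
        if external_profile.get(source) not in (None, "")
    }


def decide_jit_action(external_profile, existing_accounts_by_email,
                      bind_multiple_social_accounts):
    """Return (action, detail) for the Just-in-time flow.

    action is one of:
      "reject" - required attribute missing or email not verified
      "bind"   - couple the external account with the existing person (detail = person id)
      "create" - sign the person up automatically (detail = mapped attributes)
    """
    attrs = translate_attributes(external_profile)

    missing = sorted(REQUIRED_FOR_JIT_SIGNUP - set(attrs))
    if missing:
        return ("reject", missing)

    # Assumption of this example: never couple or create on an address the
    # external IdP has not verified, since the email is the binding key.
    if not external_profile.get("emailVerified", False):
        return ("reject", ["Email address not verified by external IdP"])

    # Assumption: emails are compared case-insensitively after trimming.
    email = attrs["Email address"].strip().lower()

    if email in existing_accounts_by_email:
        if bind_multiple_social_accounts:
            return ("bind", existing_accounts_by_email[email])
        # The page does not describe this case; this example refuses conservatively.
        return ("reject", ["account exists but binding disabled"])

    return ("create", attrs)


if __name__ == "__main__":
    print(translate_attributes(SAMPLE_GOOGLE_PROFILE))
    print(decide_jit_action(SAMPLE_GOOGLE_PROFILE, EXISTING_ACCOUNTS, True))
    print(decide_jit_action(SAMPLE_GOOGLE_PROFILE, {}, True)[0])
```

Running the block with the constructed profile binds Ada's Google login to person-0001 when the bind feature is on, creates a new person when no account with that email exists, and rejects a profile whose Google attributes did not include an email address (for example because the userinfo.email scope was not requested).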
Testing
To test automatic sign-up with Google, try to log in to the Onegini IdP by selecting the Google identity provider available on the login page. If everything was configured correctly, the new person account should be created automatically without showing the sign-up form; instead you should be redirected straight to the personal dashboard page.