Use Google as external Identity Provider


Now we can configure some external IdPs. To configure these in TrustBuilder, an OAuth AppID and secret are needed. This requires that you have an account with the IdP yourself, so that you can create the AppID and secret which TrustBuilder then uses.

In this section we will configure a Google IdP.

Create Google OAuth credential

More information about creating OAuth credentials can be found here:

https://developers.google.com/identity/protocols/OAuth2

Go to the Google API Console:

https://console.developers.google.com/

  • On the Google API Console click the Select a Project button.
  • In the project dialog click on the NEW PROJECT button.
  • Fill in the Name of your project and click Create.
  • Once the project is created, click on Credentials under APIs and Services.
  • Then click on Create Credentials.
  • Select OAuth client ID.
  • Click on the Configure consent screen button.
  • Fill in TrustBuilder in the Product name shown to users field and click Save.
  • Then select Web application as Application type.
  • Fill in TrustBuilder in the Name field and click Create.
  • You will then be prompted with the client ID and client secret. These are needed in the TrustBuilder configuration of the Google IdP.

When you have created the Google IdP as detailed in the next section, locate the code of the IdP (you can find the code in the URL of the portal when editing a saved IdP), append the code to the URL https://your-tb-ip-address.xip.io/idhub/oauth2/callback/, and register this complete URL in the Authorized redirect URIs field. Note the use of the xip.io 'domain': Google does not allow entering the bare IP address of the appliance set up as described here, so when testing TrustBuilder the IP address must be used with the domain suffix.

Create OAuth IdP in TrustBuilder

Go to the IDHub Portal.

https://your-tb-ip-address/idhub/admin

Login as Administrator.

In the Menu Under Administration click on Identity Providers.

  • Click on the Add New IDP button. Fill in these parameters (to enter values for the scopes click on the + button and enter a value):

    Parameter                    Value
    Display Name                 Google
    URL                          https://accounts.google.com
    Description                  Google as IdP
    Type                         OAuth 2.0
    Subject                      Email
    Well Known                   (empty)
    App Client ID                yourappid
    Authorization Endpoint       https://accounts.google.com/o/oauth2/v2/auth
    Token Endpoint               https://www.googleapis.com/oauth2/v4/token
    Token Endpoint Method        Client Secret Post
    Client Secret                yoursecret
    User Info Endpoint           https://www.googleapis.com/oauth2/v3/userinfo
    Provisioning URI             (empty)
    Attribute Name for subject   email
    Scopes                       openid, email (two separate entries)
    Client Mode                  OAUTH
    Flow Type                    AUTHORIZATION_CODE

Do not add certificates.

Note: The URLs used by Google may change over time. The latest information can be found in Google's discovery document for OpenID Connect:

https://accounts.google.com/.well-known/openid-configuration

  • Click the Save & Close button.
  • Click on the Edit identity button (human icon) of the Google IDP.
  • Under Subject Configuration select common>Email.
  • Select Save & Close.

Create Authentication Method

In the Menu under Configuration select Authentication.

  • Under Authentication Methods click the Add New Method button.
  • Select Google from the Identity Providers list.
  • Fill in the following parameters:

    Parameter                      Value
    Display Name                   Google
    SAML Authentication Context    urn:tb:ac:classes:Google
    OpenID Authentication Context  urn:tb:ac:classes:Google

  • Click Save & Close.
  • Then under Authentication Schemes on the Custom Authentication Scheme line click the Edit button.
  • In the Authentication Methods list click the Add to Scheme button under the Google Authentication Method.
  • Select Save & Close.

When you now try to access the backend SP (don't forget the xip.io suffix) you should be prompted with two authentication methods (Username/Password and Google). Select Google. Make sure the mail address of the Google user matches the mail address of a TrustBuilder user. Also make sure to provision the Google IDP to that user; this allows TrustBuilder to retrieve all the attributes of the user from the database.

https://your-tb-ip-address.xip.io/backend/
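As an added example, not TrustBuilder's own code, the following Python assembles the Google OAuth 2.0 settings from the IdP parameter table above, checks them against a discovery document as the note about changing URLs recommends, builds the redirect URI and the authorization-code exchange that the configured flow performs, and finally matches the User Info subject to a local user as the paragraph above requires. The discovery excerpt, the IP address and the user store are constructed for the example; the user-store model (a list of provisioned IdPs per mail address) is an assumption and not TrustBuilder's data model.

```python
# Added example, not TrustBuilder code: check the Google OAuth 2.0 settings and the subject match.
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed excerpt in the shape of Google's discovery document, embedded so
# the example runs offline; compare with the live copy at
# https://accounts.google.com/.well-known/openid-configuration
DISCOVERY_JSON = """{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.googleapis.com/token",
  "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"]
}"""

# Values as typed into the TrustBuilder IdP form (parameter names from the table).
CONFIGURED = {
    "URL": "https://accounts.google.com",
    "Authorization Endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "Token Endpoint": "https://www.googleapis.com/oauth2/v4/token",
    "User Info Endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
}

# Discovery-document keys mapped onto the form's parameter names.
FIELD_MAP = {
    "URL": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "User Info Endpoint": "userinfo_endpoint",
}

# Constructed user store: mail address -> provisioned IdPs (assumed model, not TrustBuilder's).
USERS = {
    "alice@example.com": {"idps": ("Google",)},
    "bob@example.com": {"idps": ()},
}


def endpoints_from_discovery(doc_json: str) -> dict:
    """Pick the form values out of a discovery document: every endpoint must be
    https and the token endpoint must accept client_secret_post (Token Endpoint Method)."""
    doc = json.loads(doc_json)
    values = {field: doc[key] for field, key in FIELD_MAP.items()}
    for field, url in values.items():
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} is not https: {url}")
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported", []):
        raise ValueError("token endpoint does not accept client_secret_post")
    return values


def stale_fields(configured: dict, discovered: dict) -> list:
    """Form fields whose value no longer matches the discovery document."""
    return sorted(f for f in discovered if configured.get(f) != discovered[f])


def callback_url(appliance_ip: str, idp_code: str) -> str:
    """Redirect URI to register with Google: the xip.io suffix is needed
    because Google rejects a bare IP address."""
    return f"https://{appliance_ip}.xip.io/idhub/oauth2/callback/{idp_code}"


def authorization_request(auth_endpoint: str, client_id: str, redirect_uri: str,
                          scopes: tuple, state: str = None) -> str:
    """Authorization-code request (Flow Type AUTHORIZATION_CODE). The state
    value ties the callback to this browser session; keep it server-side."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def token_request_body(code: str, client_id: str, client_secret: str,
                       redirect_uri: str) -> dict:
    """Form body for the code exchange with Client Secret Post: the secret
    travels in the POST body, never in the query string."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }


def local_user_for(userinfo: dict, users: dict, subject_attr: str = "email"):
    """Attribute Name for subject is 'email': the User Info claim must equal the mail
    address of a local user who has the Google IdP provisioned, otherwise no user is returned."""
    user = users.get(userinfo.get(subject_attr))
    if user is None or "Google" not in user["idps"]:
        return None
    return user
```

With the constructed discovery excerpt, stale_fields reports Token Endpoint and User Info Endpoint, because the excerpt lists different hosts than the table; that is exactly the drift the note about changing URLs warns about, and the check is worth running whenever a Google login suddenly fails after working before.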
