Configuring Google as an Identity Provider

The EmpowerID SSO framework allows you to configure Google as an identity provider (IdP) for the EmpowerID Web application. EmpowerID integrates with Google using the OAuth protocol to allow your users to log in to EmpowerID using their Google accounts.

This topic demonstrates how to configure an Identity Provider (IDP) connection for Google and is divided into the following activities:

Before you can create an IDP Connection for Google, you must have a Google Apps for Business or Education account and register the EmpowerID Web application for your organization in the APIs Console of that account. Registration produces a set of values shared by Google and the EmpowerID Web application that lets the two establish a federated trust relationship: the Client ID and the Client Secret (generated by Google and used together with the Google SAML Attributes that EmpowerID creates), and the Redirect URI (entered by you to tell Google where to post the assertion of a user's identity to the EmpowerID Assertion Consumer Service).

For specific directions on registering EmpowerID as an application in Google, see the information provided by Google at https://console.developers.google.com.

When registering EmpowerID in Google, use the following URL as the Callback or Return URL, replacing "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN of the EmpowerID Web server in your environment.
https://FQDN_OF_YOUR_EMPOWERID_SERVER/EmpowerIDWebIdPForms/oauth/v2

Once the IDP Connection has been set up for Google, you can create a link similar to the one below to allow users to log in to EmpowerID using Google. Be sure to replace "FQDN_OF_YOUR_EMPOWERID_SERVER" with the FQDN or fully resolvable DNS name of the EmpowerID Web server in your environment and "Google" with the name of the SSO connection you create for Google in EmpowerID.

https://FQDN_OF_YOUR_EMPOWERID_SERVER/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/Google?returnUrl=%2FEmpowerIDWebIdPForms%2F
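The two URL formats above can be generated and checked programmatically. The following Python helper is an added example, not EmpowerID or Google code: it builds the callback URL to register with Google and the login link for an SSO connection, compares a registered redirect URI exactly against the expected callback, and (as an added defensive check that the page does not describe) refuses a returnUrl that is not a site-relative path, so the login link cannot be turned into an off-site redirect. The FQDN and connection name used in the example are constructed sample values.

```python
import re
from urllib.parse import quote, urlsplit

# Paths taken from the page: the OAuth callback and the login page for a connection.
CALLBACK_PATH = "/EmpowerIDWebIdPForms/oauth/v2"
LOGIN_PATH = "/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/"
DEFAULT_RETURN_URL = "/EmpowerIDWebIdPForms/"

# Loose FQDN syntax check: dot-separated labels, alphabetic top-level label.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def callback_url(fqdn: str) -> str:
    """Exact Callback/Return URL to register for the EmpowerID app in Google."""
    if not _FQDN_RE.match(fqdn):
        raise ValueError(f"not a fully qualified host name: {fqdn!r}")
    return f"https://{fqdn}{CALLBACK_PATH}"


def login_link(fqdn: str, connection: str, return_url: str = DEFAULT_RETURN_URL) -> str:
    """Build the 'log in with Google' link for the named SSO connection.

    The returnUrl must be a site-relative path (added defensive check, an
    assumption of this example): absolute URLs, scheme-relative '//host' forms,
    bare scheme values and backslashes are all rejected.
    """
    if not _FQDN_RE.match(fqdn):
        raise ValueError(f"not a fully qualified host name: {fqdn!r}")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", connection):
        raise ValueError("connection name must be a single URL path segment")
    parts = urlsplit(return_url)
    if (parts.scheme or parts.netloc or "\\" in return_url
            or not parts.path.startswith("/") or parts.path.startswith("//")):
        raise ValueError(f"returnUrl must be a site-relative path: {return_url!r}")
    # safe='' percent-encodes the slashes, producing %2FEmpowerIDWebIdPForms%2F.
    return f"https://{fqdn}{LOGIN_PATH}{connection}?returnUrl={quote(return_url, safe='')}"


def redirect_uri_matches(registered: str, fqdn: str) -> bool:
    """True only if the URI registered in Google equals the expected callback exactly
    (https scheme, same host ignoring case, identical path, no query or fragment)."""
    r, expected = urlsplit(registered), urlsplit(callback_url(fqdn))
    return (r.scheme == "https" and r.netloc.lower() == expected.netloc.lower()
            and r.path == expected.path and not r.query and not r.fragment)
```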

To add the Client ID and Client Secret to the Google OAuth Connection

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the OAuth Connections management page by expanding Admin > SSO Connections and clicking OAuth.
  2. From the OAuth Connections management page, click the OAuth Service Provider tab and then click the Search button to populate the OAuth Service Provider grid.
  3. From the OAuth Service Provider grid, click the Google link.
  4. From the OAuth Service Provider Details page that appears, click the Edit button for the specific Google connection you want to edit. By default, EmpowerID includes one connection. However, you can add as many connections for Google as your organization needs.
  5. In the OAuth Connection pane that appears, type the Client ID (App ID) Google generated for your application in the Consumer Key field and the Client Secret (App Secret) in the Consumer Secret field.
  6. Click Save to close the OAuth Connection pane.
  7. Next, add a login tile for Google to the desired IdP Domains. This allows your users to authenticate to EmpowerID with their Google credentials. If you have not yet set up an IdP Domain for your environment, you can do so by following the directions in the drop-down below.

    • To create an IdP Domain
      1. From the Navigation Sidebar, navigate to the SSO Components management page by expanding Admin > Applications and Directories > SSO Connections and clicking SSO Components.
      2. Click the IdP Domains tab and then click the Add IdP Domain (+) button.
      3. Type the fully qualified domain name in the Domain Name field and then click Save.

To add a login tile for Google

  1. From the Navigation Sidebar, navigate to the SSO Components management page by expanding Admin > Applications and Directories > SSO Connections and clicking SSO Components.
  2. From the IdP Domains tab of the SSO Components management page, click the IdP Domains link for the domain in which you want the login tile to appear.
  3. In the SAML Domain Name Details page that appears, click the Edit link. Edit links display a pencil icon.
  4. In the IdP Domain Details page that appears, click the OAuth Identity Providers tab, check the box beside Google and then click Save.
  5. Now that the IDP Connection is configured, you can test it by following the procedure outlined below.

To test the Google IDP connection

  1. Log out of the EmpowerID Web application and navigate your browser to the domain name you configured for the IdP connection.
  2. Click the Login using Google button.
  3. This redirects your browser to the login for Google. Sign in as you normally would.
  4. This directs you to the Request for Permission page for Google. Click Allow to allow EmpowerID to access the information it needs to link the account to your EmpowerID Person.
  5. The Request for Permission page only appears the first time you log in to EmpowerID with the third-party account. Subsequent logins simply redirect your browser from the login page for the application to the EmpowerID Web application.
  6. Back in the EmpowerID Web application, click Yes to indicate that you have an EmpowerID login.
  7. Users without EmpowerID Persons can request EmpowerID accounts by clicking No. This initiates the Create User Account workflow, which displays a form in the browser to allow the user to fill in the appropriate information. If a user submits the request, EmpowerID routes that request to those individuals in your environment with the ability to approve or deny the request and returns the user to the EmpowerID web login.
  8. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address because EmpowerID sends a one-time password to that address.
  9. Check your email for the one-time password.
  10. Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.

Upon successful submission of your one-time password, EmpowerID logs you in to the Web application. Your Google account is now linked to your EmpowerID Person.