This documentation is for WSO2 Identity Server 5.3.0. View documentation for the latest release.
Configuring Google - Identity Server 5.3.0 - WSO2 Documentation
||
Skip to end of metadata
Go to start of metadata

Google can be used as a federated authenticator in the Identity Server. Do the following to configure the Identity Server to authenticate users using their Google user accounts. 

Before you begin

  1. Create a Google account and register an application on Google.

     Click here for the instructions.
    1. As the first step, go to Google API Console, navigate credential tab from the sidebarYou can configure OAuth web application in Google by selecting OAuth Client ID. You can find more details from here
    2. Select web application, give a name for the application (Eg:- SampleWebApplication).
    3. Enter the Authorized redirect URI as https://localhost:9443/commonauth (This is the endpoint in WSO2 Identity Server which accepts the response sent by Google).

  2. Sign in to the WSO2 Identity Server Management Console at https://<Server Host>:9443/carbon using your username and password.
  1. Navigate to the Identity Provider section under Main > Identity menu-item.
  2. Click Add.
  3. Provide values for the following fields under the Basic Information section:
    FieldDescriptionSample Value
    Identity Provider Name

    The Identity Provider Name must be unique as it is used as the primary identifier of the identity provider.

    FacebookIdP, Twitter
    Display Name

    The Display Name is used to identify the identity provider. If this is left blank, the Identity Provider Name is used. This is used in the login page when selecting the identity provider that you wish to use to log in to the service provider.

    Facebook, Twitter
    DescriptionThe Description is added in the list of identity providers to provide more information on what the identity provider is. This is particularly useful in situations where there are many identity providers configured and a description is required to differentiate and identify them.This is the identity provider configuration.
    Federation Hub Identity Provider

    Select the Federation Hub Identity Provider check-box to indicate if this points to an identity provider that acts as a federation hub. A federation hub is an identity provider that has multiple identity providers configured to it and can redirect users to the correct identity provider depending on their Home Realm identifier or their Identity Provider Name. When we have this check-box selected additional window will pop-up in the multi-option page in the first identity server to get the home realm identifier for the desired identity provider in the identity provider hub.

    Selected
    Home Realm Identifier

    The Home Realm Identifier value can be specified in each federated IDP and can send the Home Realm Identifier value as the “fidp” query parameter (e.g., fidp=googleIdp) in the authentication request by the service provider. The WSO2 Identity Server finds the IDP related to the “fidp” value and redirects the end user to the IDP directly rather than showing the SSO login page. By using this, you can avoid multi-option, in a multi-option scenario without redirecting to the multi-option page.

    FB, TW
    Identity Provider Public Certificate

    The Identity Provider Public Certificate is the public certificate belonging to the identity provider. Uploading this is necessary to authenticate the response from the identity provider. See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information on how public keys work and how to sign these keys by a certification authority.

    This can be any certificate. If the identity provider is another Identity Server, this can be a wso2.crt file.

     To create the Identity Provider Certificate click here

    Open your Command Line interface, traverse to the <IS_HOME>/repository/resources/security/ directory. Next, you must execute the following command.

    keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon

    Once this command is run, the wso2.crtfile is generated and can be found in the <IS_HOME>/repository/resources/security/ directory. Click Choose File and navigate to this location in order to obtain and upload this file.

    See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information.
    Alias

    The Alias is a value that has an equivalent value specified in the identity provider that we are configuring. This is required for authentication in some scenarios.

    http://localhost:9443/oauth2/token
  4. Expand the Google Configuration form and configure the Google authenticator as shown below. Make sure to add your Redirect URI as the Callback URL and Client id and Secret which is generated from above Google application. You can find the Client id and Secret from edit OAuth client.


  5. Fill in the following fields where relevant.

    FieldDescriptionSample value
    EnableSelecting this option enables Google to be used as an authenticator for users provisioned to the Identity Server.Selected
    DefaultSelecting the Default check box signifies that Google is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
    Client IdThis is the username from the Google application you created from google developer console.1421263438188909
    Client SecretThis is the password from the Google application you created from google developer console. Click the Show button to view the value you enter.12ffb4dfb2fed67a00846b42126991f8
    Callback UrlThis is the URL to which the browser should be redirected after the authentication is successful. It should have this format: https://(host-name):(port)/acs. Here ACS URL (Assertion Consumer URL) is the endpoint in WSO2 Identity Server which accepts the response sent by Google.https://localhost:9443/commonauth
    Additional Query ParametersThis is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here.scope=openid email profile
Related Topics
  • Identity Federation is part of the process of configuring an identity provider. For more information on how to configure an identity provider, see Configuring an Identity Provider.



  • No labels