This topic provides instructions on how to log into Google using your WSO2 Identity Server credentials. In this tutorial, Google acts as the service provider and WSO2 Identity Server acts as the identity provider.
Let's get started!
Before you begin!
You need to have a Google domain. Click here for more information on creating the domain.
- Go to your domain's admin console via
Can't see the Security section? Click the MORE CONTROLS bar at the bottom and you can see the Security section.
Click Set up single sign-on (SSO) and select Setup SSO with third party identity provider .
Enter the following URLs to your third-party Identity Provider (IdP).
Sign-in page URL:
Sign-out page URL:
Upload the Identity Server certificate:
The certificate file must contain the public key for Google to verify the sign-in requests.
- Navigate to the
<IS_HOME>/repository/resources/securitydirectory via the terminal.
Run the command given below to import the public certificate from the keystore to a
mycert.pemfile is created in the same directory mentioned in step a above. If you want to change the name of the file that is being generated, enter a preferred name instead of
mycertin the above command.
- Click Replace certificate and upload the
.pemfile you just generated.
- Navigate to the
Configuring WSO2 IS to use the email as the username
When you log into Google, you use an email address. Therefore, to integrate this with the Identity Server, you need to configure WSO2 IS to enable users to log in using their email addresses. In order to do that, follow the steps given below.
- here. Download the WSO2 Identity Server from
- When you log in to Google, you normally use an email address. So, to integrate this with the Identity Server, you need to configure WSO2 IS to enable users to log in using their email addresses. In order to do that, follow the steps found in the Using Email Address as the Username topic.
Restart the Identity Server. Since the username and password of the admin user were updated, start the WSO2 IS server using the -Dsetup parameter as shown in the command below.
Now that you are done with configuring WSO2 Identity Server to use the email address, configure the service provider.
Configuring the Service Provider
- Enter your username and password to log on to the Management Console.
- Navigate to the Main menu and click Add under Service Providers.
- Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field and you can use Google-SP as the name for this example.
- Click Register.
- Expand the Inbound Authentication Configuration and the SAML2 Web SSO Configuration, and click Configure.
In the form that appears, fill out the following configuration details required for single sign-on. For more details about attributes in the following configuration refer SAML2 Web SSO Configuration.
See the following table for details.
Field Value Description Issuer
This is the
<saml:Issuer>element that contains the unique identifier of the service provider.
Assertion Consumer URL
This is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. NameID Format The default value can be used here. This defines the name identifier formats supported by the identity provider. The service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name-Identifier (NameID), which should be in some format so that It is easy for the other party to identify it based on the format. Name identifiers are used to provide information regarding a user. Certificate Alias wso2carbon Select the Certificate Alias from the drop-down. This is used to validate the signature of SAML2 requests and is used to generate encryption.Basically, the service provider’s certificate must be selected here. Note that this can also be the Identity Server tenant's public certificate in a scenario where you are doing a tenant-specific configuration. Enable Response Signing Selected
Select Enable Response Signing to sign the SAML2 Responses returned after the authentication process.
Enable Attribute Profile Selected Select Enable Attribute Profile to enable this and add a claim by entering the claim link and clicking the Add Claim button. The Identity Server provides support for a basic attribute profile where the identity provider can include the user’s attributes in the SAML Assertions as part of the attribute statement. Include Attributes in the Response Always Selected Once you select the checkbox to Include Attributes in the Response Always , the identity provider always includes the attribute values related to the selected claims in the SAML attribute statement.
Click Register to save your configurations.
Try it out
Now, you have successfully configured Google and WSO2 Identity Server. Let's look at how you can try it out:
The admin users of your Google domain do not get redirected to WSO2 IS. Therefore, to try out the tutorial you need to use a user who is not an admin in your Google account.
- Create a user in WSO2 Identity Server. Make sure that the same user exists in your Google domain.
Example: In this example,
email@example.com in the Google domain that is used for this tutorial. Therefore, we create the same user in WSO2 Identity Server.
- On the Main tab in the Management Console, click Add under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
Click Add New User. The following screen appears.
- Click Next >.
- Optionally, select the role(s) you want this user to have. If you have many roles in your system, you can search for them by name.
- Click Finish.
- Navigate to
https://google.com/a/<ENTER_YOUR_DOMAIN>/acsand enter the email address (username) of the user you created.
You are navigated to WSO2 Identity Server's sign in screen.
Enter the username and password of the user you created.
You are navigated to the G-Suite of that domain and you can select the application you need to use.
If you want to only access Gmail, navigate to mail.google.com, enter the username of the user, enter the username and password of the user on the WSO2 Identity Server sign in screen, and you are navigated to the user's mail account.