IDM

Google social identity provider

Social authentication is deprecated and will be removed in a future release of IDM. For more information, see Deprecation.

Set up Google

To set up Google as a social identity provider, navigate to the Google API Manager. You’ll need a Google account. If you have Gmail, you already have a Google account 😉. While you could use a personal Google account, it is best to use an organizational account to avoid problems if specific individuals leave your organization. When you set up a Google social identity provider, you’ll need to perform the following tasks:

Plan ahead. It may take some time before the Google+ API that you configure for IDM is ready for use.

  • In the Google API Manager, select and enable the Google+ API. It is one of the Google "social" APIs.

  • Create a project for IDM.

  • Create OAuth client ID credentials. You’ll need to configure an OAuth consent screen with at least a product name and email address.

  • When you set up a Web application for the client ID, you’ll need to set up a web client with:

    • Authorized JavaScript origins

      The origin URL for IDM, typically a URL such as https://openidm.example.com:8443

    • Authorized redirect URIs

      The redirect URI after users are authenticated, typically, https://openidm.example.com:8443/

  • In the list of credentials, you’ll see a unique Client ID and Client secret. You’ll need this information when you configure the Google social identity provider, as described in Configure a Google Social Identity Provider.

For Google’s procedure, see the Google Identity Platform documentation on Setting Up OAuth 2.0.

Configure a Google social identity provider

To configure a Google social identity provider using the admin UI:

  1. From the navigation bar, click Configure > Social ID Providers.

  2. On the Social Identity Providers page, enable Google.

  3. In the Google Provider window, enter applicable values in the fields, and click Save. For a complete list of fields, see Google Social Identity Provider Configuration Details.

After you save the social identity provider configuration, IDM generates a conf/identityProvider-google.json file:

{
    "enabled" : true,
    "authorizationEndpoint" : "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint" : "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint" : "https://www.googleapis.com/oauth2/v3/userinfo",
    "wellKnownEndpoint" : "https://accounts.google.com/.well-known/openid-configuration",
    "issuer": "https://accounts.google.com",
    "clientId" : "<someUUID>",
    "clientSecret" : {encrypted-client-secret},
...

The file includes schema information, which includes properties for each social identity account, as collected by IDM, as well as the order in which it appears in the admin UI. When you’ve registered a user with a Google social identity, you can verify this by selecting Manage > Google, and then selecting a user.

Another part of the file includes a propertyMap, which maps user information entries between the source (social identity provider) and the target (IDM).

If you need more information about the properties in this file, refer to the following appendix: Google Social Identity Provider Configuration Details.

Configure user registration to link to Google

Once you’ve configured the Google social identity provider, you can activate it through User Registration. To do so in the admin UI, select Configure > User Registration, and under the Social tab, enable the option associated with Social Registration. For more information on user self-service features, see Self-service end user UI.

When you enable social registration, you’re allowing users to register on IDM through all active social identity providers.

Google social identity provider configuration details

You can set up the Google social identity provider through the admin UI or in a conf/identityProvider-google.json file. IDM generates the identityProvider-google.json file when you configure and enable this social identity provider in the admin UI. Alternatively, you can create the file manually.

The following table includes the information shown in the admin UI Google Provider pop-up window, along with associated information in the identityProvider-google.json file:

Google social identity provider configuration properties
Property (UI) Property (JSON file) Description

Client ID

clientId

The client identifier for your Google Identity Platform project.

Client Secret

clientSecret

Used with the Client ID to access the configured Google API.

Scope

scope

An array of strings that allows access to user data; see Google’s documentation on Authorization Scopes.

Authorization Endpoint

authorizationEndpoint

As per RFC 6749, "used to interact with the resource owner and obtain an authorization grant". For Google’s implementation, see Forming the URL.

Token Endpoint

tokenEndpoint

Endpoint that receives a one-time authorization grant, and returns an access and ID token.

User Info Endpoint

userInfoEndpoint

Endpoint that receives an access token, and returns information about the user.

Well-Known Endpoint

wellKnownEndpoint

Access URL for Google’s Discovery Document.

Issuer

issuer

The token issuer. Typically, https://accounts.google.com.

Not in the admin UI

name

Name of the social identity provider.

Not in the admin UI

type

Authentication module.

Not in the admin UI

authenticationId

Authentication identifier, as returned from the User Info Endpoint for each social identity provider.

Not in the admin UI

propertyMap

Mapping between Google and IDM.

For information on social identity provider buttons and badges, see Social identity provider button and badge properties.

Copyright © 2010-2022 ForgeRock, all rights reserved.