IAM configuration
17.4.5.4.2.2. Configuration of Airlock IAM
  • Open the Config Editor
    • Make sure that the demo configuration of Airlock IAM is loaded and active
    • Go to Loginapp >> OAuth 2.0/OIDC Client (create if missing).
    • Add new "OpenID Connect Client Settings" plugin to the client settings list
      • Set the "Provider Identifier" property to "google"
      • Copy Credentials ("Client ID" and "Client Secret") from the Google API Console into the respective fields
      • Set the "External Medusa URL" property to "<URL of Loginapp>" (e.g. https://iam.example.com/auth-login). This must be the URL under which Google reaches the Loginapp, and the redirect URI derived from it must be registered as an authorized redirect URI for the client in the Google API Console, otherwise Google rejects the authorization request.
      • Set "Authorization Endpoint URL" property to "https://accounts.google.com/o/oauth2/auth"
      • Add "openid" and "email" to the "Scope To Request" property list ("openid" is what makes Google return an ID token)
      • Set "Token Endpoint URL" property to "https://accounts.google.com/o/oauth2/token"
      • Add a new "Http Client Config" to the "Http Client" property
      • Add a new "OpenID Connect RS256 Signature Validator" as "Signature Validator"
        • Set "Remote Key Location" property to "https://www.googleapis.com/oauth2/v3/certs"
        • Set "Http Client" to the previously added plugin
      • Set "Custom Issuer Claim" property to "accounts.google.com" (Google's ID tokens carry the issuer either as "accounts.google.com" or as "https://accounts.google.com"; the value configured here is the one the ID token's "iss" claim is compared against)
      • Add a new "OAuth 2.0 Remote Username Resource" plugin to the "ID Token Resources" property list
        • Add a new "OAuth 2.0 Simple Resource Selector" plugin as the "Resource Selector" property
          • Set the "Key" property to "sub" (or "email"). Prefer "sub": it is Google's stable, unique account identifier, whereas an e-mail address can change hands and, unless "email_verified" is true, has not been confirmed by Google.
      • Add a new "OAuth 2.0 Remote Context Data Resource" plugin to the "ID Token Resources" property list
        • Set "Local Context Data Key" property to "email"
        • Add a new "OAuth 2.0 Simple Resource Selector" plugin as the "Resource Selector" property
          • Set the "Key" property to "email"
      • Add a "Lookup and Accept Authenticator" as "Additional Authenticator" (it looks up the user by the username taken from the ID token and accepts the login if the user exists; users must therefore already be present in the IAM user store)
  • Set the Login Page Type property to OAuth 2.0 SSO (in Loginapp >> Authentication Settings)
  • Activate Configuration

Instead of "OpenID Connect Client Settings", the "OpenID Connect Discovery Client Settings" plugin can be used. The discovery plugin reads the provider's discovery document and takes values such as the endpoint URLs and the signing key location from there, so fewer properties have to be configured by hand.
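The settings above add up to one check chain on the ID token Google returns: verify the RS256 signature against the key published at the remote key location, compare the issuer, make sure the token was minted for this Client ID, then pick "sub" as the username and "email" as context data. The following is an added example, not Airlock IAM code and not Google's, that carries that chain out on a constructed token so the individual rejections can be seen. It generates its own RSA key (a toy generator, so it runs offline; the key pair, key id "k1" and all claim values are constructed for the demo) and publishes it in the same JWK Set shape as https://www.googleapis.com/oauth2/v3/certs. The alg pinning, the audience check and the refusal to use an unverified e-mail address are the points a reviewer of such a configuration should look for.

```python
import base64
import hashlib
import json
import random
import time

# Minimal RSA key generation so the example runs offline (demo only; use a real crypto library otherwise).
def _is_probable_prime(n, rounds=16):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                     # Miller-Rabin with random witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:                                 # odd candidate with the top bit set
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def gen_rsa_key(bits=1024):
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
_bytelen = lambda n: (n.bit_length() + 7) // 8

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 9.2

def _emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of the SHA-256 digest of msg, as an integer (what RS256 signs)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def to_jwks(key, kid):
    """Publish the public key in the JWK Set shape served at .../oauth2/v3/certs."""
    n, e = key["n"], key["e"]
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": b64u(n.to_bytes(_bytelen(n), "big")), "e": b64u(e.to_bytes(_bytelen(e), "big"))}]}

def issue_id_token(key, kid, claims):
    """Constructed stand-in for the provider's token endpoint: an RS256-signed ID token."""
    enc = lambda obj: b64u(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "kid": kid, "typ": "JWT"}) + "." + enc(claims)
    k = _bytelen(key["n"])
    sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), key["d"], key["n"]).to_bytes(k, "big")
    return signing_input + "." + b64u(sig)

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}  # Google emits either form

def validate_id_token(token, jwks, client_id, now=None):
    """Signature validator bound to the JWKS, issuer check, audience check (the Client ID), then the
    username ("sub") and context data ("email") resource selectors. Returns (username, context_data)."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")                    # ValueError on a malformed token
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":                    # the validator pins the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None:                                     # Google rotates keys: a real client refetches the JWKS once here
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    sig, k = b64u_dec(s64), _bytelen(n)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p64))                  # claims are only trusted after the signature checks out
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:                  # a genuine Google token minted for another app is not ours
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("no sub claim")
    context = {}
    if claims.get("email_verified") is True and claims.get("email"):  # an unverified address must not map to an account
        context["email"] = claims["email"]
    return claims["sub"], context

def validation_error(token, jwks, client_id, now=None):
    try:
        validate_id_token(token, jwks, client_id, now)
    except ValueError as exc:
        return str(exc)                                 # rejection reason; None means the token was accepted
```

Run it with a token issued by `issue_id_token` for the JWKS from `to_jwks` and the same Client ID: the result is the Google "sub" as username plus `{"email": ...}` as context data. Re-signing the same claims with a different key, changing the audience, presenting an "alg": "none" token, or letting the token expire each produce a distinct rejection reason, which is the behaviour the configured signature validator and issuer claim are there to enforce.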