SSO configuration example for Google OP with Airlock IAM as OIDC client

This configuration example illustrates how to use Google as OIDC Provider (OP) with Airlock IAM as an OIDC client.

  • Technologies used in this example are:
  • OIDC Discovery Flow Client configured for Google OP. This plugin uses the .well-known/openid-configuration endpoint to retrieve the details of the Google configuration.
  • Loginapp REST UI with Authentication Flows for authentication
  • Password page customization to present an "Authenticate with Google" button.
  • Loginapp REST UI SDK to customize a Google button on the login page

Configure Google as OP

  1. Follow the instructions on OpenID Connect
  2. Create a project in the Google API Console
    • Choose a project name (e.g. Airlock IAM Integration)
  3. Create a Consent Screen page
    • Choose an application name (e.g. Airlock IAM)
    • Enter authorized domains (e.g. example.com)
  4. Create credentials for an OAuth 2.0 client ID on the Credentials page
    • Choose a name (e.g. Airlock IAM Client)
    • Enter authorized redirect URIs (e.g. https://iam.example.com/auth-login/oauth2/v3/oidc-as/authorize)
  5. From the newly created credentials obtain OAuth 2.0 credential information
    • Client ID
    • Client secret
  6. Google is now configured as OP.
  7. For local tests: make sure the redirect URI field lists https://localhost:8443/auth-login/oauth2/v3/oidc-as/authorize

Configure Airlock IAM as OIDC client

  1. Go to:
    Loginapp >> OAuth 2.0/OIDC Clients
  2. Create an OIDC Discovery Flow Client plugin in AS Setting For Flow Clients
  3. Go to:
    Basic Settings
  4. Create an OAuth 2.0 Provider Identifier plugin in the Provider Identifier setting
  5. Configure Provider Identifier as google.
  6. Set Client ID and Client Secret to the values obtained from Google.
  7. The OIDC Discovery Flow Client is configured with Google credentials.
  1. Go to:
    Communication and Discovery
  2. Create an HTTP Client Config plugin in the HTTP Client setting
  3. Set the Discovery Endpoint URL to https://accounts.google.com/.well-known/openid-configuration
  4. The OIDC Discovery Flow Client can connect to Google.
  1. Go to:
    Authorization Request
  2. Add openid to the Scopes To Request setting list
  3. Optionally add additional scopes. (e.g. email)
  4. Configure and OAuth 2.0 REST UI Client Redirect URI plugin in the Client Redirect URI setting.
  5. In the OAuth 2.0 REST UI Client Redirect URI set the External Base URL (e.g. https://iam.example.com/auth-login/)
  6. The OIDC Discovery Flow Client will request scopes and supply the correct Client Redirect URI.
     
  1. Go to:
    ID Token
  2. Add an OIDC RS256 Signature Validator plugin in the Signature Validator setting
    • Configure the OIDC RS256 Signature Validator with
    • Remote Key Location as https://www.googleapis.com/oauth2/v3/certs
    • HTTP Client reuse the HTTP Client Config plugin from Communication and Discovery
  3. Set Custom Issuer Claim to https://accounts.google.com
  4. The OIDC Discovery Flow Client will validate and interpret the ID Token returned by Google.
  1. Go to:
    Resource Mappings
  2. Create an OAuth 2.0 Remote Username Resource plugin in the ID Token Resources setting list.
    • Create an OAuth 2.0 Simple Resource Selector plugin in the Resource Selector and use sub as Key.
    • Optionally create additional OAuth 2.0 Remote Context Data Resource plugins or OAuth 2.0 Remote User Roles Resource plugins.
  3. The OIDC Discovery Flow Client will map the claims from the ID Token into the local session.

Authentication Flows

  1. Go to:
    Loginapp >> Authentication Flows
  2. Create a Target Application plugin in the Applications setting list.
  3. Create an Application ID plugin in the Application ID setting.
  4. Create an Authentication Flow plugin in the Authentication Flow setting.
  5. Create a Generic ID Propagator plugin in the Identity Propagation setting list.
  6. The target application is ready to be configured with an ID, an authentication flow, and an identity propagator.
  1. Go to:
    Application ID
  2. Choose an ID (e.g. google-app). This ID will be used for translations on the login page.
  3. The Target Application is configured with an ID.
  1. Go to:
    Authentication Flow
  2. Create an OAuth 2.0 SSO Step in the Steps setting list.
  3. Configure the OAuth 2.0 SSO Step with
    • Choose the OAuth 2.0 Provider Identifier from the previous configuration as the Provider Identifier (e.g. OAuth 2.0 Provider Identifier - google)
  4. The Authentication Flow is configured.
  1. Go to:
    Generic ID Propagator
  2. Configure a Ticket String Provider plugin in the Ticket String Provider setting and
    • Configure a User Identity Map plugin in the Value Providers setting list.
    • Configure a Ticket Key Value plugin in the Key-Value Pairs setting with the Ticket Key set to username and the Value Selector set to user-id.
    • Configure a JWT Ticket Encoder in the Ticket Encoder Setting with Username Ticket Key set to username.
  3. Configure a URL String Encoder in the Encoders setting list.
  4. Configure a Cookie Ticket Adder in the Ticket Adder setting and set the Cookie Name (e.g. AUTH_TICKET).
  5. The Identity Propagator propagates the username to the backend application in a cookie.

Loginapp REST UI

  1. Go to:
    Loginapp >> UI Settings >> Authentication UIs
  2. Create an Authentication & Authorization UI in the Flow UIs setting list.
  3. Go to:
    Authentication & Authorization UI
  4. Configure the Target Application ID by selecting the previously configured Application ID plugin.
  5. Create a Target URI Resolver in the Target URI Resolver setting with
    • Set the Default Value (e.g. /client-login/ui/app/protected/portal)
    • Configure the Allowed URIs setting list.
  6. The Loginapp REST UI is configured for the Target Application.

Login Page

This configuration is optional. It is required, if both local authentication and authentication through the Google OP should be possible. With this configuration, an additional button will be present on the regular password authentication page.

  1. Go To:
    Loginapp >> UI Settings >> Authentication UIs >> <Default Authentication Flow>
  2. Create a Password Authentication UI plugin in the Customized Step UIs settings list.
  3. Create a Step ID plugin in the Step ID setting and configure the ID (e.g. pwcheck)
  4. Create an Application ID plugin in the Additional Authentication Buttons setting list and set the Application ID as the ID (e.g. google-app)
  5. The default login page will now show a button to start the authentication via the Google OP.

Customization with Loginapp REST UI SDK

  1. Go to:
    <SDK customization directory>/src/assets/custom/i18n
  2. Add the required translations for all required languages (e.g. authentication.password.actions.target.google-app = Authenticate with Google)
  3. Build and deploy the new version of the customization zip archive.
  4. The login page of the default authentication flow will now show a button with the label Authenticate with Google