Google Auth Module
This authentication module lets users log in to Hub with the email addresses and passwords they manage in Google.
When you enable Google authentication in Hub:
Your users log in to Hub with the credentials they use for their Google accounts.
Your Hub users have fewer accounts and passwords to remember.
New users with Google accounts can create their own accounts in Hub.
When a user created manually in Hub logs on with Google for the first time, Hub ties the Google user to the existing Hub user if a matching email address or username is found. If no match is found, a new account for the Google user is created in Hub.
To allow users with existing Google accounts to log in to Hub, enable the Google authentication module.
This procedure takes place in three steps:
Generate a Redirect URI in Hub. When you create an authentication module for Google, Hub generates a redirect URI to use with this service. This URI identifies the source of each login request to Google.
Generate a Client ID and Secret in the Google Cloud Platform. Every login request sent from Hub to Google includes a unique identifier. The ID and secret you store in the authentication module tell Google that each login request is authorized.
Enable the Auth Module in Hub. When you have generated the information Hub uses to authenticate with Google, copy the values into Hub and enable the module.
In this procedure, you generate values in both Hub and the Google Cloud Platform.
The heading for each step tells you which application menu to follow.
To get started, open Hub and create an authentication module for Google accounts. When you create the authentication module, Hub generates a redirect URI to use with the authorization service.
Requires permissions: Low-level Admin Write
In the Access Management section of the Administration menu, select Auth Modules.
Click the New module button.
In the Select an identity provider dialog, select Google.
The Auth Modules page displays the settings for a new Google authentication module.
Hub generates a redirect URI for you to use in Google.
Copy the redirect URI as instructed on the page.
Click the link to access the Google Cloud Platform.
This setup requires that you copy values from the Google Cloud Platform into input fields on this page in Hub.
To simplify setup, open this link in a new browser tab or window.
Make sure to update the redirect URI in the authorization service whenever you change the base URL of your Hub instance, for example, after changing proxy settings.
Open the Google Cloud Platform and log in with your Google account.
Select or create a project.
OAuth Consent: Before you can generate an OAuth client ID, you are required to configure the OAuth consent screen and app registration for your project. To configure these settings, select APIs & Services > OAuth consent screen from the left navigation menu.
When done, continue from the next step.
From the Navigation menu, select APIs & Services > Credentials.
From the Create credentials menu, select OAuth client ID.
The Create OAuth client ID page opens.
For the Application type, select Web application.
Additional input fields for defining the client ID are shown.
In the Authorized redirect URIs field, paste the redirect URI you copied from the Auth Module page in Hub.
Click the Create button.
Google generates the credentials you need to set up the Hub module and displays them in a pop-up window.
Copy the client ID from Google and paste it into the Client ID input field in Hub.
Copy the client secret from Google and paste it into the Client Secret input field in Hub.
Configure the optional settings for the authentication module. For more information, see the Optional Settings section.
Click the Enable module button.
The Google authentication module is enabled.
The icon stored in the Button Image setting is added to the login dialog window. Users can click this icon to authenticate with their Google accounts.
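A check for the redirect URI mismatch that this procedure can leave behind after a base URL change, as an added example that is not part of the Hub documentation: it compares the redirect URI shown in Hub with the authorized redirect URIs in the client JSON that the Google Cloud Platform offers for download. The host names, callback path and credential values are constructed placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of the client JSON Google offers for a
# "Web application" OAuth client. Every value is a placeholder. The real file
# contains the client secret, so treat it like a password.
CLIENT_JSON = """
{"web": {"client_id": "PLACEHOLDER.apps.googleusercontent.com",
         "client_secret": "PLACEHOLDER",
         "redirect_uris": ["https://hub-old.example.com/hub/PLACEHOLDER-CALLBACK"]}}
"""


def diff_uri(expected, registered):
    """Name the URI components in which two redirect URIs differ."""
    a, b = urlsplit(expected), urlsplit(registered)
    parts = ("scheme", "netloc", "path", "query")
    return [p for p in parts if getattr(a, p) != getattr(b, p)]


def check_redirect_uri(hub_redirect_uri, client_json):
    """Return (ok, findings).

    Google compares the redirect URI in a login request with the authorized
    redirect URIs as exact strings, so anything short of an identical entry
    (other host, http instead of https, trailing slash) is a mismatch.
    """
    registered = json.loads(client_json).get("web", {}).get("redirect_uris", [])
    if hub_redirect_uri in registered:
        return True, []
    if not registered:
        return False, ["no authorized redirect URIs are registered"]
    findings = []
    for uri in registered:
        changed = ", ".join(diff_uri(hub_redirect_uri, uri)) or "exact spelling"
        findings.append(f"{uri}: differs in {changed}")
    return False, findings


if __name__ == "__main__":
    # Constructed value standing in for the URI copied from the Auth Modules page.
    current = "https://hub.example.com/hub/PLACEHOLDER-CALLBACK"
    ok, findings = check_redirect_uri(current, CLIENT_JSON)
    print("match" if ok else "MISMATCH")
    for line in findings:
        print(" -", line)
```
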
Field | Description |
Type | Displays the name of the application or service that is enabled for third-party authentication in Hub. |
Name | Stores the name of the authentication module. Use this setting to distinguish this module from other authentication modules in the Auth Modules list. The name is also shown in the tooltip for the third-party service icon on the login form. |
Button Image | Displays the image used for the button that a user clicks to log in to Hub with a Google account. |
Authorized redirect URI | Displays the redirect URI used to register the connection to Hub in Google. |
Server URL | Displays the URL of the server to which Hub sends a login request when a user logs in with a Google account. The information displayed below this field helps you configure the authentication module. |
Client ID | Stores the identifier Google uses to validate a login request. You generate this value in the Google Cloud Platform when you configure the authorization settings for a web application and enter an authorized redirect URI. |
Client Secret | Stores the secret or password used to validate the client ID. You generate this value in the Google Cloud Platform together with the client ID. |
The following options are located at the bottom of the page. Use these settings to manage Hub account creation and group membership and to reduce the loss of processing resources consumed by idle connections.
Option | Description |
User creation | Enables creation of Hub accounts for unregistered users who log in with an account that is stored in the connected authorization service. Hub uses the email address to determine whether the user has an existing account. |
Restricted domains and emails | Restricts the creation of user accounts to users with email addresses from the specified domains or specific email addresses. To specify multiple domains or email addresses, enter each value on a new line. Hub recognizes domains with or without the This option is only available when you enable the User creation option. If a user attempts to log in with a Google account that does not match the specified domain, then:
Auto-join groups | Adds users to a group when they log in with an account that is stored in the connected authorization service. You can select one or more groups. New users that auto-join a group inherit all the permissions assigned to this group. We recommend that you add users to at least one group. Otherwise, a new user is only granted the permissions that are currently assigned to the All Users group. |
Connection timeout | Sets the period of time to wait to establish a connection to the authorization service. The default setting is 5000 milliseconds (5 seconds). |
Read timeout | Sets the period of time to wait to read and retrieve user profile data from the authorization service. The default setting is 5000 milliseconds (5 seconds). |
Audit | Links to the Audit Events page in Hub. There, you can view a list of changes that were applied to this authentication module. |
The following actions are available in the header:
Action | Description |
Set default | Designates the authentication module as the default for your installation. Only one authentication module can be set as the default at any time. If another module is currently set as the default, that state is cleared. This option is only shown when the current authentication module is not designated as the default. |
Clear default | Removes the authentication module as the default for your installation. If none of the available authentication modules are designated as the default, unauthenticated users are always directed to the Hub login page. This option is only shown when the current authentication module is designated as the default. |
Disable module | Disables the authentication module. This option is only shown when the authentication module is currently enabled. |
Enable module | Enables the authentication module. This option is only shown when the authentication module is currently disabled. |
Delete module | Removes the authentication module from Hub. Use only when you have configured additional authentication modules that let users log into your Hub installation. |