Google SSO

4WS.Platform CE/EE are able to make use of Google+ SSO. User flow The Google SSO is provided through the G+ application platform, currently suggested as preferred way by Google. Two steps are involved:

• authentication

• single sign on process

If the user is not logged in with a Google account, the 4WS.Platform login page shows (if enabled) the G+ login button.

Pressing the red buttong, a pop-up shows asking for Google credentials:

Once the correct credential are specified, pressing the "Sign in" button, a form appears asking the user for permission to access some profile data. To proceed, accept and give permissions (this option will be stored in the user’s account profile for future logins). After this step, Google services notify 4WS.Platform that the authentication process is passed. Now 4WS.Platform verifies if the user is present in the internal directory and loads all the associated permissions, as in the built-in login process. If the user is already logged in Google (for example in GMail), the Google login process is skipped, and the user is redirected to the 4ws.Platform menù or application with no additional steps. The user can log out from 4WS.Platform without logging out from the Google account. On the next login attempt, the credentials are requested again. Configuration To enable the Google SSO, in the web.xml enable the portal mode setting the following init param:

<init-param>
  <param-name>portalLogin</param-name>
  <param-value>true</param-value>
</init-param>

This configuration is no more required: the Google SSO login works also in non-portal mode. Then, the following parameters must be specified:

• AUTH_BOXES must contain the value AUTH_BOX_GOOGLE

• SSO_MANAGER_CLASS must be equal to org.warp4ws.common.web.SSOGoogleServer to specify we want to use Google SSO.

Next step is to create a Google API Project (or use the same project if 4WS.Platform is installed on Google Cloud Platform), and a "Client ID for Web Applications", under the "Credential" section. You must specify the exact URLs for origin and callback, in the form of

<YOUR_APP_URL>, for example http://platform.mydomain.com, for origin <YOUR_APP_URL>/oauth2callback, for callback

Having the generated client secret and client id, you must specify this values in 4WS.Platform:

• AUTH_GOOGLE_CLIENT_ID: Google client Id, like NNNNNNNNNN.apps.googleusercontent.com

• AUTH_GOOGLE_CLIENT_SECRET: the secret

• AUTH_GOOGLE_USER_FORM: (opt) this parameter specifies how to extraxt the 4ws.Platform user id from the Google mail of the user. For example {u}@mydomain.com (in this case the user id in 4WS.Platform must be equal to the part of the Google email before the domain), or simply {u} (in this case the user id in 4WS.Platform must be equal to the full Google email), which is the default value.

• AUTH_GOOGLE_USER_SCOPES : (opt) blank space separated list of scopes that the application needs to ask to the user to run correctly. See the complete list at https://developers.google.com/identity/protocols/googlescopes. This enables the client side authorization process that lets the application manage user’s data, not the Google Apps Domain.

Once the parameters are correctly specified and if the user name is in the 4WS.Platform internal DB, the SSO will work.