Logging in to Google using the Identity Server

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

This topic provides instructions on how to log into Google using your WSO2 Identity Server credentials. In this tutorial, Google acts as the service provider and WSO2 Identity Server acts as the identity provider.

Let's get started!

Before you begin!

You need to have a Google domain. Refer to Google's documentation for more information on creating the domain.

Configuring Google

  1. Go to your domain's admin console via https://admin.google.com.

  2. Click Security.

  3. Click Set up single sign-on (SSO) and select Setup SSO with third party identity provider.

  4. Enter the following URLs to your third-party Identity Provider (IdP).

    • Sign-in page URL: https://<SERVER_HOSTNAME>:9443/samlsso

    • Sign-out page URL: https://<SERVER_HOSTNAME>:9443/samlsso

  5. Upload the Identity Server certificate:
    This certificate must contain the public key that Google uses to verify the SAML responses signed by WSO2 IS. The steps below export the certificate from the default wso2carbon keystore; in a production deployment, export the certificate from the keystore you have configured for the server rather than the default one.

    1. Navigate to the <IS_HOME>/repository/resources/security directory via the terminal.

    2. Run the command given below to export the public certificate from the keystore to a .pem file. The -rfc flag writes the certificate in Base64 (PEM) encoding; without it, keytool writes binary DER.

      keytool -export -rfc -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file mycert.pem
    3. Click Replace certificate and upload the .pem file you just generated.

Configuring WSO2 IS to use the email as the username

When you log in to Google, you normally use an email address. Therefore, to integrate this with the Identity Server, you need to configure WSO2 IS to enable users to log in using their email addresses. In order to do that, follow the steps given below.

  1. Download the WSO2 Identity Server.

  2. Follow the steps found in the Using Email Address as the Username topic.

  3. Restart the Identity Server. Since the username and password of the admin user were updated, start the WSO2 IS server from the <IS_HOME>/bin directory using the -Dsetup parameter as shown in the command below.

    sh wso2server.sh -Dsetup

Now that you are done with configuring WSO2 Identity Server to use the email address, configure the service provider.

Configuring the Service Provider

  1. Enter your username and password to log on to the Management Console.

  2. Navigate to the Main menu and click Add under Service Providers.

  3. Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field and you can use Google-SP as the name for this example.

  4. Click Register.

  5. Expand the Inbound Authentication Configuration and the SAML2 Web SSO Configuration, and click Configure.

  6. In the form that appears, fill out the configuration details required for single sign-on. For more details about the attributes in this configuration, refer to the SAML2 Web SSO Configuration topic.
    See the following table for details.

  7. Click Register to save your configurations.
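The fields in the service provider entry that most often break this integration are the Issuer and the Assertion Consumer URL, which must match what Google actually sends. The Python script below is an added troubleshooting aid and is not part of the WSO2 documentation or the product: it decodes the SAMLRequest parameter Google sends to the /samlsso endpoint (Base64 over raw DEFLATE for the HTTP-Redirect binding, plain Base64 for HTTP-POST) and prints the Issuer, AssertionConsumerServiceURL, Destination and NameID format so they can be compared with the SP entry and with the Sign-in page URL registered in the Google admin console. The embedded AuthnRequest is constructed for the example; example.com, idp.example.com and the request ID are placeholders, and the Issuer value shown is only what the sample contains, not a statement of what Google sends for your domain.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest in the shape an SP sends to the IdP.
# example.com (the Google domain) and idp.example.com (WSO2 IS) are placeholders.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-sample-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs"
    Destination="https://idp.example.com:9443/samlsso">
  <saml:Issuer>google.com/a/example.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(param: str) -> str:
    """Decode a SAMLRequest value from either the Redirect or the POST binding."""
    raw = base64.b64decode(unquote(param))
    try:
        return zlib.decompress(raw, -15).decode("utf-8")  # HTTP-Redirect: deflated
    except zlib.error:
        return raw.decode("utf-8")  # HTTP-POST: Base64 only


def summarize(xml_text: str) -> dict:
    """Pull out the fields that must agree with the WSO2 IS service provider entry."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a SAML AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "nameid_format": policy.get("Format") if policy is not None else None,
    }


def check_request(summary: dict, idp_sso_url: str) -> list:
    """Return human-readable problems; an empty list means the request is consistent."""
    problems = []
    if summary["destination"] != idp_sso_url:
        problems.append(f"Destination {summary['destination']!r} is not this IdP's {idp_sso_url!r}; "
                        "check the Sign-in page URL in the Google admin console")
    acs = urlparse(summary["acs_url"] or "")
    host = acs.hostname or ""
    if acs.scheme != "https" or not (host == "google.com" or host.endswith(".google.com")):
        problems.append(f"ACS URL {summary['acs_url']!r} is not an https google.com endpoint; "
                        "do not register it as the Assertion Consumer URL")
    if summary["nameid_format"] and not summary["nameid_format"].endswith(":emailAddress"):
        problems.append("NameID format is not emailAddress; Google matches users by e-mail, "
                        "so WSO2 IS must be set up to use the e-mail address as the username")
    return problems


if __name__ == "__main__":
    # Stand-alone run: round-trip the constructed request and report what the SP entry must match.
    request_param = encode_redirect(SAMPLE_AUTHN_REQUEST)
    summary = summarize(decode_saml_request(request_param))
    for key, value in summary.items():
        print(f"{key:14} {value}")
    for problem in check_request(summary, "https://idp.example.com:9443/samlsso"):
        print("WARN:", problem)
```

To use it against a real flow, copy the SAMLRequest query parameter from the redirect to https://<SERVER_HOSTNAME>:9443/samlsso (browser developer tools or the WSO2 IS access log) and pass it to decode_saml_request; the Issuer and ACS URL it prints are the values the service provider entry must carry, and a Destination mismatch points at the Sign-in page URL configured in Google.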

Try it out

Now, you have successfully configured Google and WSO2 Identity Server. Let's look at how you can try it out:

Admin users of your Google domain are not redirected to WSO2 IS; Google always authenticates them with their Google credentials. Therefore, to try out the tutorial you need to sign in as a user who is not an admin in your Google domain.

  1. Create a user in WSO2 Identity Server. Make sure that the same user exists in your Google domain.
    Example: In this example, alex@wso2support.com is in the Google domain that is used for this tutorial. Therefore, we create the same user in WSO2 Identity Server.

    1. On the Main tab in the Management Console, click Add under Users and Roles.

    2. Click Users. This link is only visible to users with the Admin role. 

    3. Click Add New User.

    4. Enter the user name (the email address, for example alex@wso2support.com) and a password, and click Next >.

    5. Optionally, select the role(s) you want this user to have. If you have many roles in your system, you can search for them by name.

    6. Click Finish.

  2. Navigate to https://google.com/a/<domain>/acs and enter the email address (username) of the user you created.
    You are redirected to the WSO2 Identity Server sign-in screen.

  3. Enter the username and password of the user you created.
    You are redirected to the G Suite landing page of that domain, from which you can select the application you need to use.

If you want to access only Gmail, navigate to mail.google.com and enter the username of the user. Enter the username and password of the user on the WSO2 Identity Server sign-in screen, and you are taken to the user's mail account.