Authenticate users using Google

Modified on Mon, 29 Mar, 2021 at 11:55 AM

Introduction


You can use Google to provide identity and access management to secure supported applications like Omniscope.


Google supports single-sign on, which allows you to avoid having to configure separate login credentials for users inside each application. Instead you can redirect to Google to provide user authentication and identification.


This is not intended to be an in-depth discussion of authentication. Instead it provides a step-by-step guide to manage user authentication using OpenID Connect within Omniscope.


Before deploying any access management tool on your production server you should ensure you are familiar with the technologies involved, and have studied the providers documentation carefully.


Google Setup


Prerequisites


If you don't have one already, create a Google account.


Configure your app


Open the Google API Console by navigating to https://console.developers.google.com/.


Once inside the console navigate to: APIs and Services > OAuth consent screen.


If you don't have one already, you should create a new Application. If you already have an application click Edit and step through the settings to ensure your application is configured to use OpenID Connect.


Give your application a name and enter a user support email.  


 

Click SAVE AND CONTINUE.


Next we need to configure the application scopes. Scopes are used to specify the permissions that you request users to authorise for your application.



Ensure the following scopes are selected: 


  • openid
  • ../auth/userinfo.profile
  • ../auth/userinfo.email


If any of these scopes are missing click ADD OR REMOVE SCOPES. When you're finished, click SAVE AND CONTINUE.


Review and edit the optional info if required.



Click SAVE AND CONTINUE.


The Summary screen will give you a chance to review all your application information. Ensure the settings you have made are correct.



Click SAVE AND CONTINUE to finish setup.  

Configure credentials


In the API Console, navigate to APIs & Services > Credentials.

Click CREATE CREDENTIALS > OAuth client ID.

Select Web application in the Application type dropdown.

Enter a valid name.

Add an Authorised redirect URI: http://localhost/oidc-cb.

In case you intend to run Omniscope server on a port different from port 80 used in this example you need to use the same port number here, e.g. use http://localhost:8181/oidc-cb for port 8181.



Once you click create you should now see a popup window with your Client ID and Client Secret. Make a note of these, as you'll need them later on.



Omniscope setup

Prerequisites

We will be setting up Omniscope to authenticate users using Google/OpenID connect.


Make sure Omniscope is installed on your local computer.


Make sure that you have the right HTTP port configured. 

It must be the same port you used for http://localhost/oidc-cb url above.



Please note that you are always logged in as an admin/root user when you open locally installed Omniscope server in the browser by http://127.0.0.1:24679/ url or open Omniscope window from the system tray icon.


Use http://localhost (with the right port number configured above if it is different) if you need to log in as a different user.

 


Setup the Google Provider


Start Omniscope. Click on the admin user button in the top-right corner and click Edit permissions.



Inside the Edit permissions dialog:


Scroll down to the OpenID Connect section and tick Set configuration for OpenID connect.

Click Add Provider. In the dropdown select Google.


You should see the Google provider has now been added, but is not yet configured.



Select Google to open the Google configuration dialog.


Now enter the Client ID and Client secret you made a note of earlier. 


For more details regarding other options in the dialog see here.


Click Test Connection to ensure Google has been successfully configured. You should see a popup informing you that validation was successful.



Click Back then Save.


Create a group


Create a Group


We now need to create a group of users that we allow access to Omniscope. These users will be authenticated using Google.


Click on the admin user button in the top-right corner and select Edit permissions. In the Edit permissions dialog:


Scroll down to the Groups section and click Add Group.


Click on the Group name. In the Group permissions dialog:


Click Configure permissions and select the permissions for our users. In this example I am selecting Yes to all, but feel free to configure whichever permissions are required.

Click Add authentication mechanism and select OpenID Connect.



Now click OpenID Connect to configure our users. In the dialog:


Tick Restrict by email address.

Click the + button and add the email address of the user we want to provide access to. 



Click Back, Back then Save.



Configure anonymous permissions


You will also need to restrict access to your Omniscope server for users that are not logged in. 

You can do it by opening Configure Anonymous Permissions on Edit Permissions dialog.

If you want to restrict any anonymous access to your files then click No To All then close the drop-down and click Save.




Testing authentication


We have now configured Google as our OpenID authentication provider in Omniscope. The next step is to test and verify that the authentication process works as expected.


Before we can do this we must ensure that Omniscope is running as an external web server:


Open the admin page and click Network.

Tick Run external web server


Click Save Changes, then shutdown and restart Omniscoipe.


Now open a new Browser and navigate to the external webserver address (if you have set this up locally use http://localhost). You should see a login button in the top-right.



Click Login then click Continue with Google



Omniscope will redirect your authentication request to the Google server. You should now see a Log In window.



Login with your Google account and click OK. You should now be redirected back to Omniscope.


You have now logged in and are free to use Omniscope based on the permissions configured earlier. If you click on the user button in the top right corner you should see the users email address.



Please let us know if you have any questions or feedback.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article