
Configuring SSO With Google Using OIDC

Overview

SugarIdentity allows single sign-on authentication using Google and OpenID Connect (OIDC) so that Sugar can be integrated with a connected system using a single user ID and password. This article walks through configuring Google to allow external authentication using OpenID Connect for instances that use SugarIdentity. Please note that only some SugarCloud instances use SugarIdentity. Refer to the SugarIdentity Guide to determine if yours is configured to do so. Existing customers will be notified before their instances begin using the service.

For more information about external authentication methods, please refer to the following pages:

Prerequisites

  • Your SugarIdentity users should be users in your organization's Google account.  
  • You must have an active Google account in order to complete the steps in this article. 
  • You must be familiar with how to set up the SSO configurations that meet your organization's needs. 
  • You must be a Sugar administrator to configure the OIDC settings in SugarIdentity via the SugarCloud Settings console.

Steps to Complete

Creating OIDC Application in Google

Use the following steps to create the OIDC application in Google to obtain the Client ID and Client Secret credentials:

  1. Navigate to the Google Developers site in your web browser.
  2. Sign in using the Google account under which you would like to register the application.
  3. Create a new project using one of the following methods:
    • Click the Create Project button, enter a project name of your choice (e.g. SugarCRM OIDC), and then click "Create".
    • If you do not see the Create Project button, then click "Select a project" in the navigation bar. Click "New Project" in the Select a project window, enter a project name of your choice (e.g. SugarCRM OIDC), and then click "Create".


  4. Next, click the Google APIs logo in the navigation bar and the APIs & Services page will open with your newly created project selected (e.g. SugarCRM OIDC). Click "Credentials" on the left tree menu.
  5. On the Credentials page, click "+ Create Credentials" and then select "OAuth client ID" for the credential type.
    Note: If this is your first API project, Google will prompt you to configure the OAuth consent screen first. Users will see this screen when your application requests access to their private data. Click on the "Configure Consent Screen" option and then proceed to step 6. 
  6. On the OAuth consent screen, select "Internal" as the user type then click "Create". On the following screen, enter the application name of your choice (e.g. SugarCRM OIDC) then click "Save". Now, click "Credentials" on the left tree menu, click "+ Create Credentials", and select "OAuth client ID".
    Note: Skip this step if you have already configured the OAuth consent screen.
  7. Select "Web application" on the Create OAuth client ID screen then enter the Authorized Redirect URIs.  
    Note: Obtain the Redirect URI value from the SugarCloud Settings console by clicking the Authentication tab, selecting "Setup OIDC support", and then selecting the "Enable OIDC Authentication" option. Copy and paste the Redirect URI value into the Authorized Redirect URIs field exactly as shown in the console; Google will reject the login if the URI it receives does not match the registered value.
  8. Click "Create" to generate your unique credentials. The Client ID and Client Secret information will display in a pop-up window. Record both of these values as they are required when configuring OIDC in SugarIdentity via the SugarCloud Settings console.

Once you have obtained the Client ID and Client Secret information, navigate back to the SugarCloud Settings console to configure the OIDC authentication and complete the fields as follows:

  • OIDC Server Authentication Endpoint: Enter https://accounts.google.com/o/oauth2/v2/auth.
  • OIDC Server Token Endpoint: Enter https://oauth2.googleapis.com/token.
  • OIDC Server Userinfo Endpoint: Enter https://openidconnect.googleapis.com/v1/userinfo.
  • Client ID: Enter the Client ID obtained in step 8 above.
  • Client Secret: Enter the Client Secret obtained in step 8 above.
  • Scopes: Remove the "address" and "phone" scopes from the field.
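To make clear what SugarIdentity does with the values entered above, the following is an added example (not SugarCRM's or Google's code) that walks through the OpenID Connect authorization code flow as a relying party would run it against the three Google endpoints listed in this article: it builds the authorization request with the trimmed scope list and a fresh state and nonce, checks the state on the redirect back, assembles the token request for the token endpoint, and validates the issuer, audience, expiry and nonce claims of the resulting ID token. The client ID, client secret, redirect URI and the ID token itself are constructed placeholders; no network call is made, and verifying the token signature against Google's published keys is a further step that a real relying party must perform.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints exactly as listed in the article.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
USERINFO_ENDPOINT = "https://openidconnect.googleapis.com/v1/userinfo"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

# Constructed placeholders; real values come from the Google console and
# the SugarCloud Settings console.
CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
REDIRECT_URI = "https://sugaridentity.example.invalid/oidc/callback"

# A scope list including the two entries the article has you remove.
DEFAULT_SCOPES = ["openid", "profile", "email", "address", "phone"]


def trim_scopes(scopes, drop=("address", "phone")):
    """Mirror the article's instruction: drop the 'address' and 'phone' scopes."""
    return [s for s in scopes if s not in drop]


def build_authorization_request(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, scopes=None):
    """Return (url, state, nonce). The state ties the callback to this browser
    session; the nonce ties the ID token to this particular request."""
    scopes = trim_scopes(DEFAULT_SCOPES if scopes is None else scopes)
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to REDIRECT_URI,
    rejecting a response whose state does not match the one we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    return qs["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri=REDIRECT_URI):
    """Form body POSTed to TOKEN_ENDPOINT. redirect_uri must equal the value
    registered in Google, which is why the article has you copy it verbatim."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_id_token_claims(id_token, client_id, expected_nonce, now=None):
    """Validate iss, aud, exp and nonce in the ID token payload and return the
    claims. Signature verification against Google's JWKS is a separate,
    mandatory step not shown here."""
    now = time.time() if now is None else now
    _header, payload_b64, _sig = id_token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this request")
    return claims


def make_constructed_id_token(claims):
    """Constructed, unsigned token used only so the demo can run offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.constructed-signature"


if __name__ == "__main__":
    url, state, nonce = build_authorization_request()
    print("browser is sent to:", url)
    # Constructed callback standing in for Google's redirect back to Sugar.
    code = parse_callback(f"{REDIRECT_URI}?state={state}&code=constructed-code", state)
    print("token request:", token_request_body(code, CLIENT_ID, "CLIENT-SECRET-PLACEHOLDER"))
    token = make_constructed_id_token({"iss": "https://accounts.google.com", "aud": CLIENT_ID,
                                       "sub": "1", "email": "user@example.invalid",
                                       "exp": int(time.time()) + 300, "nonce": nonce})
    print("login accepted for:", check_id_token_claims(token, CLIENT_ID, nonce)["email"])
```

The state check in `parse_callback` and the nonce check in `check_id_token_claims` are what stop a captured or forged redirect from logging a different user in; the exact-match redirect URI and the audience check are the reason the console asks for the Redirect URI and Client ID to be copied rather than typed.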

Application

Once you have configured Google and completed the OIDC configuration in SugarIdentity via the SugarCloud Settings console, any user who is provisioned in SugarIdentity and navigates to Sugar will be redirected to Google's login page to enter their login credentials. Once Google has authenticated the user's credentials, they will be directed back to their Sugar instance and automatically logged in. Please note that all of the organization's users in Google will be assigned to the SugarCRM OIDC application by default once it has been created for SugarIdentity. For best practices on creating users in SugarIdentity, please refer to the SugarIdentity Guide.

Last modified: 2022-05-16 21:12:24