Help

Page tree

Google OAuth 2.0 and OIDC SSO

Agiloft supports single sign-on (SSO) with Google OAuth 2.0 and OpenID Connect (OIDC) for authentication and identification. This article guides you through the steps to create a Google OAuth client for Agiloft and then configure your KB to route SSO logins to Google as the identity provider (IdP). It also includes instructions on how to log in with SSO after the integration and make sure other users log in with SSO as well.

Prerequisites

  • To complete the setup, you need admin access to the Google Cloud Console with permission to configure new applications.
  • Unlike SAML 2.0 SSO, where user records don't need to pre-exist in Agiloft because authenticated SSO logins can trigger automatic record creation, users can't log in with OAuth 2.0 SSO unless they already have a user record in Agiloft. Make sure each user who will use SSO has a user record in Agiloft. In addition, make sure the data in the record meets at least one of the following conditions. These conditions are used to match users for identification in Google:
    • The user's Email address in Agiloft matches their Gmail address.
    • The user's Login in Agiloft matches their Google login.

Set Up SSO in Google

Follow the steps below to create a project in Google and add Agiloft as an OAuth web client.

If the options you see in the console or your practices for adding OAuth 2.0 clients differ from those described here, refer to Google's documentation on OpenID Connect to complete the task.
  1. Log into the Google Cloud Platform Console as an administrator and go to APIs & Services.
  2. Create a new project:
    1. At the top of the screen, click the current project name to open the Select a resource dialog box.
    2. In the dialog box, click New project.
    3. Enter a project name, such as Agiloft SSO, and change the Organization and Location if needed.
    4. Click Create. After the project is created, make sure it's selected at the top of the screen.
  3. Next, create the consent screen for the new project. For information on consent screens, refer to Google's documentation on setting up consent screens.
    1. In the left sidebar, click OAuth consent screen, then click Get Started to configure the project.
    2. Under App information, enter the name of the application, such as Agiloft.
    3. In User support email, select the email address where users can get support, then click Next.
    4. Under Audience, select Internal to limit access to the app to users within your organization, then click Next.
    5. Under Contact information, enter the email address where Google should send project notifications, then click Next.
    6. Agree to the Google API Services User Data policy and click Continue.
    7. Click Create. The OAuth Overview is displayed.
  4. Next, click Branding in the sidebar. For information on branding, refer to Google's documentation on managing OAuth app branding. 
    1. For the App domain settings, you can enter the following URLs for Agiloft's home page, privacy policy, and terms of service:
    2. For Authorized Domains, add each applicable domain:
      • Add your company domain.
      • If your KB is in the Agiloft domain or you included Agiloft URLs in App domains, add agiloft.com.
      • If the domain for your KB is not agiloft.com or your company's domain, also add the KB domain.
    3. Click Save to save the changes.
  5. Next, create the Agiloft web client:
    1. Click Clients in the sidebar, then click Create Client at the top of the screen.
    2. For Application type, select Web application.
    3. Enter a Name for the client, such as Agiloft SSO Client.
    4. Leave Authorized JavaScript origins blank.
    5. Under Authorized redirect URIs, click Add URI and enter the following URI: https://DOMAIN_NAME/ui/oauth20sso. Replace DOMAIN_NAME with the domain for your KB. For example: https://example.agiloft.com/ui/oauth20sso. Copy this URI to a note to use later in the setup.
    6. Click Create.
    7. Once the client is created, copy the Client ID to your note. In addition, view the client details and copy the Client secret value to the note.
  6. Complete any other optional client configuration as needed. Agiloft client does not require specific Data Access scopes.

Now that the application is configured in Google, you can set up SSO in Agiloft.

Set Up SSO in Agiloft

Follow the steps below to set up SSO in Agiloft.

  1. Go to Setup > Access > Configure OAuth 2.0 Profiles and click New to add a profile.
  2. Leave the "Use full OAuth account name as a KB login name / email" checkbox selected.
  3. Enter a name for the OAuth 2.0 provider, such as Google.
  4. For the role of this OAuth 2.0 Provider, select OAuth20_SSO.
  5. Complete the remaining fields:
    1. Redirect URI: Overwrite the default value with the Authorized redirect URI you noted when you set up Google.
    2. Client ID / Application ID / Consumer Key: The Client ID from your note.
    3. Client / Consumer Secret: The Client secret from your note.
    4. Authentication URI: Enter Google's authentication endpoint: https://accounts.google.com/o/oauth2/auth
    5. Token URI: Enter Google's token endpoint: https://accounts.google.com/o/oauth2/token
  6. Click Finish to save the profile.

Agiloft is now configured to allow SSO with Google OAuth 2.0 and OIDC. Proceed to Log in with SSO for details on how to log in.

Log in with SSO

Once the integration is complete, users can access Agiloft with OAuth 2.0 SSO. Follow the steps below to create the OAuth SSO login URL and share it with your users.

  1. Create a URL in the following form:

    https://DOMAIN_NAME/ui/oauth20sso?project=KB+NAME

  2. In the URL, replace DOMAIN_NAME and KB+NAME with the values for your system. Use a plus sign (+) in place of any spaces in the KB name. For example:

    https://example.agiloft.com/ui/oauth20sso?project=Example+KB+Name

  3. Go to the new URL in a browser. If you are already authenticated with the IdP, you're forwarded directly to the Agiloft user interface. If you're not logged in to the IdP, you're forwarded to the IdP login page.
  4. Depending on how you want users to access Agiloft, you can choose one or more of the following options:
    • Send the URL to all users who should log in via SP-initiated OAuth SSO and ask them to bookmark it or add it to their favorites.
    • Add the URL to an existing webpage if you use a custom login method. Then direct users to that page.
    • Set up IdP-initiated SSO and send users to the IdP to access the Agiloft application. Refer to the documentation for your IdP to set up IdP-initiated SSO.
  5. For logins from Agiloft Contract Assistant applications, tell users to click Login via OAuth.

    Agiloft Contract Assistant Login screen

  6. If you manually created other hyperlinks for use in the system, you need to update those links to accommodate both SSO logins and standard login users. This step is only necessary for links you manually created. For information, see Hyperlink Syntax and Examples.

    For system-generated email hotlinks, you don't have to make any changes to accommodate SSO and non-SSO users. Based on a user's login method, Agiloft manages which hotlink URL they receive in email. Each time a user logs in, the system sets a hidden SSO Authentication Method field in the user's record. If a user logs in with a standard username and password, the value is STANDARD. If a user logs in with OAuth 2.0 SSO, the value is OAUTH20. This value determines whether email hotlinks go to login.jsp or oauth20sso. Don't edit a user's SSO Authentication Method because you might prevent them from accessing the system.

  7. Finally, to make sure users can't circumvent SSO and log in to Agiloft directly, follow the instructions in Force SSO Login below.

Force SSO Login

To force users to log in with SSO, you can prevent them from accessing Agiloft with their username and password. Follow the steps below to make the Password field optional in the Employees table and then remove passwords for employees who should log in with SSO.

  1. First, make the Password field optional in the Employees table:
    1. Go to Setup Employees and go to the Fields tab.
    2. Edit the Password field and go to the Options tab.
    3. Find the Make this a required field setting and change the value from Yes to No.
    4. Click Finish to save the change.
  2. Next, for employees who should always use SSO to log in, reset their passwords to a null value:
    1. Go to the Employees table and select each user who should use SSO from this point on.
      Don't select every user in your system. It's best to leave at least one administrator unchanged, if not the whole admin team, in case you encounter SSO issues in the future that prevent users from logging in with SSO.
    2. Click Edit Fields in the action bar.
    3. Select Password, then click Next.
    4. On the Update tab, select A formula.
    5. In the Password field, enter the variable $global.null and click Next.
    6. On the Confirm tab, clear the Run rules and Update defaults checkboxes, then click Finish.

Now, users whose passwords were reset can only log in with SSO.

If you also allow some external users to log in with SSO, repeat the process for the External Users table.