How to set up Gmail account SSO for OAuth2

The administration platform allows you to use the Google account for OAuth2 authentication. The corresponding procedure is detailed in this document.

Prerequisites

First step: Create a client ID

This operation is performed by the Gmail user who will administer the authentication service, from the Google page: https://console.developers.google.com. If you do not want to use your own account, you can create an administrative user in a preliminary step.

You have to authenticate with the corresponding Google account, and then you can create a project. In the example below, the project name is SageERPX3.

In this project, you must create credentials in the APIs & auth section of the list on the left.
Selecting the Create a new Client ID option opens a page where you must define the following:

  • The application type should be a web application.
  • The origin URL that is called. In the example above, it is:
    https://www.my_server.com

    It can be a URL using http or https protocol, depending on the web server setup.
  • The redirect URL. It starts with the origin URL, followed by:
    /auth/oauth2/NAME/redirect

    where NAME is the name of the service chosen in the prerequisites above (here MyOauth2). Do not use the path proposed by default:
    /oauth2/callback
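
The redirect URL rule above can be checked before the values are entered in the Google console. The following is an added example, not part of the Sage documentation or product code: the function names are hypothetical and the sample values are the ones used on this page. It assumes the redirect URL must match the expected value exactly.

```python
from urllib.parse import urlsplit

REDIRECT_TEMPLATE = "/auth/oauth2/{name}/redirect"  # path given on this page
DEFAULT_PATH = "/oauth2/callback"                   # default the page says not to use


def expected_redirect(origin, service_name):
    """Build the redirect URL: the origin followed by /auth/oauth2/NAME/redirect."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("origin must be an http(s) URL: %r" % origin)
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("origin must not carry a path, query or fragment: %r" % origin)
    path = REDIRECT_TEMPLATE.format(name=service_name)
    return "%s://%s%s" % (parts.scheme, parts.netloc, path)


def check_client_id_urls(origin, redirect, service_name):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    want = expected_redirect(origin, service_name)
    if urlsplit(redirect).path == DEFAULT_PATH:
        findings.append("redirect URL still uses the default /oauth2/callback path")
    elif redirect != want:
        # Covers a wrong host, a wrong scheme, or a service name that differs in case.
        findings.append("redirect URL is %r, expected %r" % (redirect, want))
    if urlsplit(origin).scheme == "http":
        findings.append("origin uses http: the redirect back to the server is not protected by TLS")
    return findings


if __name__ == "__main__":
    # Sample values taken from this page's example (service name MyOauth2).
    origin = "https://www.my_server.com"
    for candidate in (
        "https://www.my_server.com/auth/oauth2/MyOauth2/redirect",
        "https://www.my_server.com/oauth2/callback",
        "https://www.my_server.com/auth/oauth2/myoauth2/redirect",
    ):
        print(candidate, "->", check_client_id_urls(origin, candidate, "MyOauth2") or "OK")
```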

When you click Create Client ID, the page appears as follows:

It includes:
* A client ID
* A client secret
* The previously entered URL

This page defines the authentication service that will be used by the update 9 web server.

When you connect as my_admin_account@gmail.com on the following URL: https://security.google.com/settings/security/permissions, you will find the access right for this user to the basic account information as shown in the following screen:

Second step: Create an Oauth2 setup for the update 9 web server

This step is done by using the Oauth2 service definition. A dedicated record must be created with the following information as defined in the screen above:

Third step: Link your users to their Google account

For every user who needs to connect to Sage X3 People, you have to:
* Assign Oauth2 as the authentication method.
* Select the right Oauth2 service that has been defined.
* Set the Gmail address used for authentication in the Email field.

If you return to the Oauth2 setup definition, you will notice that the users using this authentication method are now listed.

How does the user connect?

The login screen contains buttons for different authentication methods. The user must click on the button which shows the name of the service (as defined in the prerequisites above) IN CAPITAL LETTERS. There may be several buttons below the headline "External Accounts". Example:

A direct link can also be typed and set in your browser favorites:
http://www.my_server.com/auth/oauth2/MyOauth2/loginStart

When this is done, you are redirected to the Google site to authenticate on your Google account if this has not already been done. Any email address for a user defined as using this authentication mode will be accepted if the password is correct. The page appears as follows:

The first time you log in with Google, Google asks whether the Sage X3 People application may get access to the email address of that Google account. If you answer yes, you are able to log in. The Sage X3 People application will then be listed in the settings of that Google account, and this question will not be asked again unless you decide to revoke the access. The screen of a normal user having access to several applications looks like this one:

Note that you need to log in with Google only once until you log out of Google or delete the browser cookies. Therefore, the Google login screen may not appear next time.