Use Google as SSO Provider
Important: When using SSO, you need to create a user account in ClickHelp for each SSO user that authenticates with a 3rd-party service. This is required so that ClickHelp can apply specific permissions to the authenticated user; those permissions are configured in the ClickHelp user profile. You can use the ClickHelp REST API to bulk-create users or to create a new ClickHelp user every time a new application user is created on your end.
You can log in to ClickHelp using Google as the OpenID Connect provider. Further on, you will find the steps to set up a Google Web Application and configure your ClickHelp portal to use this OpenID Connect provider.
Setting up a Google Web Application
To set up the Google Web Application, first of all, you need to register your ClickHelp portal as a web application in the Google Developer Console. Then, when you open the console for the first time, it asks you to create a new project.
- Specify a name for a new project and click Create:
- Once the new project is created, open the APIs & Services screen and click Credentials to continue setting things up.
- On the Credentials screen, click the Create credentials button and select the OAuth client ID option.
- The next step is setting up the consent screen, which controls what the Google login screen shows when logging into the project you just created. This step is optional if you have already set up the consent screen. Click the Configure consent screen button:
- Select the User Type that suits you:
- Specify the application name, responsible person email address, the list of authorized domains, and some other optional parameters if needed.
- The authorized domain is required and should be clickhelp.co. If you set up a custom domain for your portal, you may need to add this domain to the list as well.
- In the next step, you may add or remove scopes. First, ensure that the Scopes for Google APIs list contains the email and openid scopes.
- You can generate the Client ID and Client Secret for the application when the consent screen is set. To do this, specify the application type as a Web application, type the internal application name, and specify the application authorized redirect URL. It must be this (a slash at the end is required): https://<YOUR_PORTAL_NAME>.clickhelp.co/oauth2/
- Google will generate the Client ID and Secret values for you:
- To proceed to the ClickHelp settings, we need to get the authentication and token URLs from Google. You can skip this step if you are setting up the predefined Google provider in ClickHelp. To get these values, click the Download button next to the newly created application name and download a JSON file containing all the required data.
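The check below is an added example, not part of the original ClickHelp instructions: it reads the JSON file downloaded in the last step, pulls out the authentication and token URLs, and confirms the registered redirect URL is exactly the one required above, trailing slash included. The portal host myportal.clickhelp.co and all sample values are constructed placeholders; the field names follow the layout of Google's downloaded Web application client file.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the layout of Google's downloaded client file; values are placeholders.
SAMPLE = json.dumps({"web": {
    "client_id": "1234567890-example.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER-SECRET",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "redirect_uris": ["https://myportal.clickhelp.co/oauth2/"],
}})

def check_client_json(text, portal_host):
    """Return (settings, problems). settings never contains the client secret."""
    doc = json.loads(text)
    web = doc.get("web") if isinstance(doc, dict) else None
    if not isinstance(web, dict):
        return {}, ["not a Web application client (no 'web' section)"]
    problems = []
    for key in ("client_id", "client_secret", "auth_uri", "token_uri"):
        if not web.get(key):
            problems.append("missing " + key)
    for key in ("auth_uri", "token_uri"):
        if web.get(key) and urlsplit(web[key]).scheme != "https":
            problems.append(key + " is not https")
    # The page requires exactly this redirect URL, trailing slash included.
    expected = "https://" + portal_host + "/oauth2/"
    found = False
    for uri in web.get("redirect_uris", []):
        if uri == expected:
            found = True
        elif uri == expected.rstrip("/"):
            problems.append("redirect URI lacks the required trailing slash: " + uri)
        else:
            problems.append("unexpected redirect URI: " + uri)
    if not found:
        problems.append("expected redirect URI not registered: " + expected)
    settings = {k: web.get(k) for k in ("client_id", "auth_uri", "token_uri")}
    return settings, problems

if __name__ == "__main__":
    settings, problems = check_client_json(SAMPLE, "myportal.clickhelp.co")
    print(settings)
    print(problems or "no problems found")
```

The returned settings omit the Client Secret on purpose, so the output can be pasted into a ticket or log without exposing it.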
Configuring ClickHelp
Now, let's set up ClickHelp to work with Google as OpenID Connect Provider. Follow these steps:
- To make a ClickHelp portal work with an OpenID Connect Provider, we need to register a client in the portal. A user with administrator permissions can do this in the Portal Settings editor:
- Open the Single Sign-on page under the Administration menu, select the predefined Google connection, and specify the Client ID and Client Secret obtained from Google earlier. Enable the connection and click Save to save the settings.
- Once the provider connection settings are saved, you may specify it as the default provider. To do this, select the client name in the Login with combo box.
That's it, the OpenID Connect functionality for Google is enabled in the portal!
- If you want to continue using the ClickHelp login dialog, leave the Login with field untouched. You will be able to log in to your portal using Google credentials from the Login dialog by clicking the corresponding button:
Using the Google OpenID Provider
To check how the automatic authentication via OpenID Connect works, we need to ensure that we have a user with an email address corresponding to a valid Google account.
- Let's open the User Management page:
- Add a new user with an address bound to a valid Google account:
- Once the user is created, log out from your admin account or open a new browser instance in the Incognito mode. Also, please make sure that the test Google account is not logged in within this browser session. You can open the Google+ page to make sure that no Google accounts are logged in.
- Suppose you specified Google as the default login option. In that case, you can open an article from a restricted publication by a direct link that can be a link provided by your portal or application as a reference to a Help topic, FAQ article, and so on. You will be automatically redirected to the Google account login page as you are not logged in to Google at the moment.
- Once you provide the valid credentials, you will log in to ClickHelp.
- Now, log out from ClickHelp and open this page once again. Since you are logged in to Google in this browser session, ClickHelp will log you in automatically without showing any login prompts.
If you want the OpenID Connect provider always to show the login prompt, you can change the Login behavior parameter to Require login prompt:
- This time, if you are logged into Google, you still see the Google login prompt when logging into ClickHelp:
- Even if you specified Google as the default login option, it is still possible to log in to a ClickHelp portal using its native credentials (ClickHelp user account, no SSO). You can do this by following the Login link with a special no-sso parameter: https://<YourPortalName>.clickhelp.co/login/?error=no&no-sso=true
Well done! You have successfully set up Google as the OpenID Connect provider for your online documentation portal.