Setting up Google Single Sign-on in coreFORCE

coreFORCE (Advanced and above) supports Single Sign-On (SSO) using Google or Microsoft identity platforms.  This integration is implemented using OpenID Connect (OIDC)*.  SSO allows employees in a Google or Microsoft workspace to sign in with the same account they use to access their company email.**

Note:this documentation is a work in progress and not all options may be explained.

Google OIDC setup

1. To get started, you will need a Google account that is part of a paid Google Workspace account (not a gmail.com account). The SSO integration will be set up as a Cloud project linked to a Google account, so it is recommended to use a Google account that is expected to remain with the organization long-term (for example, the primary admin account, not an account created for a temporary intern).
   
   
2. Follow the instructions at the following Google link: https://developers.google.com/identity/openid-connect/openid-connect
   
   
3. Once the Cloud Account has been set up and the application has been created, you will need to create OAuth credentials that will be placed in coreFORCE.  Click Create Credentials and select OAuth Client ID from the dropdown that pops up.
   
   
   
4. Select "Web Application" as the Application Type, and "Internal" as the User Type. You will be prompted to configure the consent screen before creating credentials.  You will need to enter a name for your application and a contact email for the consent screen.
   
5. On the Scopes Screen, select everything under the non-sensitive scopes, including "openid" "email" and "profile"
   
6. On the credentials creation screen, enter the following information:
   Name:(whatever will help you remember this is for your coreFORCE site)
   Authorized redirect URLs: (your website + /callback).
   For example, if your site was myonlinestore.com, you would enter https://myonlinestore.com/callback
   Be sure to enter all the variations of the domain name you use, for example, https://www.myonlinestore.com/callback, https://myonlinestore.coreware.com/callback
   
   
   
   
7. Copy the Client ID and the Client Secret from that page.  In coreFORCE, go to Login Provider Credentials (using the Shift Shift page chooser), click Add, select Google from the dropdown, and enter the Client ID and Client Secret that you copied.  For Discovery URL, enter the following:
   https://accounts.google.com/.well-known/openid-configuration
   
   Is is recommended to leave the "public access" and "allow create user" boxes blank. "Public Access" will show the SSO login buttons to end-users on your front end site, which is likely not desirable. "Allow Create User" will allow coreFORCE to create new users when it receives a callback from SSO. This is usually not desirable for administrator users either.
   
   
   
   
8. After saving changes, you will see a "Login with Google" button on your backend login form.  The Login with Google button will redirect you to Google to login with a Google account.  To link an existing coreFORCE user to Google, you must create the custom field SSO_LINK_USER (type checkbox), and have that checkbox checked for the user.
   

* coreFORCE does not support SSO via SAML and there are no plans to implement SAML at this time.

** There are currently no plans to support SSO for consumers using a public gmail.com or outlook.com account.