How to Configure Google as an Identity Provider (IDP) using oAuth2.0 O

Use a private Google Cloud account as an IDP to authenticate and autho

  1. Home
  2. Console
  3. How to Configure Google as an Identity Provider (IDP) using oAuth2.0 OpenID Connect
Last updated 1 year ago
To use this article: sign in to eCourtDate here.

Use a private Google Cloud account as an IDP to authenticate and authorize internal users in your eCourtDate agencies.

Suggested Reading

 

eCourtDate's Identity Profiles (IDPs) allow you to configure oAuth2.0-based authentication and authorization flows for your internal users.

We recommend creating at least three separate IDP profiles:

  • Console IDP - for IT and technical users

  • Staging IDP - for business and testing users

  • Production IDP - for all users

 

eCourtDate's agencies feature uses a multi-tenant design with isolated databases and resources for each agency. For multi-agency regional or state customers, we recommend creating a separate agency for each district or physical location. For multi-agency city or county customers, we recommend creating a separate agency for each location, department or use case (such as an agency specifically for internal employee notifications).

A staging IDP can only authorize users on the staging region (used only for testing). A production IDP can authorize users on the chosen production region (one of us-east, us-west, us-south).

Step 1:

In eCourtDate Console, go to IDPs.

Click on Add IDP.

Choose the Sign-in value - this is used in your login URLs and should be relatively memorable (such as an acronym of your agency's name).

Choose the Region based on the desired eCourtDate region. Production regions are us-east, us-west, and us-south.

Click on Add IDP to confirm.

Add Console IDP Demo

You'll use the provided Sign-in, Redirect, and Logout URLs to configure the Google Client in Step 3.

Demo IDP URLs

Create a Google Application

Step 2:
  • Go to Google Cloud Console.
  • Go to APIs & Services.
  • Then go to oAuth Consent Screen, choose User Type Internal and click Create.

Google OAuth Consent Screen Internal

Complete the oAuth Consent Screen fields:

  • App Name (eCourtDate or the name your users refer to the integration as).
  • User support email (your internal help desk email).
  • App Logo (your logo or save and upload our logo here).
  • Application Home Page https://ecourtdate.com
  • Application Privacy Policy Link https://ecourtdate.com/terms-of-use
  • Application Terms of Service Link https://ecourtdate.com/terms-of-use
  • Authorized Domains https://ecourtdate.com
  • Developer Contact Information - your internal email or dev@ecourtdate.com

Google OAuth Consent Screen App Registration

Click on Save and Continue.

Configure Scopes

Add the following non-sensitive, read-only scopes:

  • ./auth/userinfo.email See your primary Google Account email address
  • https://www.googleapis.com/auth/userinfo.email
  • ./auth/userinfo.profile See your personal info, including any personal info you've made publicly available
  • https://www.googleapis.com/auth/userinfo.profile

To provide eCourtDate access to the user's group memberships, add the following read-only scopes:

https://www.googleapis.com/auth/admin.directory.group.member.readonly

https://www.googleapis.com/auth/admin.directory.group.readonly

See Google's API Scopes here.

Use Google oAuth2 Playground to Test Scopes.

ID Token Structure guide.

Try jwt.io to decode Identity Tokens (received from the playground or other testing).

Group member scopes are only required if you wish to use Google Groups to map to the User's enabled Roles and/or Agencies in eCourtDate. For example: if a user is a member of a Google Security Group, then create an eCourtDate Role with the same group name. If the user should only have access to a certain agency, then include the Agency Reference as the Role Prefix {01_Security} {02_Security}. User group memberships will automatically remain in sync with each user login. If the user's access is revoked, then the eCourtDate Role/Agency is detached on login or session expiration. Alternatively, use the Console IDP Default Role configuration to define an eCourtDate role for all authenticated users by the IDP, then designated Super Admins can manage eCourtDate Role/Agency assignments separately from Google Group memberships.

Read more about Roles and Permissions in eCourtDate here.

The above scopes are only used to identify a user after successful login through your IDP. The application does not make changes to your IDP - whether by or on behalf of the user.

Minimum OAuth User Read-Only Non-Sensitive Scopes

Click on Save and Continue to review the completed OAuth consent screen summary.

Step 3:

Under Google APIs and Services, go to Credentials.

Click on Create Credentials.

Choose OAuth Client ID.

For Application Type, choose Web Application.

For Name, choose your preferred name (ex: eCourtDate Client).

Authorized Javascript origins: ecourtdate.com

Authorized Redirect URLs: https://{region}.api.ecourtdate.com/oauth/{yoursignin}/redirect

The {region} and {signin} chosen from Step 1 should be used to construct the Redirect URL.

Click on Create.

Note the Client ID and Client Secret for the next step.

Step 4: 

In the Console IDP,  copy the OAuth Client ID and Client Secret to their respective values.

Update the following based on Google's oAuth2 servers:

Well Known URL: https://accounts.google.com/.well-known/openid-configuration

Base URL: https://accounts.google.com

Authorization URL: https://accounts.google.com/o/oauth2/v2/auth

Authorization Scope: your chosen scopes

Token Scope: your chosen scopes

Token URL: https://oauth2.googleapis.com/token

User URL: https://openidconnect.googleapis.com/v1/userinfo

End Session URL: https://oauth2.googleapis.com/revoke

Sample Google IDP Configuration

 

IDP Settings

  • Choose the Default Agency for all authenticated users. For multi-agency customers, we recommend using a Global agency that does not contain production data and is used primarily as a testing/training agency for new users.
  • Choose the Enabled Agencies for all authenticated users. Choose any additional agencies that users should have access to. If you enabled Group scopes in the Google OAuth Registration, you may optionally use Group memberships to auto-assign Enabled Agencies.

IDP Security Settings

Configure the following settings to block access to eCourtDate, regardless if the Google IDP successfully authenticates the user:

  • Allowed IP Addresses to add a comma-separated list of IP addresses.
  • Allowed User-Agents to add a comma-separated list of User-Agents.

Additional security settings:

  • Session Lifetime - defaults to 1 hour.
  • Alerts Notifications - comma-separated list of emails, phone numbers, and/or webhooks to receive IDP-related issues and security alerts.
  • Require MFA - use eCourtDate's MFA service regardless if the IDP required MFA (defaults to false).
  • Transfer Logs - use eCourtDate's SFTP Gateway to auto-transfer user Audit Logs by SFTP/S3 or in real-time with HTTPS JSON webhooks.

 

 

Get Help from the eCourtDate Team

Schedule a Virtual Meeting