Use a private Google Cloud account as an IDP to authenticate and authorize internal users in your eCourtDate agencies.
Suggested Reading
- Read Google's Guide on OpenID Connect.
- Read Google's Guide on Setting Up OAuth 2.0.
- Read Google's Guide on Using OAuth2 for Web Server Applications.
eCourtDate's Identity Profiles (IDPs) allow you to configure OAuth 2.0-based authentication and authorization flows for your internal users.
We recommend creating at least three separate IDP profiles:
- Console IDP - for IT and technical users
- Staging IDP - for business and testing users
- Production IDP - for all users
eCourtDate's agencies feature uses a multi-tenant design with isolated databases and resources for each agency. For multi-agency regional or state customers, we recommend creating a separate agency for each district or physical location. For multi-agency city or county customers, we recommend creating a separate agency for each location, department or use case (such as an agency specifically for internal employee notifications).
A staging IDP can only authorize users on the staging region (used only for testing). A production IDP can authorize users on the chosen production region (one of us-east, us-west, us-south).
Step 1:
In eCourtDate Console, go to IDPs.
Click on Add IDP.
Choose the Sign-in value - this is used in your login URLs and should be relatively memorable (such as an acronym of your agency's name).
Choose the Region based on the desired eCourtDate region. Production regions are us-east, us-west, and us-south.
Click on Add IDP to confirm.
You'll use the provided Sign-in, Redirect, and Logout URLs to configure the Google Client in Step 3.
Create a Google Application
Step 2:
- Go to Google Cloud Console.
- Go to APIs & Services.
- Then go to OAuth Consent Screen, choose User Type Internal and click Create.
Complete the OAuth Consent Screen fields:
- App Name (eCourtDate or the name your users refer to the integration as).
- User support email (your internal help desk email).
- App Logo (your logo or save and upload our logo here).
- Application Home Page: https://ecourtdate.com
- Application Privacy Policy Link: https://ecourtdate.com/terms-of-use
- Application Terms of Service Link: https://ecourtdate.com/terms-of-use
- Authorized Domains: https://ecourtdate.com
- Developer Contact Information: your internal email or dev@ecourtdate.com
Click on Save and Continue.
Configure Scopes
Add the following non-sensitive, read-only scopes:
- https://www.googleapis.com/auth/userinfo.email - See your primary Google Account email address.
- https://www.googleapis.com/auth/userinfo.profile - See your personal info, including any personal info you've made publicly available.
To provide eCourtDate access to the user's group memberships, add the following read-only scopes:
- https://www.googleapis.com/auth/admin.directory.group.readonly
Use Google OAuth 2.0 Playground to test scopes.
Try jwt.io to decode Identity Tokens (received from the playground or other testing).
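As an added example (not code from eCourtDate or Google), the following Python inspects an ID token the way you would on jwt.io, and checks the claims that matter for an Internal-only Google IDP: the issuer, the audience (the OAuth Client ID from Step 3), expiry, and the hd claim carrying the agency's Google Workspace domain. The token, client ID and domain are constructed sample values; signature verification against the JWKS published at the Well Known URL is a separate step not shown here.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token(token):
    """Split a JWT and return its payload claims (no signature check)."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        raise ValueError("unsigned token rejected")
    return json.loads(_b64url_decode(payload_b64))


def check_id_token_claims(claims, client_id, hosted_domain, now=None):
    """Return a list of problems; empty means the claims fit this IDP setup."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss is not Google")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the OAuth Client ID from Step 3")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    if claims.get("hd") != hosted_domain:
        # Internal apps only admit Workspace users; hd names their domain.
        problems.append("hd is not the agency's Google Workspace domain")
    if claims.get("email_verified") is not True:
        problems.append("email_verified is not true")
    return problems


def make_sample_token(claims):
    """Build a constructed JWT for offline testing; the signature is a dummy."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([enc(header), enc(claims), enc({"sig": "dummy"})])
```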
Group member scopes are only required if you wish to use Google Groups to map to the User's enabled Roles and/or Agencies in eCourtDate. For example: if a user is a member of a Google Security Group, then create an eCourtDate Role with the same group name. If the user should only have access to a certain agency, then include the Agency Reference as the Role Prefix {01_Security} {02_Security}. User group memberships will automatically remain in sync with each user login. If the user's access is revoked, then the eCourtDate Role/Agency is detached on login or session expiration. Alternatively, use the Console IDP Default Role configuration to define an eCourtDate role for all authenticated users by the IDP, then designated Super Admins can manage eCourtDate Role/Agency assignments separately from Google Group memberships.
Read more about Roles and Permissions in eCourtDate here.
The above scopes are only used to identify a user after successful login through your IDP. The application does not make changes to your IDP - whether by or on behalf of the user.
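The group-to-role mapping and the per-login sync described above, as an added example in Python that is not eCourtDate's own code. It assumes the naming shown in the text: an agency-scoped group is written as the Agency Reference, an underscore and the role name (the braces in {01_Security} are taken as presentation), an unprefixed group grants the role in every enabled agency, and groups that name an agency the IDP has not enabled are ignored; the group names and agency references are constructed samples.

```python
import re

# Assumed format for an agency-scoped group: "<AgencyReference>_<RoleName>",
# e.g. 01_Security. The agency reference is taken to be numeric.
_SCOPED = re.compile(r"^(?P<agency>\d+)_(?P<role>[A-Za-z][\w-]*)$")


def parse_group(name):
    """Return (agency_reference or None, role_name) for a Google group name."""
    name = name.strip().strip("{}")  # docs show groups as {01_Security}
    m = _SCOPED.match(name)
    if m:
        return m.group("agency"), m.group("role")
    return None, name


def roles_from_groups(groups, enabled_agencies, default_role=None):
    """Map Google group memberships to a set of (agency, role) assignments."""
    enabled = set(enabled_agencies)
    assignments = set()
    for group in groups:
        agency, role = parse_group(group)
        if agency is None:
            # Unprefixed group: role applies in every enabled agency.
            assignments.update((a, role) for a in enabled)
        elif agency in enabled:
            assignments.add((agency, role))
        # A prefix naming a non-enabled agency grants nothing.
    if default_role:
        # Console IDP Default Role: granted to every authenticated user.
        assignments.update((a, default_role) for a in enabled)
    return assignments


def sync_on_login(current, groups, enabled_agencies, default_role=None):
    """Return (attach, detach) so eCourtDate assignments match Google groups.

    Anything in `current` that the user's groups no longer justify lands in
    `detach`, which is how a revoked group membership is removed at login.
    """
    desired = roles_from_groups(groups, enabled_agencies, default_role)
    current = set(current)
    return desired - current, current - desired
```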
Click on Save and Continue to review the completed OAuth consent screen summary.
Step 3:
Under Google APIs and Services, go to Credentials.
Click on Create Credentials.
Choose OAuth Client ID.
For Application Type, choose Web Application.
For Name, choose your preferred name (ex: eCourtDate Client).
Authorized Javascript origins: ecourtdate.com
Authorized Redirect URLs: https://{region}.api.ecourtdate.com/oauth/{yoursignin}/redirect
The {region} and {yoursignin} placeholders are the Region and Sign-in values chosen in Step 1; use them to construct the Redirect URL.
Click on Create.
Note the Client ID and Client Secret for the next step.
Step 4:
In the Console IDP, copy the OAuth Client ID and Client Secret to their respective values.
Update the following based on Google's OAuth 2.0 servers:
Well Known URL: https://accounts.google.com/.well-known/openid-configuration
Base URL: https://accounts.google.com
Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
Authorization Scope: your chosen scopes
Token Scope: your chosen scopes
Token URL: https://oauth2.googleapis.com/token
User URL: https://openidconnect.googleapis.com/v1/userinfo
End Session URL: https://oauth2.googleapis.com/revoke
IDP Settings
- Choose the Default Agency for all authenticated users. For multi-agency customers, we recommend using a Global agency that does not contain production data and is used primarily as a testing/training agency for new users.
- Choose the Enabled Agencies for all authenticated users. Choose any additional agencies that users should have access to. If you enabled Group scopes in the Google OAuth Registration, you may optionally use Group memberships to auto-assign Enabled Agencies.
IDP Security Settings
Configure the following allowlists to block access to eCourtDate even when the Google IDP has successfully authenticated the user:
- Allowed IP Addresses - a comma-separated list of IP addresses.
- Allowed User-Agents - a comma-separated list of User-Agents.
Additional security settings:
- Session Lifetime - defaults to 1 hour.
- Alerts Notifications - comma-separated list of emails, phone numbers, and/or webhooks to receive IDP-related issues and security alerts.
- Require MFA - use eCourtDate's MFA service regardless of whether the IDP required MFA (defaults to false).
- Transfer Logs - use eCourtDate's SFTP Gateway to auto-transfer user Audit Logs by SFTP/S3 or in real-time with HTTPS JSON webhooks.