Configuring SSO by using Google for IBM® TRIRIGA login

Starting in IBM TRIRIGA Application Platform 4.5, you can configure Google as the OAuth identity provider (IdP) for single sign-on (SSO), so that users log in to TRIRIGA® with their Google credentials. Configuring Google as the OAuth provider involves several steps: registering the application in Google, and then entering the OAuth provider details in TRIRIGA.

Note: SSO does not need to be enabled to use OAuth login. However, if SSO is enabled, OAuth login can still be used and may use a different IdP than the IdP for SSO.

Configuration steps

I. Registering OAuth application in Google

You can use Google as the OAuth provider for the TRIRIGA application to provide a single sign-on (SSO) login experience with Google credentials. To configure Google as the OAuth provider, you must first register the TRIRIGA application in Google.
Important: The registration process described in this section is for information purposes only. Google might change the process at any time without notice, and IBM does not support the Google part of the registration process.
Procedure
  1. Log in to the Google Cloud Console by using your Google credentials: https://console.cloud.google.com/
  2. Click Select a project and then click NEW PROJECT.
  3. Specify the project name. For example: GoogleOAuth. The project is created, and you can view the newly created project in the Notifications pane.
  4. Select the project.
  5. In the search field, type credentials and then select the APIs & Services page.
  6. To configure the OAuth consent screen with information about your application, click CONFIGURE CONSENT SCREEN.
  7. Specify the configuration details in the following sections:
    • OAuth consent screen
      1. Select the user type as External and click Create.
      2. In the App information section, specify the App name and user support email address. You can specify the same email address that you used to log in to the Google application.
      3. In the Developer contact information section, specify the email address to get notifications about any changes to the project from Google.
      4. Click SAVE AND CONTINUE.
    • Scopes
      1. Click ADD OR REMOVE SCOPES.
      2. On the Update selected scopes page, search for openid in the Filter column.
      3. Click Update. Similarly, add the userinfo.email scope.
      4. Click ADD OR REMOVE SCOPES.
      5. On the Update selected scopes page, search for userinfo.email in the Filter column.
      6. Click Update and then click SAVE AND CONTINUE.
    • Test users
      1. Click ADD USERS. On the Add users page, specify the email address of the test user.
      2. Click SAVE AND CONTINUE.
    • Summary
      1. On the Summary page, you can view the summary of the configurations done for the consent screen.
  8. Click Credentials > CREATE CREDENTIALS > OAuth client ID.
  9. On the Create OAuth client ID page, in the Application type list, select Web application.
  10. Enter the application name.
  11. In the Authorized redirect URIs section, in the URIs field, enter the following value: <TRIRIGA base URL>/p/oauth/signon. For example: https://triapp.company.com/dev/p/oauth/signon
  12. Click Create. The OAuth client created page displays the client ID and client secret values that you can use to configure the OAuth provider in the TRIRIGA application.

II. Configuring OAuth provider in TRIRIGA

After you register an OAuth application in Google, you must enter the OAuth provider details in TRIRIGA. To configure the OAuth provider, you must create a Google OAuth profile record in TRIRIGA.

Procedure

  1. Log in to the TRIRIGA main portal.
  2. Navigate to Tools > System Setup > Integration > OAuth Settings.
  3. Select Add to add a new Google OAuth profile record.
  4. In the OAuth Setup section, specify the following OAuth settings:
    • Name: Enter the name of the OAuth profile that is used for login.
    • OAuth Provider: Enter the name of the OAuth provider as google.
    • Access Type: Select user delegate.
    • Description: Specify a description.
    • OAuth Application Key: Enter the value of the Client ID field that is obtained when registering the OAuth application in Google. See Section I, Step 12.
    • OAuth Application Secret: Enter the value of the Client secret field that is obtained when registering the OAuth application in Google. See Section I, Step 12.
    • OAuth Authorize URL: Enter the following URL value: https://accounts.google.com/o/oauth2/auth
    • OAuth Token URL: Enter the following URL value: https://oauth2.googleapis.com/token
    • OAuth Redirect URL: Enter the value for: <TRIRIGA base URL>/p/oauth/signon. For example: https://triapp.company.com/dev/p/oauth/signon
    • OAuth Scope: Enter API permissions that are granted to an OAuth application. For Google, enter the following: openid+https://www.googleapis.com/auth/userinfo.email
    • My Profile Id Field: Specify the Gmail address that is used to log in to TRIRIGA.
    • User For TRIRIGA Login: Select the check box to enable login to TRIRIGA by using this OAuth provider.
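The values entered in Section I (the Authorized redirect URI registered in Google) and Section II (the OAuth profile in TRIRIGA) must agree with each other before a login can succeed. The following added example, which is not part of this documentation or of the TRIRIGA product, checks a profile for the mistakes that most often break the flow and shows the shape of the two requests the configured values feed: the front-channel authorization request to the OAuth Authorize URL and the back-channel code exchange at the OAuth Token URL. The profile dictionary, its field names and the placeholder client ID and secret are constructed for illustration; how TRIRIGA itself builds the requests is not documented here.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample profile mirroring the fields from Section II.
# The client ID and secret are placeholders, not real credentials.
SAMPLE_PROFILE = {
    "name": "google",
    "provider": "google",
    "client_id": "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER_CLIENT_SECRET",
    "authorize_url": "https://accounts.google.com/o/oauth2/auth",
    "token_url": "https://oauth2.googleapis.com/token",
    "redirect_url": "https://triapp.company.com/dev/p/oauth/signon",
    "scope": "openid+https://www.googleapis.com/auth/userinfo.email",
}

# The two scopes that Section I adds on the consent screen and Section II enters in the profile.
REQUIRED_SCOPES = {"openid", "https://www.googleapis.com/auth/userinfo.email"}


def parse_scope(scope_field):
    """Split the '+'-joined OAuth Scope value into individual scope strings."""
    return [s for s in scope_field.split("+") if s]


def validate_profile(profile):
    """Return a list of configuration problems; an empty list means the profile is consistent."""
    problems = []
    if profile.get("provider") != "google":
        problems.append("OAuth Provider must be 'google'")
    for key in ("authorize_url", "token_url", "redirect_url"):
        parts = urlsplit(profile.get(key, ""))
        if parts.scheme != "https" or not parts.netloc:
            problems.append(key + " must be an absolute https URL")
    if not profile.get("redirect_url", "").endswith("/p/oauth/signon"):
        problems.append("OAuth Redirect URL must end with /p/oauth/signon")
    missing = REQUIRED_SCOPES - set(parse_scope(profile.get("scope", "")))
    if missing:
        problems.append("OAuth Scope is missing: " + ", ".join(sorted(missing)))
    if not profile.get("client_id") or not profile.get("client_secret"):
        problems.append("OAuth Application Key and OAuth Application Secret must both be set")
    return problems


def redirect_uri_matches(registered_in_google, configured_in_tririga):
    """Google accepts a redirect URI only if it equals a registered one exactly, so a
    trailing slash, a different host or http instead of https is a mismatch."""
    return registered_in_google == configured_in_tririga


def new_state():
    """Unguessable per-login value that ties the callback to the browser session (CSRF protection)."""
    return secrets.token_urlsafe(32)


def authorize_query(profile, state):
    """Parameters of the authorization request sent to the OAuth Authorize URL.
    The client secret is never part of this front-channel request."""
    return {
        "response_type": "code",
        "client_id": profile["client_id"],
        "redirect_uri": profile["redirect_url"],
        "scope": " ".join(parse_scope(profile["scope"])),  # scopes are space-separated on the wire
        "state": state,
    }


def build_authorize_url(profile, state):
    """Full URL the user's browser is redirected to."""
    return profile["authorize_url"] + "?" + urlencode(authorize_query(profile, state))


def token_request_body(profile, code):
    """Form body of the server-to-server POST to the OAuth Token URL that exchanges the code.
    redirect_uri must repeat the value used in the authorization request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": profile["redirect_url"],
        "client_id": profile["client_id"],
        "client_secret": profile["client_secret"],
    }


if __name__ == "__main__":
    print("problems:", validate_profile(SAMPLE_PROFILE))
    print(build_authorize_url(SAMPLE_PROFILE, new_state()))
```

The redirect URL check is deliberately an exact string comparison: if the value registered in Google (Section I, Step 11) and the OAuth Redirect URL in the profile differ even by a trailing slash, Google rejects the authorization request.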

III. Creating users in TRIRIGA

You must create user records in TRIRIGA so that the users can use their Google credentials to log in. For more information on creating a user, see Creating people records.
Note: When creating the employee record, the Gmail address must be specified as the email address for the record to log in to TRIRIGA.
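Because the Gmail address on the people record is what links a Google login to a TRIRIGA user, the mapping step is where a login should fail closed. The following added example, which is not TRIRIGA code and does not describe how the platform performs the lookup, resolves a Google userinfo response to a person record and rejects the cases a defender cares about: an address Google has not verified, an address with no record, an address shared by several records, and an inactive record. The people records and the userinfo responses are constructed sample data; case-insensitive email comparison is an assumption of this example.

```python
from typing import Optional, Tuple

# Constructed sample records standing in for TRIRIGA people records (not real data).
PEOPLE = [
    {"person_id": 1001, "email": "alice@gmail.com", "active": True},
    {"person_id": 1002, "email": "bob@gmail.com", "active": False},
    {"person_id": 1003, "email": "carol@gmail.com", "active": True},
    {"person_id": 1004, "email": "carol@gmail.com", "active": True},  # duplicate address
]


def resolve_user(userinfo: dict, people: list) -> Tuple[Optional[dict], str]:
    """Map the email claim from Google's userinfo response to exactly one active person record.

    Returns (record, "ok") on success, or (None, reason) when the login must be refused.
    The email_verified claim is part of Google's OpenID Connect userinfo response; an
    unverified address must not be trusted for account linking.
    """
    email = userinfo.get("email")
    if not email:
        return None, "no email claim in userinfo response"
    if userinfo.get("email_verified") is not True:
        return None, "email not verified by Google"
    # Assumption: addresses are compared case-insensitively.
    matches = [p for p in people if p["email"].lower() == email.lower()]
    if not matches:
        return None, "no TRIRIGA person record with this email"
    if len(matches) > 1:
        return None, "ambiguous: several person records share this email"
    person = matches[0]
    if not person["active"]:
        return None, "person record is inactive"
    return person, "ok"


if __name__ == "__main__":
    # Constructed userinfo response in the shape Google returns (sub, email, email_verified).
    sample = {"sub": "110000000000000000001", "email": "alice@gmail.com", "email_verified": True}
    print(resolve_user(sample, PEOPLE))
```

Each refusal carries a distinct reason so that failed logins can be logged and distinguished in monitoring, for example a spike in "no TRIRIGA person record" outcomes after an onboarding change.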

IV. Logging in to TRIRIGA

You can log in to TRIRIGA with your Google credentials by using the following URL: <TRIRIGA base URL>/p/oauth/<OAuth profile name>/tririga. For example: https://triapp.company.com/dev/p/oauth/google/tririga
Note: Replace <OAuth profile name> with the Name that you specified in the Configuring OAuth provider in TRIRIGA section.

Log in to TRIRIGA by using your Google ID and password.