Online Help | Desktop App

Configuring SSO authentication with Google

Introduced in 2021.1

Updated in 2023.2

This article explains how to integrate Alloy Navigator Express with Google for Single Sign-On, so your users can sign in to Alloy Navigator Express with their Google accounts.

PREVIOUS STEP: Before you begin, see Managing single sign-on (SSO) providers for basic information and prerequisites.

Register Alloy Navigator Express in Google

First, you need to register your Alloy web apps in Google, add the required scopes, and get an OAuth 2.0 client ID and client secret.

Define a consent screen and add scopes

Scopes express the permissions you request users to authorize for Alloy web apps and allow your apps to access specific types of private user data from their Google accounts.

  1. In the Dashboard navigation bar, click the APIs & Services option.

  2. In the APIs and Services navigation bar, click OAuth consent screen.

  3. Choose the user type for your project. Learn more about user types in Google projects.

  4. Specify app information about your Alloy web apps. Note that the App Name, User support email, and Developer contact information fields are mandatory.

  5. On the Scopes screen, click ADD OR REMOVE SCOPES and add the following scopes:

    • .../auth/userinfo.email
    • .../auth/userinfo.profile
    • openid

    Note that the required scopes are the top three scopes the dashboard offers. Select the check boxes as shown in the screenshot below.

    Click Update.

  6. Click Save and Continue to proceed.

  7. Navigate to the Summary screen, review your settings, and click BACK TO DASHBOARD.

Get an OAuth client ID and secret

Use the Credentials option to get an OAuth client ID and secret.

  1. In the APIs and Services navigation bar, click Credentials.

  2. Select + CREATE CREDENTIALS > OAuth client ID on the top.

  3. In the Application type list, select Web application.

  4. In the Name field, type in a name to help you manage OAuth for Alloy Navigator Express; for example: Alloy Web Apps.

  5. In the Authorized redirect URIs field, enter the redirect URIs for your Alloy Navigator Express web apps (the Web App and Self Service Portal):

    • Alloy web apps (Self Service Portal and Web App):

      • [Web App URL]/signin-oidc
      • [SSP URL]/signin-oidc

      IMPORTANT: The Web App URL and SSP URL must use HTTPS, not HTTP.

    • Alloy mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):

      • http://localhost:4000/

    Note that a single app registration serves all your Alloy web apps, as shown in the screenshot below. Add a redirect URI for every Alloy web app instance you want to use SSO.

  6. Click Create.

    The OAuth client is created, and the dashboard displays you the Client ID and secret. Copy the displayed values , you will need them later.

    Now you can close OAuth client created window.

    TIP: You can access your client ID and secret at any time in your Google Cloud Platform console, at the Credentials page.

  7. Go back to Oauth consent screen and click PUBLISH APP to make your Alloy web apps available for users Google accounts.

Create an SSO Provider record for Google in Alloy Navigator Express

To store Google metadata in Alloy Navigator Express, create an SSO Provider record using the Settings App. Here is what you will need. All these data are available in your Google Cloud Platform console.

  • Authority - the OpenID Connect endpoint URL (for Google, it is https://accounts.google.com);

  • Client ID - the OpenID Connect client ID provided by Google;

  • Client Secret - the client secret for the Alloy Navigator Express app provided by Google;

  • Full Name Claim - the claim where Google stores user full names. Alloy Navigator Express needs that claim for creating Person records for self-registering Self Service Portal customers. The default value is name.

  • User Name Claim - the claim where Google stores usernames (email addresses); those usernames must match usernames (email addresses) in Alloy Navigator Express accounts. The default value is emailaddress.

To add an SSO Provider record for Google:

  1. In Alloy Navigator Express Settings, go to Accounts and Roles > SSO Providers and select New > Custom from the Module menu. The Custom dialog box opens.

  2. In the Name field, type Google. Alloy Navigator Express users will see that name in their sign-in dialog as Sign in with [Name].

  3. In the Authority field, enter https://accounts.google.com.

  4. Provide the credentials of your Alloy web apps from Google:

    • Client ID - the unique identifier that Alloy apps will use when requesting an access token from Google.

    • Client Secret - the secret string that the Alloy apps will use to prove its identity when requesting an access token from Google.

  5. When users sign in, their user information from Google becomes available to Alloy Navigator Express. By default, the claims that carry information about the user include the user's email address, name, and preferred username.

    Typically, you can keep the default values in the Full Name Claim (name) and the User Name Claim (emailaddress) fields.

  6. Click OK to save your record.

NEXT STEP: Step 3: Configure the Alloy Navigator Express apps to use SSO.