Configure SSO/OAuth with Google
For general information on OAuth and how you can get your Single Sign-On (SSO) with working with SpamExperts, see Configure OAuth/Single Sign-On (SSO).
Step 1 - Configure Google API Console
- Login to Google API Console
- Add a project:
- Create OAuth consent. Enter:
- Email address: Your email address
- Product name: Project name
- Homepage URL: https://primary.domain.invalid
- Product Logo (optional)
- Privacy policy URL (optional): Link to your Privacy policy
- Terms of services URL (opional): Link to your Terms of Service
- Click Save
- Create OAuth consent. Enter:
- Setup OAuth credentials:
- Click OAuth client ID
- Select WEB application
- Add a name e.g.test
- Authorized JavaScript origins
- This should contain the hostname of your cluster and the branded / custom hostname that you’ve chosen to use in your branding
- This should contain both https:// and http:// links e.g.
- https://mycustom.demo-domain.invalid (branded hostname)
- http://mycustom.demo-domain.invalid (branded hostname)
- Authorized redirect URIs - needs to point to the authorized redirect endpoint setup on your cluster
- This should contain the branded / custom hostname that you’ve chosen to use in your branding
- This should contain both https:// and http:// links e.g.
- http://mycustom.demo-domain.invalid/rest/auth/openid/authorize/mailbox
- https://mycustom.demo-domain.invalid/rest/auth/openid/authorize/mailbox
- Click Create
- Client ID number
- Client Secret
This returns:
These are required for the interface setup.
Step 2 - Configure Google Details in SpamExperts
- Log into your SpamExperts Control Panel using your branded URL (this is set up in the Hostname field in the Branding Management page. See Create a Custom Control Panel URL)
- In the Admin Level Control Panel, select Branding > Branding Management
- Ensure that SSO/OAuth login for email users is enabled
- Add the label text that will be displayed on the login button
- Click Save
- Navigate to the domain, by selecting General > Domains Overview and click on the relevant domain
- Select Users & Permissions > OAuth Settings and make sure that OAuth login is toggled on
- Complete the following details:
- Provider URL - For Google setup this will always be: https://accounts.google.com
- Client ID - This was provided in Step 1 - Configure Google API Console (above)
- Client Secret - This was provided in Step 1 - Configure Google API Console (above)
- Token Endpoint - for Google this will always be: https://www.googleapis.com/oauth2/v4/token
- Authorization Endpoint - For Google this will always be: https://accounts.google.com/o/oauth2/v2/auth
- User info endpoint - For Google this will always be: https://openidconnect.googleapis.com/v1/userinfo
- User Identification Method - select Verified Email
- Jwks Url - For Google this will always be: https://www.googleapis.com/oauth2/v3/certs
- Use Nonce Validation - Select Yes
- Click Save
The login page for users on that domain will now display the new login button allowing authorization with Google OAuth2.0.
Although we strive to provide the most up-to-date information, the instructions covered in the Google configuration may change without our knowledge. To ensure you have the correct up-to-date information, please refer to Google's website. For Google's OAuth 2.0 authentication details see https://developers.google.com/identity/protocols/OpenIDConnect.