Powered by its Identity & Access Management platform, Carerix offers multiple ways to set up Single Sign-On. It allows customers to configure various identity providers for user authentication. This article provides a step-by-step overview of the process of configuring Google as an identity provider for Carerix.
Setup of an OpenID Connect Application in Google and an Identity Provider in Carerix
Carerix and Google need to be configured in parallel, so make sure you have administrator rights in both applications or have the people with these permissions at the table when you start.
➕ 1. Create a new identity provider in Carerix
Login to Carerix and in the maintenance menu section open the Identity Access menu.
Open the Identity Provider Tab.
Click on the 'Add Provider...' button on top of the overview. Select 'Google'.
Fill out the 'Alias' field with a value of your choice. After saving the Identity Provider setup it is not possible to change this value.
Note that the 'Redirect' URL is generated on the fly. Copy this URL to your clipboard. We need it on the Google side later on.
Set 'Active' to YES
Set 'Automatically Redirect' to NO
Choose a Display Name. Recommendation: 'Google'.
Gsuite Domain: enter your Gsuite domain here.
Now, do not close the Identity Provider configuration window. Leave the browser tab open and open a new one to start creating your Google Application.
➕ 2. Create a new Google Application
Log in to your Google development console. This is where we are going to configure the Google APIs for Carerix.
Click on the dropdown near the Google APIs or Google Cloud logo and select 'New Project':
Now click on 'New Project':
In the new project screen choose a project name, select the applicable organization and click on 'Create':
You will be redirected to a page similar to the one in the following screenshot. Scroll down to the 'Getting Started' section and click on 'Explore and Enable APIs':
On the following page click on 'Credentials' in the left side menu:
The Google Developers Console reminds you that the consent screen needs to be configured. This is mandatory for our integration, and it configures what your users get to see when we redirect them to Google for signing in. Click on this button:
As identity providers only work with pre-configured users in Carerix (and you probably do not want external people to be able to use your SSO), select 'Internal'. If, for any reason, you want to allow any Google account to sign in to your application, select 'External'.
On the next page there are a lot of settings to be defined. Do so as follows:
App name: Any name you would like to give to this Google Application. As you are using it as an Identity Provider for Carerix, we recommend calling it Carerix.
User support email: pick the appropriate address from the list
App logo: Optional. Upload your organisation's logo to be displayed in the Google consent screen.
Application homepage: https://customer.carerix.net
Application Homepage link: this is the URL of your Carerix application (customer.carerix.net).
Application Privacy Policy link: https://carerix.com/carerix-5-privacy-statement/
Authorized domains: click on 'Add Domain' and add both carerix.net and carerix.com
Developer contact information: your email address (or that of the person who will be maintaining this Google application).
When done, click on save. You have successfully created a Google Application which can be used as an Identity Provider.
🔐 3. Create credentials for your Google Application
Now we have to generate the credentials that are needed in Carerix to authenticate with your Google Application. To do so click again on the 'Credentials' menu on the left:
Click on 'Create Credentials':
Then on 'OAuth client ID':
Now select 'Web Application' as the type of your application, add a name for your application (optional) and add the Redirect URL you copied in step 1 to the 'Authorized redirect URIs' field. Then click on 'Create':
You have now successfully created a Client ID and Client secret. Both should be copied and brought to the Carerix IDP.
🏁 4. Finalize Identity Provider configuration in Carerix.
Now we return to the Carerix application, more specifically to the configuration of the Identity Provider we started in step 1. You now have the Client Secret and Client ID from your Google application. Copy/Paste them into the respective fields in Carerix.
Explanation of the Identity Provider fields for Google in Carerix:
Alias - is a mandatory field which cannot be altered after saving it for the first time. It will be used in the redirect URL. Changing the alias later on would mean a new redirect URL and hence a change to the Google configuration too. You are free to choose any alias. We would suggest something like 'googlesso'.
Active - defines whether this Identity Provider will be available for users to login to Carerix.
Automatically redirect - indicates whether visitors of customer.carerix.net are redirected to the Google login page immediately and automatically (YES) or not (NO). Note: leave this option off until you have tested that your configuration works properly. The value for this setting can be changed at any time.
Display Name - defines the button label used on the login screen of Carerix for this Identity Provider. It can be changed afterwards anytime.
GSuite domain - your Gsuite domain name
Client id - use the client ID as generated in your Google application.
Client secret - use the client secret as generated in your Google application. Note: if you use copy/paste, check that you do not accidentally copy an extra space. This would mean an invalid client secret and result in a non-functioning identity provider.
Redirect URL - Will be generated after filling out the alias field and is needed in the setup of your Google Application.
📛 5. Adjust user names in Carerix
To be able to successfully use Google as an identity provider in Carerix, it is necessary to make sure that all usernames in Carerix are equal to the email addresses of those users registered in your Google domain.
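The two failure modes called out above (a stray space in the pasted client secret, and Carerix usernames that do not equal a Google email address) can be checked before switching on 'Automatically redirect'. The script below is an added example, not Carerix or Google code: the function names are hypothetical, the sample values are constructed, and it assumes usernames are matched case-insensitively and that you have exported the Carerix usernames and the Google directory emails yourself.

```python
from urllib.parse import urlsplit

GOOGLE_CLIENT_ID_SUFFIX = ".apps.googleusercontent.com"


def check_idp_values(client_id, client_secret, redirect_url, registered_uris):
    """Return problems with the values copied between Google and Carerix."""
    problems = []
    fields = {"client id": client_id, "client secret": client_secret,
              "redirect URL": redirect_url}
    for name, value in fields.items():
        if not value or any(ch.isspace() for ch in value):
            problems.append(f"{name}: empty or contains whitespace")
    if not client_id.strip().endswith(GOOGLE_CLIENT_ID_SUFFIX):
        problems.append("client id: not a Google OAuth client ID")
    if urlsplit(redirect_url.strip()).scheme != "https":
        problems.append("redirect URL: not https")
    # Google matches redirect URIs as exact strings; a trailing slash differs.
    if redirect_url not in registered_uris:
        problems.append("redirect URL: not in Authorized redirect URIs")
    return problems


def check_usernames(usernames, gsuite_domain, directory_emails):
    """Map each Carerix username that cannot sign in via Google to the reason."""
    # Assumption: matching is case-insensitive; confirm this for your tenant.
    known = {e.strip().lower() for e in directory_emails}
    domain = gsuite_domain.strip().lower()
    failures = {}
    for user in usernames:
        local, sep, user_domain = user.lower().rpartition("@")
        if not sep or not local:
            failures[user] = "not an email address"
        elif user_domain != domain:
            failures[user] = "outside the GSuite domain"
        elif f"{local}@{user_domain}" not in known:
            failures[user] = "no matching Google account"
    return failures


if __name__ == "__main__":
    # Constructed sample values; the redirect URL is a placeholder.
    uri = "https://sso.example.invalid/redirect/googlesso"
    print(check_idp_values("1234-abc" + GOOGLE_CLIENT_ID_SUFFIX,
                           "constructed-secret ", uri, [uri + "/"]))
    print(check_usernames(["jdoe", "a.smith@example.com", "k.lee@gmail.com"],
                          "example.com", ["a.smith@example.com"]))
```

An empty list from `check_idp_values` and an empty dict from `check_usernames` mean every pre-configured user has a matching Google identity and the pasted values are clean.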