Google SSO

Amazon Cognito integrates with Google to enable existing Gmail and GSuite users to sign-on to Amorphic Data Cloud. This section explains how to register and set up your application with Google as an identity provider.

What is Single Sign-On?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. SSO works based upon a trust relationship set up between an application, known as the service provider, like Amorphic Data Cloud and an identity provider, like Google. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate can be used to sign identity information that is being sent from the identity provider to the service provider so that the service provider knows it is coming from a trusted source.

Pre-requisites for Google Identity Provider

Before we proceed with the Google IDP setup, we need the following pre-requisites:

1. Google Developers account -https://console.developers.google.com/
2. Amazon AWS account
3. A Cognito user pool with an application client and a user pool domain

Steps to register Amorphic app with Google

• Create a Google API Console project
• Get OAuth 2.0 client credentials
• Update Amorphic with credentials

Create a Google API Console project

1. Login to Google Developer console using this link. If there are no projects created within the console then you should see a webpage like below image. Click on the CREATE PROJECT

If there are existing projects within the console then you can click the projects dropdown menu on top-left corner and then click NEW PROJECT

2. In the New Project page, enter a Project name. For Location, choose BROWSE, and then select an organization (if applicable). Choose CREATE.

Get OAuth 2.0 client credentials

1. In the Google API Console, on the Credentials page, choose Create credentials, and then choose OAuth client ID.

2. On the Create OAuth client ID page, for Application type, choose Web application.

3. Enter OAuth client Name. This name is only used within the Google console to identify the client.

4. For Authorized JavaScript origins, enter your Amazon Cognito domain. Amazon Cognito domain value can be found in AWS Management Console -> Services -> Cognito -> Manage User Pools -> select user pool -> Domain name (in left navigation pane):

   https://<yourDomainPrefix>.auth.<region>.amazoncognito.com

Note

Replace yourDomainPrefix and region with the values from your user pool.

5. For Authorized redirect URIs, enter below URI:

   https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse

Note

Replace yourDomainPrefix and region with the values from your user pool.

6. Click CREATE and it will generate Client ID and Client Secret.

7. Note that Google automatically adds the domain of the URI added in the previous step to the OAuth consent screen.

8. In the OAuth client dialog, find the Client ID and Client Secret, and then note them for later. You'll need these when configuring Google in Amorphic application.

Update Amorphic with credentials

1. In Amorphic CMP (customer management portal), select IDP provider as Google and update the values.

• IDP Client Id in cmp corresponds to Client ID retrieved from Google
• IDP Client Secret corresponds to Client Secret from Google

Once the values are added, click on Update IDP Details. This will take around 45-60 mins to get reflected in the login page.