Curiosity supports User Management via Google Sign-In, also referred to as Google Single Sign-On (SSO). Rather than maintaining names, email addresses, profile pictures, and passwords for Users that may log into the application, you can connect with accounts that already exist in your Google organization (meaning that Users are not burdened with yet another password to remember).
To do so, you require three pieces of information:
- a "Client ID"
- a "Client Secret"
- a "Domain for accounts"
These need to be associated with a Google "application" that is configured to work with Curiosity. To create one, follow the instructions below.
It is presumed that you have administrative privileges to make the changes to your Google organization. It is also presumed that you have an administrator account for your Curiosity application.
Registering a Google application
Go to https://console.developers.google.com and ensure that you are logged in with an account that has access to make changes. If you are uncertain then try to follow the steps below and talk to your administrator if any of them result in any "unable to access" or "access denied" error.
Click the "Create Project" link in the dashboard.
Enter a name such as "Curiosity SSO".
Leave the "Organizational" and "Location" drop-down list values as their defaults. You will be creating a sign-in application that only accounts from your organization can sign in with.
(Note: It's possible to create an application that allows any Google Account to log in but you must submit your application to Google for verification, which is not necessary when creating an "Internal" application)
Click "Create". You may have to wait a few seconds for Google to create the application, during which you will see a spinner animation displayed.
Click "OAuth consent screen" in the menu on the left and then select "Internal" and click "Create".
Enter an "Application name"—it's fine to use "Curiosity SSO" again.
Some fields allow for customization of the Google login screen that will be presented to Users, such as "Application logo" and "Support email". These are optional and you do not need to set them at this time. Should you wish to change them in the future, you can access this view again by clicking "OAuth consent screen" in the menu on the left and then by clicking the "Edit App" link alongside the application name.
Click "Credentials" in the menu on the left and then "+ Create Credentials" (which appears at the top of the screen) and then "OAuth client ID".
Select "Web application" in the "Application type" drop-down list and leave the "Name" as the default generated value.
You need to tell the SSO process how to get back to Curiosity after a successful login, which is the purpose of the Redirect URI. The format of the URI is:
If your Curiosity application is hosted by us then it will look something like this:
If you have installed a local instance of the application with the default settings then it will look like this:
Click "Add URI" in the "Authorized redirect URIs" section, type in the appropriate URI and then click "Create" at the bottom of the form.
You will be presented with a popup that displays "Your Client ID" and "Your Client Secret". The Client ID ends with ".apps.googleusercontent.com" and has two hyphenated alphanumeric sections before it. The Client Secret is shorter but contains a greater range of characters, such as symbols.
You can record these details now or you can retrieve them at any time by clicking on "Credentials" in the menu on the left, clicking "Credentials" and then clicking on the name of the Client ID that you just created in the "OAuth 2.0 Client IDs" list.
These are two of the three pieces of information that are required to configure Google SSO in Curiosity. The third ("Domain for accounts") will be explained in the next section.
Entering the details into Curiosity
Click the menu button at the top left, then click "Settings", then "Accounts" and then "Single Sign-On".
(If you don't see a "Single Sign-On" option and the only item under "Accounts" is "Profile" then you are not logged into Curiosity with an administrator account)
Click "Google" and then enter the Client ID and Client Secret that you generated above.
The "Domain for accounts" field is optional but it is highly recommended that you populate it. The sign-in process passes this value to Google and if the User is already logged into one or more Google accounts, they will only be offered to choose one that is for the specified domain. If they are not logged into a Google account currently, they will be asked to enter their email address but the domain will be fixed to the specified value.
Since the application you configured earlier was set to "Internal", only Users associated with the organization are allowed to log into it. If "Domain for accounts" is not set then Users could attempt to log in with a Google account that is not connected to the organization, which will result in the Google page presenting an error after the account is logged into. Setting "Domain for accounts" correctly makes for a smoother User experience, with less chance of making preventable mistakes.
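Added example, not Curiosity's own code: Google's authorization endpoint accepts an `hd` parameter that narrows the account chooser to one domain, which matches the "Domain for accounts" behaviour described above (that Curiosity sends exactly this parameter is an assumption). Because a value in the browser URL is only a hint, the code also shows the claims a relying application would check in the returned ID token after its signature has been verified; the Client ID, redirect URI and domain are constructed placeholders.

```python
import time
from urllib.parse import urlencode

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Constructed placeholders, not real credentials or Curiosity's real callback path
CLIENT_ID = "000000000000-constructedexample.apps.googleusercontent.com"
REDIRECT_URI = "https://curiosity.example.com/PLACEHOLDER-CALLBACK"
DOMAIN = "example.com"


def build_auth_url(client_id, redirect_uri, state, domain=None):
    """Authorization request URL; `hd` only narrows Google's account chooser."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the Console entry exactly
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,  # per-login random value, checked on return
    }
    if domain:
        params["hd"] = domain
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def check_id_token_claims(claims, client_id, domain=None, now=None):
    """List problems in ID token claims whose signature was ALREADY verified."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer")
    if claims.get("aud") != client_id:
        problems.append("issued to a different Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("email_verified") is not True:
        problems.append("email not verified")
    # `hd` is absent for consumer accounts, so a missing claim fails too
    if domain and str(claims.get("hd") or "").lower() != domain.lower():
        problems.append("outside the configured domain")
    return problems


if __name__ == "__main__":
    print(build_auth_url(CLIENT_ID, REDIRECT_URI, "constructed-state", DOMAIN))
    consumer = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
                "exp": 2000000000, "email_verified": True}  # no `hd` claim
    print(check_id_token_claims(consumer, CLIENT_ID, DOMAIN, now=1700000000))
```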
Google SSO is now configured for this application.
To test it, log out (by clicking the user name at the top right and then clicking "Logout" in the panel that appears). The login screen will now present a "Log in with Google" option.
Click "Log in with Google" and you will be redirected to a Google page where you can select from any applicable accounts that you are already logged in as or you may enter an email address for an account that you are not currently logged in as. In the latter case, you will be prompted for your password.
(You may customize this form to a degree, such as changing the displayed application name or adding your company logo, a support email address, or a terms and services link—the previous section described how to do this)
Once you have selected an account (and password, if required) then you will be redirected back to the Curiosity application as a logged-in User relating to the email address that you specified.
If a User account does not exist in Curiosity for the email that you chose then one will automatically be created (so that the Curiosity application administrators can set access rights and permissions). The email, name, and profile picture information from the Google account will be used to populate the account in the Curiosity application. If a User account already existed for the specified email then any permissions that have been set will not be altered but the name will be updated if the name in the Google account does not match the name in the Curiosity User account.
Removing the "Log in with Google" option
If you wish to remove Google SSO as an option for your Curiosity application then go back to Menu / Settings / Accounts / Single Sign-On / Google, clear the "Client ID" text and click Save. This will remove all three pieces of SSO configuration from the Curiosity application and the "Log in with Google" option will no longer be presented.
You must enter the Client ID and Client Secret values correctly. If either of them is wrong then you may experience one of the following:
- If the Client ID is wrong then you will be shown an error from Google as soon as you are redirected from Curiosity to Google.
- If the Client ID is correct but the Client Secret is wrong then you will be able to select an account but you will receive an error when you are redirected back to Curiosity.
- If no "Domain for accounts" is specified and the User selects an account that is not related to the organization configured for the application then an error will be displayed by Google after the account is selected.
It is also of vital importance that the "Redirect URI" that you set in the Google Console earlier was correct. If this is not correct but everything else is right then you will be able to select a Google account but, instead of being redirected back to Curiosity, you will receive an error: