Google authentication

Relevant Products

Google authentication is available in BREEZE PRINT BREEZE MFD PRO PRINT PRO MFD

SAFEQ Cloud supports Google Workspace authentication for authenticating Workspace users to SAFEQ Cloud.

You can configure Google authentication to use OpenID Connect (OIDC) authentication alone, or in combination with service access authentication (implemented via Service Account). Configuring a service account is necessary to access user groups in Google Workspace, which may be used for access control or automation rules in SAFEQ Cloud.

Be aware that Google authentication always uses OIDC, which is incompatible with SAML Single sign-on.

For the breakdown of the advantages of OIDC and service access authentication methods, refer to the Authentication providers section.

Google Authentication is limited to Google Workspace accounts. Personal Gmail accounts are not supported.

Google Authentication currently does not synchronize cards or pins. Cards and pins may be assigned to users in SAFEQ Cloud UI. 

General settings

To add Google Authentication provider, perform the following steps:

1. Log in to SAFEQ Cloud Web UI and go to Users page and Authentication providers tab.

2. Click Add.

3. In Type, select Google.

4. Fill in the general settings:

   1. Name – An internal name used for identifying the particular authentication provider configuration. Should be prefilled with the selected Type.

   2. Domains – The domain names of the authenticating users. Add here the domain aliases that the users can use to log in. At least one domain in the list should match the domain part of the fully qualified username.
      

      

      For example, to allow user john.doe@acme.com to log in via this Authentication provider, enter the acme.com domain here.

   3. Priority – A number that determines the order in which authentication providers will be called until one succeeds. Higher-priority providers will be tried first.

   4. Active – If enabled, the authentication provider will be used for authentication. If disabled, this authentication provider will not be used for authentication. You can use this to disable the Authentication provider temporarily.

5. In the next steps, choose the authentication type or a combination of types.

   1. OIDC Built-in authentication – The default option suitable for basic use cases. This is the most convenient option if you don't need any special configuration or don't want to set up your own Google OIDC client manually.

   2. OIDC Customizable authentication – Choose this option if you need to configure your own custom Google OIDC client.

   3. OIDC Built-in or Customizable authentication together with Service account authentication  – Choose this option if you need to synchronize user groups to be used for access control or automation rules.

When the OIDC authentication is enabled (using either Built-in or Customizable config), you can choose whether to hide a login button for this authentication provider on the Login page via the Hide on Login page switch.

OIDC Built-in configuration

When using the built-in OIDC authentication, users will log in via a predefined SAFEQ Cloud Google client.

1. Log in to SAFEQ Cloud Web UI and go to Users page and Authentication providers tab.

2. Click Add and fill in the general settings (Type, Name, Domains, Priority, and Active).

3. OIDC Authentication section – Choose Built-in

   1. Hide on Login Page - Enable this option to hide the Google button on the SAFEQ Cloud Cloud login page. Otherwise the name displayed on the button is taken from the Name field.
      Example:
      

      

       

      

      If the Hide on Login Page option is enabled, no "Login via <Provider Name>" button will be displayed on the login screen. To authenticate via such an authentication provider, users need to fill in the username containing a domain matching the authentication provider, which will redirect them to the OIDC authentication flow (the same way as clicking the "Login via <Provider Name>" button.

4. Service account authentication section: Enable the Active toggle if you wish to use service account together with OIDC. See the Service account authentication section of this page.

5. Click Save.

6. Google users can now log in to SAFEQ Cloud.
   

Every user logged in via this provider will have the Authenticated Users group assigned. You can use this group to manage access controls.

Unless you also configure Service Account, no other groups will be synchronized. See Access Control.

Upon each user login, explicit consent to the Google application is required. This protocol is mandated by Google to enable SAFEQ Cloud to sustain an offline session. This ensures that the user's account remains synchronized, even when authentication methods such as card, PIN, or other non-Google-redirecting processes are utilized for accessing SAFEQ Cloud.

The necessity for an offline session can be circumvented through the configuration of a Service Account.

OIDC Customizable configuration

If you want to configure custom Google OIDC authentication, you must first configure Google Client registration and then use it for the authentication provider in SAFEQ Cloud.

1. Go to OAuth Consent configuration.

2. Select a Project or create a new one

3. If this is your first OAuth integration, select Internal or External, enter contact information and click Create

4. Go and edit your OAuth consent screen

5. Configure a name for your login app and a user support email address

6. In Authorized domains add the domains who are allowed to log in to SAFEQ Cloud

7. Save to continue to the Data Access section

8. Click on Add or remove scopes and add the .../auth/userinfo.profile and the openid scopes

9. Save, review the summary of your changes and finish

Configure a new OAuth Client ID

1. Go to Clients section

2. Click on Create Client

3. Select Web Application in the Application Type drop down menu, and enter an identifying name for your app

4. Fill Authorized redirect URIs according to your domain:

   1. https://{domain}/callback/oidc-login

   2. https://{domain}:8443/callback/oidc-login

5. Note the Client ID and Secret

.

Next, you must create the Authentication provider in SAFEQ Cloud, which will use the app registration you just created.

Creating an Authentication provider in SAFEQ Cloud

1. Log in to SAFEQ Cloud Web UI and go to Users page and Authentication providers tab.

2. Click Add and fill in the general settings (Type, Name, Domains, Priority, and Active).

3. OIDC Authentication section – In Type drop-down list, choose Customizable and fill in the fields accordingly:

   1. Client ID – The ID of the registered Google Client you created in previous steps.

   2. Client secret – The secret value you created for the registered Google Client in previous steps.

   3. Hosted Domain – May optionally be filled to streamline the login experience by prefilling the domain part of the login

   4. Callback domain for custom application – Select from the list of available domains the one that you defined in Google Client registration as Redirect URI in previous steps, e.g. print.acme.com .

   5. Custom token claim names – Click Show to change the mapping between the ID token and Google user attributes, such as username, name, and email.

   6. Hide on Login Page – Enable this option to hide the Google button on the SAFEQ Cloud Cloud login page. Otherwise the name displayed on the button is taken from the Name field.
      Example:

4. Service account authentication section: Enable the Active toggle if you wish to use service account together with OIDC. See the Service account authentication section of this page.

5. Click Save.

6. Google users can now log in to SAFEQ Cloud. 

Every user logged in via this provider will have the Authenticated Users group assigned. You can use this group to manage access controls.

Unless you also configure Service Account, no other groups will be synchronized. See Access Control.

Upon each user login, explicit consent to the Google application is required. This protocol is mandated by Google to enable SAFEQ Cloud to sustain an offline session. This ensures that the user's account remains synchronized, even when authentication methods such as card, PIN, or other non-Google-redirecting processes are utilized for accessing SAFEQ Cloud.

The necessity for an offline session can be circumvented through the configuration of a Service Account.

Service account authentication

To be able to synchronize user groups and use them for Access Control and Automation Rules, a service account must be created.

1. Follow the steps in Google documentation: https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount .

2. As part of the key creation process, a private key is generated as a JSON file. Save it in your PC. You will need to copy its content into Secret JSON file content form field.

3. Delegate the service account that you have created for domain-wide authority. Follow the steps from Google documentation: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority .

4. You will need the following scopes for SAFEQ Cloud communication:

   • https://www.googleapis.com/auth/admin.directory.user.readonly

   • https://www.googleapis.com/auth/admin.directory.group.member.readonly

   • https://www.googleapis.com/auth/admin.directory.group.readonly

5. In the Google Workspace authentication provider form creation, enter the account name that has a super admin role (not service account name!) and paste the content of the JSON file you saved before. Make sure that the JSON file content is wrapped in curly braces { } when you paste it. Click Test to make sure it is working. You can also serialize JSON and paste it as a solid string in between { }.

This approach requires using admin account for service account to impersonate, the possible actions for this impersonation are limited by the scopes you entered for the domain-wide delegation. For more information, see this article by Google.

Check if Admin SDK API is enabled for your project, and if it’s not, enable it: choose your project and type in the search line “admin sdk”

if it is disabled, click Enable button

1. Click Save.

2. SAFEQ Cloud may now assign external user groups to roles in Access Control, as well as to Automation Rules.