Google Integration (Identity Provider)
Recollective can be integrated with Google as an identity provider to permit a secure single sign-on experience for one or more user roles. Follow the steps below to configure this integration as an Analyst in the Site Administration area of your Recollective site.
If you do not see the option to add Google to your site as an identity provider, please contact your account representative to learn more about our enterprise single sign-on options.
Step 1
- Log in to your Recollective Site Administration area, i.e. https://yourdomain.recollective.com/admin
- Navigate to Settings, select Account Settings and scroll down to the Identity Providers section.
- Press the Add Provider button and select Google from the menu.
Step 2
- Customize the name and appearance of this identity provider to ensure it is easily recognized.
- Press Next to proceed to the Credentials tab.
Step 3
- Log in to Google Cloud Platform and select APIs & Services and then Credentials, found at https://console.cloud.google.com/apis/credentials
- If an OAuth consent screen has already been configured, select Create Credentials and proceed to Step 7 below.
- If not, select Configure Consent Screen.
Step 4
- In OAuth consent screen:
- Select Internal if sign-in should be limited to accounts in your own Google Workspace organization (Internal is only offered to Workspace organizations).
- Select External if you wish to allow consumer accounts to log in (e.g. open to the gmail.com domain).
Step 5
- Register Recollective as an app (it can have any name)
- For Authorized Domains, add your own Google domain, not the Recollective domain.
- Once all information has been provided, select Save and Continue
Step 6
- The next step in defining the app is to add scopes.
- Select and add the following scopes:
- Email (.../auth/userinfo.email)
- Profile (.../auth/userinfo.profile)
- OpenID
- These three are the non-sensitive scopes needed for sign-in; do not add any others, as Recollective does not need them and they would only widen what the client is authorized to read.
- Once the required scopes have been added, select Save and Continue.
Step 7
- Within Google Cloud Platform, return to the Credentials area
- Select the Create Credentials control and select OAuth client ID from the menu
Step 8
- Set the Application type to be Web application
- Enter a unique name for the client (e.g. "Recollective Integration")
- From Recollective, copy the Redirection URI shown on the Credentials tab of the Google Identity Provider dialog and add it to the Authorized redirect URIs section as shown below. Google matches redirect URIs exactly, so paste it unchanged (same scheme, host and path).
- In Google, click Create to complete the creation of the OAuth client ID.
Step 9
- Once the credentials have been created within Google, a Client ID and Client Secret will be generated.
- Copy and paste the Client ID and Client Secret into Recollective (i.e. into the Credentials tab of the Google Identity Provider configuration dialog). The Client Secret is a credential: paste it only into Recollective and do not store it in tickets, documents or source control. If it is ever exposed, generate a new secret for the client in Google and update Recollective.
- In Recollective, press Next to continue to the Configuration tab.
Step 10
Within Recollective, the Configuration tab allows restrictions to be imposed on the use of the identity provider and it determines how unrecognized user accounts should be handled.
- The Domain Restriction section allows the identity provider to be limited to select domains. Simply add one domain per line to create the restriction. You cannot add generic consumer domains such as gmail.com or googlemail.com, because they do not identify an organization and would not restrict anything.
- Note that domain restriction is required if you are limiting access to administrators and wish to have unrecognized users added automatically as administrators; without it, any Google account could otherwise obtain an administrative account.
- Under Role Usage, select which Recollective user roles should be permitted to use Google as their identity provider. For example, switch off Panelists if Google should only be available to administrative roles.
- If Google will be reserved for administrators, a Visibility section will appear. Admins will have to provide their email or username on a login form before the Google integration will appear, but you can use the visibility option to have Google appear immediately to all site visitors.
- Under Account Handling, options are provided to control how Google-authenticated users that are new to the Recollective site should be handled:
- The first option instructs Recollective to attempt a match by email address between the external Google account and any existing Recollective accounts.
- The second option controls how Recollective should behave if no account can be matched, or email matching is not enabled. In this case, you can have unrecognized accounts trigger the addition of a new Recollective account. That account would be assigned the lowest user role enabled for the identity provider under Role Usage. Note that this option is only available if the identity provider is restricted to administrative roles.
Note that it is possible to add multiple Google identity providers to a single Recollective site. One integration may be domain restricted for use by admins while another is left open to all Gmail consumers.
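To make the steps above concrete, the following is an added example, not Recollective's code: it models the configuration choices described above (the scopes from Step 6, the redirect URI from Step 8, and the Domain Restriction, Role Usage and Account Handling options from Step 10) as data, builds the authorization request a client sends to Google, and applies the policy to ID-token claims. The claims are assumed to have already been signature-verified against Google's JWKS with the issuer, audience, expiry and nonce checked; the role names and their ranking, the provider names and the sample accounts are assumptions for illustration, and the two provider configurations mirror the note above about one domain-restricted provider for admins beside one open to Gmail consumers.

```python
"""Illustrative policy for a Google (OpenID Connect) identity provider.

Added example, not Recollective's implementation. Claims passed to
evaluate_login() are assumed to be from an ID token whose signature,
iss, aud, exp and nonce have already been verified.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Assumed role ranking, lowest first (the page mentions Panelist and Analyst).
ROLE_RANK = ["panelist", "moderator", "analyst"]
ADMIN_ROLES = {"moderator", "analyst"}
# Consumer domains that may not be used as a domain restriction.
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}
# The three scopes selected in Step 6.
SCOPES = "openid email profile"
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_authorization_url(client_id, redirect_uri, state, nonce, hd=None):
    """Authorization request for the code flow.

    The hd parameter only pre-selects the hosted domain on Google's account
    chooser; it is not enforced, so the hd claim of the returned ID token
    must still be checked server-side (see evaluate_login).
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must exactly match an authorized redirect URI
        "response_type": "code",
        "scope": SCOPES,
        "state": state,                 # binds the callback to the session (CSRF)
        "nonce": nonce,                 # echoed in the ID token to prevent replay
    }
    if hd:
        params["hd"] = hd
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


@dataclass
class ProviderConfig:
    name: str
    roles: set                                 # Role Usage: roles allowed on this provider
    domains: set = field(default_factory=set)  # Domain Restriction (empty = none)
    match_by_email: bool = True                # Account Handling, first option
    auto_create: bool = False                  # Account Handling, second option

    def __post_init__(self):
        bad = self.domains & CONSUMER_DOMAINS
        if bad:
            raise ValueError(f"consumer domains not allowed in restriction: {sorted(bad)}")
        # Auto-creation is only offered for a domain-restricted, admin-only provider.
        if self.auto_create and (not self.domains or not self.roles <= ADMIN_ROLES):
            raise ValueError("auto-create requires a domain-restricted, admin-only provider")

    def lowest_role(self):
        return min(self.roles, key=ROLE_RANK.index)


def evaluate_login(provider, claims, accounts):
    """Decide what to do with verified ID-token claims.

    accounts maps lower-cased email -> role of an existing account (constructed).
    Returns (decision, detail): decision is 'matched', 'created' or 'denied'.
    """
    email = claims.get("email", "").lower()
    # Google only asserts ownership of the address when email_verified is true.
    if not email or not claims.get("email_verified"):
        return ("denied", "unverified email")
    # Workspace accounts carry an hd claim naming the hosted domain; consumer
    # accounts have none, so a restricted provider rejects them regardless of
    # what the email address looks like.
    if provider.domains and claims.get("hd") not in provider.domains:
        return ("denied", "hosted domain not permitted")
    if provider.match_by_email and email in accounts:
        role = accounts[email]
        if role not in provider.roles:
            return ("denied", f"role {role} not enabled for provider")
        return ("matched", role)
    if provider.auto_create:
        role = provider.lowest_role()
        accounts[email] = role
        return ("created", role)
    return ("denied", "unrecognized account")


if __name__ == "__main__":
    staff = ProviderConfig("Google (staff)", roles={"moderator", "analyst"},
                           domains={"example.com"}, auto_create=True)
    panelists = ProviderConfig("Google (panelists)", roles={"panelist"})
    accounts = {"pat@gmail.com": "panelist"}   # constructed sample accounts
    print(build_authorization_url("CLIENT_ID", "REDIRECT_URI_COPIED_FROM_RECOLLECTIVE",
                                  "state-123", "nonce-456", hd="example.com"))
    print(evaluate_login(staff, {"email": "new@example.com", "email_verified": True,
                                 "hd": "example.com"}, accounts))
    print(evaluate_login(staff, {"email": "pat@gmail.com", "email_verified": True}, accounts))
    print(evaluate_login(panelists, {"email": "pat@gmail.com", "email_verified": True}, accounts))
```

The two checks a practitioner most often misses are both here: the hd request parameter is a hint only, so the restriction is enforced on the hd claim of the verified token, and email matching is only trusted when Google reports the address as verified.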