Google-OIDC Integration Guide
Operational Scenarios
Google Cloud's OIDC-based Single Sign-On (SSO) provides a secure authentication method that allows users to access multiple services with a single identity.
Google OIDC supports access control for both internal and external users (if you are not a Google Workspace user, the application can only be made available to external users).
Prerequisites
- Have a Google account
Operation Steps
Configure OAuth2.0 Client Application
- Log in to Google Cloud Console.
- Access security settings; navigate to APIs & Services > OAuth consent screen.
- Choose to create a project or use an existing project.
- Create an application under the project, and fill in the branding and audience information.
- Create an OAuth2.0 client and configure the redirect address.
- After creation, download the OIDC-related configuration for the later HAP configuration of OIDC Single Sign-On.
HAP Integration with OIDC Single Sign-On
For detailed steps, refer to the HAP private deployment documentation How to Integrate Single Sign-On - OIDC.
- Configure sso.json, with the following content:

      {
        "mode": "common-oidc",
        "name": "oidc",
        "oidc": {
          "clientId": "x-x.apps.googleusxx",
          "clientSecret": "x-xxxyZwQgUtLSDL17Zpxxx",
          "oidcUrl": "https://accounts.google.com/.well-known/openid-configuration",
          "redirectUrl": "http://localhost:3000/oidc-redirect",
          "responseTypes": "code",
          "scope": "openid email profile",
          "params": {
            "UserId": "sub",
            "Name": "name",
            "Email": "email"
          },
          "autoRegister": true,
          "projectId": ""
        }
      }

- Mount the OIDC configuration file (as follows), then restart the service.

      - ./volume/sso/sso.json:/usr/local/MDPrivateDeployment/sso/OptionFile/sso.json

- Restart completed.
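An added example, not part of the HAP documentation: a small offline linter for the oidc block of the sso.json shown above, checking the settings that most often break or weaken an OIDC login. It assumes that params maps a HAP user field to an OIDC claim name (inferred from the sample); lint_sso_config, SCOPE_CLAIMS, LOOPBACK and PAGE_SAMPLE are illustrative names.

```python
from urllib.parse import urlparse

# Claims released per standard scope (OpenID Connect Core 5.4, subset).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "given_name", "family_name", "picture", "locale"},
    "email": {"email", "email_verified"},
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the "oidc" object from this page, placeholders kept.
PAGE_SAMPLE = {"oidc": {
    "clientId": "x-x.apps.googleusxx",
    "clientSecret": "x-xxxyZwQgUtLSDL17Zpxxx",
    "oidcUrl": "https://accounts.google.com/.well-known/openid-configuration",
    "redirectUrl": "http://localhost:3000/oidc-redirect",
    "responseTypes": "code",
    "scope": "openid email profile",
    "params": {"UserId": "sub", "Name": "name", "Email": "email"},
}}


def lint_sso_config(cfg):
    """Return findings for an sso.json dict shaped like the one on this page."""
    oidc, findings = cfg.get("oidc", {}), []
    if urlparse(oidc.get("oidcUrl", "")).scheme != "https":
        findings.append("oidcUrl: fetch the discovery document over https")
    redirect = urlparse(oidc.get("redirectUrl", ""))
    if redirect.scheme != "https" and redirect.hostname not in LOOPBACK:
        findings.append("redirectUrl: plain http is only acceptable on loopback")
    if oidc.get("responseTypes") != "code":
        findings.append("responseTypes: use the authorization code flow")
    scopes = set(oidc.get("scope", "").split())
    if "openid" not in scopes:
        findings.append("scope: 'openid' is required")
    # Assumption: params maps a HAP user field to an OIDC claim name, so
    # each claim must be released by one of the requested scopes.
    released = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    params = oidc.get("params", {})
    for field, claim in params.items():
        if claim not in released:
            findings.append(f"params.{field}: '{claim}' needs a scope that releases it")
    if params.get("UserId") != "sub":
        findings.append("params.UserId: key accounts on 'sub', not a mutable claim")
    if not oidc.get("clientSecret"):
        findings.append("clientSecret: missing")
    return findings
```

Load the mounted file with json.load and pass the resulting dict to lint_sso_config; an empty list means no findings.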
User SSO Login
- Enter {HAP}/orgsso/oidc or {HAP}/orgsso/sso in the browser to log in.
- Log in to the organizational account and authorize.
- Switch to an external user.
- Access is prohibited.
