As a follow-up, I’ve installed the plugin and I am able to log in using my Google Apps account. So, it does appear to work.
It looks like you can only have a single group within FarCry that all users who log in are assigned to, is that really correct? I need to be able to have two separate groups of users managed completely in Google Apps and when they log in, FarCry maps their Google Group assignments to FarCry groups similar to how the LDAP plugin works. Any thoughts?
Yeah it doesn’t appear to. I may have to manually query the API for the group membership in just the app where this matters. We can then manually manage FC group membership for Google UD users, at least theoretically.
While I have you, now that the plugin is installed, I cannot get to the Webtop login screen. So I am unable to choose either CLIENTUD or GUD. It seems the plugin has taken over and using CLIENTUD is no longer available. If I log out, I am taken to the Google “Choose your account” screen instead of the webtop login screen. Even clearing cookies doesn’t help. Am I missing a setting somewhere?
Re Google oAuth 2 – we definitely need to make sure that’s going. I’m not sure what needs to be changed from the plugin side – I’ve set up some recently without complaint from Google so it may be just the Google API account setup that needs attention.
If you stumble across something let us know in the issue comments, and we’ll do our best to fix ASAP.
You may have inadvertently placed Google oauth as the primary user directory. As it’s an automated login you never get a choice from that point on.
You can put a url variable on the login url to nominate a specific user directory, or remove the plugin temporarily and set the config for security to CLIENTUD as the default, rather than defaulting to the first user directory found.
Hmmm… So everyone who logs in with an email on a given domain must all be members of the same group? I see no way to map a user to a FarCry group, so everyone gets the same permissions? That can’t be right. I must be missing something.
If that is the case then people who are sysadmins or siteadmins would have to use a CLIENTUD account and there would be no way to restrict regular users from accessing areas of the webtop they should not have access to.
Geoff, you say Daemon uses it, does everyone at Daemon get the same rights once they are logged into the webtop??
You set a default group for new profiles, and can then manually promote users to whatever roles you need. The initial group/role assignment only occurs the first time a user logs in, i.e. when the dmProfile content item is created.
Ideally the Google auth event would send back some group information, or at least an additional call back to the api could establish the group membership. But the plugin doesn’t do this at the moment.
As Geoff says, the Google UD was built to automatically map users to a default group based on domain name (usually a company’s own domain name when they use Google Apps for business) so this can quickly and easily let users be authenticated using Google oAuth.
We commonly use this for access to client webtops without having to manage accounts in each application.
You can create additional gudGroups and assign users to them and those groups can be mapped to roles as per usual. This is probably fine if you don’t have a large number of different user/role combinations to deal with.
I’m not sure about querying group membership from Google (perhaps that could be done via the Directory API?) but the plugin wasn’t built with this in mind.