This article details how to set up Google authentication, so users can sign in using the Google Sign-In button on the SSL and non-SSL Login pages.
Important
If the user’s device opens the Login page in a window that is not a web browser, the Google sign-in button won’t work.
Before you begin
Smoothwall Appliance settings
Ensure:
- You have synced your Google Directory to Smoothwall.
- The Smoothwall Appliance hostname is a valid FQDN (Fully Qualified Domain Name), not a short hostname.
- You have a Web proxy authentication policy to Redirect users to non-SSL login page or Redirect users to SSL login page.
- You have a Smoothwall access rule to Accept traffic for the Other web access on HTTPS (442) service.
- You add a Web Filter policy to Do Not Filter the Google Authentication category.
User device settings
- Ensure devices store session cookies for all browsers, as this is required for authentication to function.
- To prevent a certificate error when trying to access the SSL Login page:
  - Deploy a certificate to devices using a Group Policy or the getcert page.
  - For BYO devices, use a certificate purchased from a real-world third-party Certificate Authority vendor. Clients automatically trust this certificate, so you don't need to deploy it to the device.
    - Import the certificate.
    - Go to System > Preferences > User interface. In the Certificates section, change the User-facing HTTPS services field to use the new certificate, then select Save.
Note
The certificate is not required if using the non-SSL Login page. However, this option is less secure because it uses HTTP to submit the username and password.
Step 1: Link your Smoothwall Appliance to Google
If you already have a client ID and client secret, you can find them in the Google API Console on the Credentials page. If you need to create them, follow this procedure:
- Sign in to Google Auth Platform.
- Create an OAuth 2.0 Client ID with the Application type of Web Application.
- Note your Client ID and Client secret.
- Add these items as Authorized JavaScript origins:
  - If using the SSL Login page, enter https://proxy.smoothtest.com:442 where proxy.smoothtest.com is the hostname where users will sign in.
  - The non-SSL Login page uses HTTP to submit the username and password, so it isn’t secure. If you are sure you need to use this method, enter an HTTP version of the URL without the port number. For example: http://proxy.smoothtest.com
  - If you’ll be using both the SSL and non-SSL Login pages, add both.
- Add these items as Authorized redirect URIs:
  - If using the SSL Login page, enter the URL the Smoothwall Appliance will use to communicate with Google. This is the hostname and port number configured for Authorized JavaScript origins, with oauth2callback as the path. For example, https://proxy.smoothtest.com:442/oauth2callback
  - If you are using the non-SSL Login page, enter the HTTP version of the Smoothwall URL without the port number. For example, http://proxy.smoothtest.com/oauth2callback
  - If you’ll be using both the SSL and non-SSL Login pages, add both.
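The origin and redirect URI formats described in Step 1 can be checked before you enter them in the Google console. The following Python sketch is an added example, not Smoothwall or Google code; the function names are hypothetical, and the hostname is this article's own example value.

```python
from urllib.parse import urlsplit

SSL_PORT = 442                    # "Other web access on HTTPS (442)" service in this article
CALLBACK_PATH = "/oauth2callback"

def expected_entries(fqdn, ssl=True, non_ssl=False):
    """Return (origins, redirect_uris) to register for the appliance hostname."""
    if "." not in fqdn.strip("."):
        raise ValueError(f"{fqdn!r} is a short hostname; FQDN required")
    origins = []
    if ssl:
        origins.append(f"https://{fqdn}:{SSL_PORT}")
    if non_ssl:
        origins.append(f"http://{fqdn}")      # non-SSL Login page: no port number
    return origins, [o + CALLBACK_PATH for o in origins]

def check_entry(url, kind):
    """List problems with one registered entry; kind is 'origin' or 'redirect'."""
    problems = []
    u = urlsplit(url)
    if "." not in (u.hostname or ""):
        problems.append("host is not a FQDN")
    if u.scheme == "https":
        if u.port != SSL_PORT:
            problems.append(f"SSL login page entry must use port {SSL_PORT}")
    elif u.scheme == "http":
        if u.port is not None:
            problems.append("non-SSL entry must not include a port number")
        problems.append("warning: non-SSL login page submits credentials over HTTP")
    else:
        problems.append("scheme must be http or https")
    want_path = "" if kind == "origin" else CALLBACK_PATH
    if u.path != want_path:
        problems.append(f"path must be {want_path or 'empty'}")
    return problems

if __name__ == "__main__":
    origins, redirects = expected_entries("proxy.smoothtest.com", ssl=True, non_ssl=True)
    for kind, urls in (("origin", origins), ("redirect", redirects)):
        for url in urls:
            print(kind, url, check_entry(url, kind) or "ok")
    # Constructed example of a common mistake: SSL redirect URI missing the port.
    print(check_entry("https://proxy.smoothtest.com/oauth2callback", "redirect"))
```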
Step 2: Set up the Login page in Smoothwall Appliance
- Go to Services > Authentication > Google.
- Select the Google Sign-In button checkbox so users can sign in with Google instead of a username and password.
- For Approved domains:
  - Select the Allow logins from the following domains checkbox to only authenticate users from the domains you enter into the box.
    - If you allow browsing without authentication, users will be treated as Unauthenticated IPs.
    - If you redirect users to the Login page using your Web proxy authentication policies, users who don’t sign in using an approved domain can’t log in, authenticate or continue browsing.
  - Don’t select the checkbox and leave the box blank to allow authentication for all domains.
- Select the Remove domain name checkbox to change from displaying the full username including the domain (for example, g.mabo@example.com) to only the username (for example, g.mabo) on the User activity page.
- Select the Validate user identity checkbox if you have selected the Google Sign-In button checkbox. Although you can have this checkbox selected and the Google Sign-In button checkbox clear, there is no reason to do so.
- Enter the Client ID and Client Secret.
Note
These fields only appear when you select the Validate user identity checkbox.
- Select Save changes.