Configuration Manual/Google Integration
Overview
This article describes the configuration required for integration with Google APIs.
This is Premium functionality. Learn more about the benefits of Openbravo's commercial editions.
Google Accounts
Starting from Openbravo 3.0MP2 you can log in to an Openbravo instance using your Google Account. There are two ways to use the Google Accounts authentication service:
- Link an existing Openbravo user name with a Google Account
- Configure an instance to allow any user with a Google Account to log in to the application. If no Openbravo user is linked to that Google Account, a new one is created using defaults.
You need to be aware of the security implications of enabling the second option. This feature is offered for public instances like demo.openbravo.com where the data is public, or for an instance behind a corporate firewall that is not publicly accessible. DO NOT ENABLE DEFAULT SETTINGS FOR NEW USERS IF YOUR INSTANCE IS PUBLICLY ACCESSIBLE.
Google Account association
- Log in with your existing Openbravo user
- Open the Google Account Association process
- Click OK
- Allow your instance to access your Google Account.
- Note: The authentication only requests: Name, Last name, Email
- The application host-name (Localhost) will change based on your instance address
- You must check "Remember this approval" to avoid being asked every time you try to log-in
- Process completed
- You can log out and log in again using the 'G' button.
Remove Association
- The user can revoke access from their Google Account settings
- The Client Administrator can remove the record of the association in the User window > OpenID Identifier tab
Google Integration Preferences
New User Defaults
As explained in the Google Accounts section, you can define a default role for your Client. This default role is the one used to create a new user if the Google Account has no Openbravo user associated with it.
- Open: Google Integration Preferences
- Create a new record
- Pick the most restrictive role you have.
- Note: If you want to restrict access, you should configure a role that only allows the user to log in. After the user is created by the authentication process, the Client Administrator can define more roles for the user.
- New User Active: Whether the newly created user is active by default.
- Default: If you have several roles configured, only the default one will be used
After configuring these default preferences, any user with a Google Account can log in to the application. If no Openbravo user is associated, a new one is created with the defaults previously defined.
Server Configuration
Apache Tomcat configuration
This configuration is only required if you made a Custom Installation.
URIEncoding: This specifies the character encoding used to decode the URI bytes, after %xx decoding the URL. If not specified, ISO-8859-1 will be used.
The default encoding for parameters in Apache Tomcat is ISO-8859-1 and that leads to this error:
ERROR org.openid4java.consumer.ConsumerManager - Verification failed for: https://www.google.com/accounts/o8/id?id=SomeToken reason: null
ERROR org.openbravo.service.integration.google.GoogleAuthServlet - Error processing return of Google Auth Service:null
The solution is to set the encoding to UTF-8 in your connectors (depending on which one you're using):
- http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
- http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
Example (server.xml):
<Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
More information at openid4java forum post
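The following check is an added example, not part of the Openbravo documentation: it lists every Connector in a server.xml and flags those that still fall back to the ISO-8859-1 default described above, covering both HTTP and AJP connectors. The sample server.xml and the value `Jos%C3%A9` are constructed; that a mis-decoded non-ASCII value like this is what makes verification fail is an assumption here, not something the page states.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed server.xml: the HTTP connector is fixed, the AJP one is not.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
               protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Encoding used when URIEncoding is not specified, as stated in the text above.
TOMCAT_DEFAULT = "ISO-8859-1"


def audit_connectors(server_xml):
    """Return one finding per <Connector>: port, protocol, effective encoding, ok."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        encoding = conn.get("URIEncoding", TOMCAT_DEFAULT)
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "encoding": encoding,
            "ok": encoding.upper() in ("UTF-8", "UTF8"),
        })
    return findings


def decode_query_value(raw, encoding):
    """Percent-decode a query value using the given connector charset."""
    return unquote(raw, encoding=encoding)


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK " if f["ok"] else "FIX"
        print(f"{status} port={f['port']} protocol={f['protocol']} "
              f"URIEncoding={f['encoding']}")
    # Constructed value: a name with a non-ASCII letter, UTF-8 percent-encoded.
    raw = "Jos%C3%A9"
    print("UTF-8     :", decode_query_value(raw, "UTF-8"))
    print("ISO-8859-1:", decode_query_value(raw, "ISO-8859-1"))
```

Point the function at the contents of your own server.xml and fix every connector reported with `ok` set to false that receives the Google return request.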
Disabling Google integration
Professional Instances
You just need to create a new Preference with the property
- As System Administrator
- Open the Preference window
- Create a new Preference and pick the property: Enable Google button in Login Page
- Set the value to: N
Community Instances
If the integration with Google accounts is not required in your deployment you can disable this module.
To do it, as System Administrator, go to Application Dictionary || Module, select the module Integration with Google APIs and uncheck the field Enabled. Go to the login page and you can see that the sign in option with Google is not available.





