OAuth 2.0
Locktera OAuth 2.0 Integration with Microsoft and Google
Locktera supports OAuth 2.0 integration with Microsoft and Google, allowing users to authenticate securely via their existing Microsoft or Google accounts. This integration simplifies login for end users by enabling Single Sign-On (SSO) with two of the most widely used identity providers. This document covers how to configure and integrate Locktera with Microsoft and Google OAuth 2.0 for streamlined user authentication.
Key Features of OAuth 2.0 Integration
- Single Sign-On (SSO): Users can log in to Locktera using their Microsoft or Google credentials without needing to create or manage separate usernames and passwords.
- Simplified User Management: Leverage the existing identity management infrastructure of Microsoft Azure Active Directory (Azure AD) or Google Workspace to manage users, permissions, and access.
- Enhanced Security: OAuth 2.0 provides delegated, token-based access, so users' identity-provider passwords are never shared with Locktera.
- Compliance: Using trusted identity providers ensures alignment with security policies and compliance regulations, reducing the burden on IT teams.
Prerequisites
Before setting up OAuth 2.0 integration, make sure the following requirements are met:
- Administrative Access: You need administrative access to Locktera and either Microsoft Azure Active Directory (Azure AD) or Google Workspace.
- OAuth Client Setup: You need to create OAuth 2.0 credentials (Client ID and Client Secret) in the respective identity provider (Azure AD or Google).
- Locktera Configuration Access: You must have permissions within Locktera to configure the authentication methods.
Setting Up Microsoft OAuth 2.0 Integration
Step 1: Register Locktera in Azure Active Directory
To enable Microsoft OAuth 2.0 for Locktera, follow these steps:
- Log in to Azure Portal: Go to the Azure Active Directory portal and log in with an admin account.
- Create a New App Registration:
  - Navigate to Azure Active Directory > App registrations > New registration.
  - Enter a name for the application (e.g., Locktera SSO).
  - Set Supported account types to "Accounts in this organizational directory only" or the desired scope.
  - In the Redirect URI section, select Web and enter the following URL:
    - For general users: https://share.locktera.com/oauth/callback
    - For UK-based users: https://uk.locktera.com/oauth/callback
  - Click Register.
- Get Client ID and Tenant ID:
  - After the app is registered, navigate to the Overview section to find the Application (client) ID and Directory (tenant) ID. These will be required later for Locktera configuration.
- Create a Client Secret:
  - Go to Certificates & Secrets > New client secret.
  - Add a description and set the expiration period (e.g., 1 year or 2 years).
  - After creation, copy the Client Secret. You will not be able to view it again, so store it securely.
- Set API Permissions:
  - Navigate to API Permissions and add the following permissions:
    - Microsoft Graph > Delegated permissions: email, openid, profile, and User.Read.
  - Grant admin consent to the permissions.
Step 2: Configure Locktera for Microsoft OAuth
Once the Azure AD app is created and configured, follow these steps to complete the setup in Locktera:
- Log in to Locktera as an administrator.
- Navigate to Settings > Authorization Methods > OAuth 2.0.
- Select Microsoft as the identity provider and enter the following information:
  - Client ID: The Application (client) ID from Azure.
  - Client Secret: The secret key generated in Azure AD.
  - Tenant ID: The Directory (tenant) ID from Azure AD.
  - Authorization URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
  - Token URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
- Test Connection: Use the provided test button to ensure that Locktera can authenticate with Azure AD successfully.
- Save Changes.
Setting Up Google OAuth 2.0 Integration
Step 1: Create OAuth Credentials in Google Cloud Console
To configure Google OAuth 2.0, you need to create credentials in the Google Cloud Console:
- Log in to Google Cloud Console: Go to the Google Cloud Console and log in with your admin account.
- Create a New Project:
  - If you don’t have an existing project, click Select Project > New Project and name it (e.g., Locktera SSO).
- Enable OAuth Consent Screen:
  - Go to APIs & Services > OAuth consent screen.
  - Select Internal or External based on your organization's needs.
  - Fill in the required fields such as App name, User support email, and Authorized domains (locktera.com).
- Create OAuth Credentials:
  - Navigate to APIs & Services > Credentials > Create Credentials > OAuth 2.0 Client IDs.
  - Set Application type to Web application.
  - In the Authorized redirect URIs section, enter:
    - For general users: https://share.locktera.com/oauth/callback
    - For UK-based users: https://uk.locktera.com/oauth/callback
  - Click Create to generate a Client ID and Client Secret.
- Copy Credentials:
  - Once created, copy the Client ID and Client Secret. These will be needed for Locktera configuration.
Step 2: Configure Locktera for Google OAuth
With the Google OAuth credentials ready, you can now configure Locktera:
- Log in to Locktera as an administrator.
- Go to Settings > Authorization Methods > OAuth 2.0.
- Select Google as the identity provider and enter the following information:
  - Client ID: The Client ID from Google Cloud.
  - Client Secret: The secret key from Google Cloud.
  - Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
  - Token URL: https://oauth2.googleapis.com/token
- Test Connection: Use the provided test button to ensure that Locktera can authenticate with Google successfully.
- Save Changes.
Using OAuth 2.0 for Locktera Login
Once OAuth 2.0 integration with Microsoft or Google is configured, users will be able to log in to Locktera using their Microsoft or Google accounts.
Login Flow:
- Navigate to Locktera: Users access the Locktera login page at https://share.locktera.com or https://uk.locktera.com.
- Select a Provider: Users will see login buttons for Microsoft or Google, based on the options configured by the administrator.
- Authenticate: Clicking the provider will redirect users to Microsoft or Google to authenticate using their existing credentials.
- Access Granted: After successful authentication, users are redirected back to Locktera and granted access based on their assigned roles and permissions.
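The login flow above as a worked example (added here; this is not Locktera's own code): it builds the authorization request for either provider from the endpoints and redirect URIs listed in this document, validates the provider's redirect back to the callback, and prepares the server-side code exchange. The Google scope string and the `state` check are assumptions not stated on the page; tenant ID, client ID and secret values are placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints and redirect URIs are those in the configuration steps above;
# the Google scope string is an assumption (the page lists none for Google).
PROVIDERS = {
    "microsoft": {"auth": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize",
                  "token": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token",
                  "scopes": "openid profile email User.Read"},
    "google": {"auth": "https://accounts.google.com/o/oauth2/v2/auth",
               "token": "https://oauth2.googleapis.com/token",
               "scopes": "openid profile email"},
}
REDIRECT_URIS = {"general": "https://share.locktera.com/oauth/callback",
                 "uk": "https://uk.locktera.com/oauth/callback"}

def authorization_request(provider, client_id, region="general", tenant_id=""):
    """Return (authorize URL, state); the caller stores `state` in the login session."""
    cfg = PROVIDERS[provider]
    state = secrets.token_urlsafe(32)  # unguessable and fresh for every login attempt
    params = {"client_id": client_id,
              "response_type": "code",                # authorization-code grant
              "redirect_uri": REDIRECT_URIS[region],  # must equal the registered URI exactly
              "scope": cfg["scopes"],
              "state": state}
    return cfg["auth"].replace("{tenant-id}", tenant_id) + "?" + urlencode(params), state

def parse_callback(callback_url, expected_state, region="general"):
    """Validate the provider's redirect and return the authorization code.
    Rejects a callback at the wrong redirect URI (the Troubleshooting mismatch case),
    a provider error, and a `state` that differs from the one issued (forged/replayed)."""
    p = urlparse(callback_url)
    if f"{p.scheme}://{p.netloc}{p.path}" != REDIRECT_URIS[region]:
        raise ValueError("redirect URI mismatch")
    q = parse_qs(p.query)
    if "error" in q:
        raise ValueError("provider error: " + q["error"][0])
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return q["code"][0]

def token_request(provider, code, client_id, client_secret, region="general", tenant_id=""):
    """Return (token URL, form body) for the back-channel code exchange."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URIS[region],  # same value as in the authorize step
            "client_id": client_id, "client_secret": client_secret}  # secret never reaches the browser
    return PROVIDERS[provider]["token"].replace("{tenant-id}", tenant_id), body
```

The form body returned by `token_request` is what the server POSTs to the Token URL; the resulting tokens are what Locktera refreshes on the user's behalf, as noted under Security Considerations.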
Security Considerations
- Token Expiration: OAuth 2.0 tokens have expiration periods. Locktera will handle token refresh automatically, but users may need to re-authenticate after extended inactivity.
- Multi-Factor Authentication (MFA): If MFA is enabled in your Microsoft or Google account, it will be enforced during the OAuth 2.0 login flow.
- Revoking Access: Administrators can revoke access tokens or OAuth credentials in Microsoft Azure or Google Cloud Console if a security incident occurs.
Troubleshooting
1. Invalid Client ID or Secret
- Ensure that the correct Client ID and Client Secret are entered into Locktera's OAuth settings. If needed, regenerate credentials in Azure AD or Google Cloud Console.
2. Failed Authorization
- Check that the redirect URIs in Locktera's OAuth settings exactly match (scheme, host, and path) the redirect URIs registered in Azure AD or Google Cloud Console.
- Confirm that the app permissions (e.g., email, profile) are granted in Azure AD or Google Workspace.
3. Users Unable to Log In
- Ensure that the correct OAuth 2.0 providers are enabled and visible on the Locktera login page.
- Verify user permissions in both Locktera and the identity provider to ensure users have the necessary access.
FAQs
Q1: Can I enable both Microsoft and Google OAuth simultaneously?
A: Yes, you can enable both Microsoft and Google as OAuth 2.0 providers. Users will have the option to choose their preferred provider during login.
Q2: How do I enforce OAuth 2.0 exclusively for all users?
A: You can disable other authentication methods (e.g., email login) in the Locktera settings and enable only OAuth 2.0 for Microsoft and Google.
Q3: Can I restrict access to certain domains (e.g., company emails)?
A: Yes, you can configure domain restrictions in Azure AD and Google Workspace to limit access only to users from specific domains.