Google Single Sign-On (E20)

Follow these steps to configure Mattermost to use Google as a Single Sign-on (SSO) service for team creation, account creation, and sign-in.

Note:

  • Google SSO is not yet supported in the Mattermost Mobile app. If you want to use Google SSO on mobile, you’ll have to build your own app.
  • The Google People API has replaced the Google+ API, which was deprecated by Google as of March 7th, 2019 per their notice at https://developers.google.com/+/api-shutdown.
  1. Go to Google API Manager, click Credentials in the left hand sidebar, click Create a project and enter “Mattermost - your-company-name” as the Project Name, then click Create.

../_images/google_1_credentials1.png

  1. In the Dashboard click the option to ENABLE APIS AND SERVICES.

../_images/google_enable_api1.png

Once in the API Library, scroll down to Google People API and click Enable in the header. This might take a few minutes to propagate through Google’s systems.

  1. Leave the Google+ API menu to return to the APIs & Services menu. In the left hand sidebar select Credentials, click the OAuth consent screen header and enter “Mattermost” as the Application Name, then click Save.

../_images/google_3_oauth_consent_screen1.png

Scroll further down to add your Mattermost instance to a list of authorized domains that can access the API. For example, if it is hosted on mattermost.yourdomain.com add yourdomain.com.

../_images/google_authorised_domains1.png

  1. Select Credentials and click Create credentials, then choose OAuth client ID from the drop-down list.

../_images/google_3_oauth_client_id1.png

  1. Select Web Application as the Application type, and choose a descriptive Name for the OAuth connection.

Under Restrictions > Authorized redirect URIs, enter your-mattermost-url/signup/google/complete (example: http://localhost:8065/signup/google/complete). Click Create.

../_images/google_4_web_app1.png

  1. Copy the Client ID and Client Secret, which will be used to configure Google SSO for Mattermost.

../_images/google_5_client_id_secret1.PNG

  1. In System Console > OAuth 2.0 > Select OAuth 2.0 service provider, choose Google Apps as the service provider and enter Client ID and Client Secret from step 6 in their respective fields.

Note:

  • You may also enter Client ID and Client Secret fields from step 6 directly in GoogleSettings section of config/config.json.
  • The following default values in GoogleSettings section of config/config.json are recommended:
    • Scope: profile email
    • AuthEndpoint: https://accounts.google.com/o/oauth2/v2/auth
    • TokenEndpoint: https://www.googleapis.com/oauth2/v4/token
    • UserApiEndpoint: https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata