Google authentication lets site admins and portal users log into Finalsite using their Google credentials via the OAuth 2.0 protocol. Finalsite never stores Google passwords and only receives a confirmation token after users authenticate directly with Google. Staggered login must be enabled for all users when Google authentication is activated.
💡 Quick answers
- Does Finalsite store or access Google passwords when using Google authentication? No; Finalsite uses OAuth 2.0 and only receives a secure confirmation token after users authenticate directly with Google. No Drive, email, or other Google Workspace data is accessed.
- What is staggered login and why is it required for Google authentication? Staggered login separates the username and password into two screens; it must be enabled for all users (admin and portal) when Google authentication is activated on a site.
- What are the key requirements before Google authentication can be activated? All users in Google-authenticated roles must have corresponding Google accounts with matching primary email addresses, and the school must be using Composer (not Page Manager).
- Which SIS integrations may conflict with Google authentication? Veracross, Senior Systems, and Renweb; users of those systems must authenticate via their SIS for SSO links to work, not via Google.
- Is it possible to use Two Factor Authentication with Google authentication in Finalsite? Yes, as long as 2FA is already configured on the user's Google account before using it with Finalsite; it cannot be set up for the first time during the Finalsite login process.
Google authentication allows site users and admins to log in to your website using their Google username and password.
This article describes how Google authentication works for users, and what’s required before a site can convert to using Google logins.
Security & data privacy
Does Finalsite have access to our Google data? No. The authentication process uses the OAuth 2.0 protocol, which ensures that the login transaction stays entirely within your Google environment.
- No Credential Storage: Finalsite never sees or stores Google passwords.
- Direct Authentication: Users authenticate directly with Google; Finalsite only receives a secure confirmation token once the user has successfully logged in.
- Data Privacy: We do not have access to your school’s Drive files, emails, or other sensitive Workspace data. The integration is strictly used to verify the user's identity to grant access to the CMS.
User experience
All admin user logins to Finalsite websites are “staggered,” meaning that the username and password fields are on separate screens rather than having both fields displayed together and submitted with a single “log in” button.
In order to use Google Authentication, this staggered login process must be activated for all users, both admins and portal users.
For Google Authentication users
After the user submits their Google username, Composer pops open the Google login form and prompts the user for their password. The user enters their Google password and is automatically redirected back to the site, where they’re logged in.
If the user has more than one Google account, they will be able to select which account they want to use to log in to the website.
Update September 2022
Because of recent security updates to browsers, some users cannot use Google authentication to log into Finalsite without changing their browser security settings to make them less secure. The "redirect workflow" that Finalsite has used for Google authentication (allowing users to enter their Google credentials from the same browser tab instead of opening a popup) is no longer considered best practice due to cross-site cookies.
For other authentications
After the user submits their website username, Composer displays a password field and prompts the user for their password. The user enters their website password and is logged into the site.
Requirements and exceptions
There are several requirements that websites must meet before Google Authentication can be activated:
- The school must be using Composer; Google Authentication is not compatible with Page Manager.
- All users in admin groups or roles set to Google Authentication must have a corresponding Google account.
- We also recommend having the Finalsite Username match the email address associated with the corresponding user's Google account to avoid any user confusion in the login process from having disparate usernames.
- Users' Primary Email Address needs to match the email address associated with the corresponding user's Google account.
- Fallback authentications (to allow Google-authenticated roles to use Finalsite authentication if Google is unavailable for some reason) are not currently available.
- Some SIS integrations or SSO options may conflict with Google Authentication:
  - For Veracross, Senior Systems, or Renweb, users MUST log in using the SIS authentication in order for SSO links to work. Using Google to authenticate into Finalsite and then trying to access one of these systems via an SSO will not work. (This may not affect site admins as much as it does portal users.)
  - It’s recommended that SSOs be configured to use the same username values as the Google authentication, whenever possible.
- If a user's Google Account utilizes Two Factor Authentication (2FA), this will need to be configured for their account prior to using the authentication in Finalsite. In other words, the 2FA method must be set up already; it can't be configured during or after the Finalsite login process. This relates only to a user's setup of 2FA for their account; setting up 2FA requirements on the domain level should not impact the authentication with Finalsite.
- Third-party authentication logs you into both Finalsite and Google. This means you must log out of both if you are using a public computer.
We recommend that any roles authenticating via Google have the ability to self-update passwords disabled in Constituent Manager > Roles > Settings.
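A pre-activation check of the requirements above, as an added example that is not Finalsite code: it audits a user roster against the list of Google account addresses and flags users who would fail the email-match requirement, along with the username and SIS warnings. The CSV column names, the sample data, and the case-insensitive comparison are assumptions made for this example.

```python
import csv
import io

# Constructed sample data. The column names are assumptions for this example,
# not a real Finalsite export format.
ROSTER_CSV = """username,primary_email,role_auth,sis
jdoe@school.example,jdoe@school.example,google,
msmith,Mary.Smith@school.example,google,
tlee@school.example,tlee@school.example,google,veracross
kwong@school.example,kwong@oldschool.example,google,
pgray,pgray@school.example,finalsite,
"""
GOOGLE_ACCOUNTS = {"jdoe@school.example", "mary.smith@school.example",
                   "tlee@school.example", "kwong@school.example"}
SIS_SSO_CONFLICTS = {"veracross", "senior systems", "renweb"}  # named in the article


def audit(roster_csv, google_accounts):
    """Return {username: [findings]} for users in Google-authenticated roles."""
    # Addresses are compared case-insensitively (an assumption of this example).
    known = {a.strip().lower() for a in google_accounts}
    findings = {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        if row["role_auth"].strip().lower() != "google":
            continue  # roles using other authentications are not affected
        user = row["username"].strip()
        email = row["primary_email"].strip().lower()
        issues = []
        if email not in known:
            # The article lists no fallback authentication, so treat as a blocker.
            issues.append("BLOCKER: primary email has no matching Google account")
        if user.lower() != email:
            issues.append("WARN: username differs from Google email")
        if row["sis"].strip().lower() in SIS_SSO_CONFLICTS:
            issues.append("WARN: SIS SSO links require SIS authentication")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(ROSTER_CSV, GOOGLE_ACCOUNTS).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Resolve every BLOCKER line before switching a role to Google Authentication; WARN lines are the recommendation and SIS caveats from the list above.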