Google authentication allows site users and admins to login to your website using their Google username and password.
This article describes how Google authentication works for users, and what’s required before a site can convert to using Google logins.
In this Article
User experience
All admin user logins to Finalsite websites are “staggered,” meaning that the username and password fields are on separate screens rather than having both fields displayed together and submitted with a single “log in” button.
In order to use Google Authentication, this staggered login process must be activated for all users, both admins and portal users.
For Google Authentication users
After submitting their Google username, Composer will pop open to the Google login form and prompt the user for their password. The user enters their Google password and is automatically redirected back to the site, where they’re logged in.
If the user has more than one Google account, they will be able to select which account they want to use to login to the website.
Update September 2022: Because of recent security updates to browsers, some users cannot use Google authentication to log into Finalsite without changing their browser security settings to make them less secure. The "redirect workflow" that Finalsite has used for Google authentication (allowing users to enter their Google credentials from the same browser tab instead of opening a popup) is no longer considered best practice due to cross-site cookies.
As such, effective September 19, 2022, Finalsite will change the authentication workflow from "redirect" to "popup." This change means that users authenticating with Google will see a popup window rather than being redirected to the authentication screen in the current tab. Doing so ensures that browsers will not block the cookies needed to allow the user to authenticate into Google and Finalsite.
For other authentications
After submitting their website username, Composer displays a password field and prompts the user for their password. The user enters their website password and is logged into the site.
Requirements and exceptions
There are several requirements that websites must meet before Google Authentication can be activated:
-
The school must be using Composer; Google Authentication is not compatible with Page Manager.
-
All users in admin groups or roles set to Google Authentication must have a corresponding Google account.
-
We also recommend having the Finalsite Username match the email address associated with the corresponding user's Google account to avoid any user confusion in the login process from having disparate usernames.
-
Users' Primary Email Address needs to match the email address associated with the corresponding user's Google account.
-
Fallback authentications (to allow Google-authenticated roles to use Finalsite authentication if Google is unavailable for some reason) are not currently available.
-
-
Some SIS integrations or SSO options may conflict with Google Authentication:
-
For Veracross, Senior Systems, Blackbaud On, or Renweb, users MUST login using the SIS authentication in order for SSO links to work. Using Google to authenticate into Finalsite then trying to access one of these systems via an SSO will not work. (This may not affect site admins as much as it does portal users).
-
It’s recommended that SSOs be configured to use the same username values as the Google authentication, whenever possible.
-
-
If a user's Google Account utilizes Two Factor Authentication (2FA), this will need to be configured for their account prior to using the authentication in Finalsite. In other words, the 2FA method must be set up already, it can't be configured during or after the Finalsite login process. This relates only to a user's setup of 2FA for their account; setting up 2FA requirements on the domain level should not impact the authentication with Finalsite.
-
Third-party authentication logs you into both Finalsite and Google. This means you must log out of both, if accessing on a public computer.
We recommend that any roles authenticating via Google have the ability to self-update passwords disabled in Constituent Manager > Roles > Settings.
Comments
Please Sign in to leave a comment if you don't see the comment box below.