# Authentication Providers

<figure><img src="https://1671598980-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0muDd0LkZG6CmTQvGQ4D%2Fuploads%2FQGiFKNYXsiRRLOEwflec%2FSCR-20260123-mjgm.png?alt=media&#x26;token=503d3306-10f1-4a56-affe-94ea4207015c" alt=""><figcaption></figcaption></figure>

The **Authentication Providers** section allows you to configure **how users authenticate** in Gaio DataOS, combining traditional authentication, enhanced security, and third-party identity providers (SSO). These settings are **project-wide** and directly impact security, access governance, and user experience.

In this section, you can:

* Define global authentication policies.
* Enable or disable **Two-Factor Authentication (2FA).**
* Configure session timeout.
* Allow or restrict email/password login.
* Integrate **third-party authentication providers (SSO).**

### Authentication Settings

* Two-factor authenticator (Google Authenticator, Microsoft Authenticator, Authy, etc.)
  * Adds an extra security layer to user login
  * Based on time-based authenticator apps
  * Strongly recommended for:
    * Corporate environments
    * Sensitive data projects
    * Multi-user workspaces
* Session timeout (zero for infinite): Defines the maximum duration of an active session.
* Activate third party providers
  * Enables external authentication providers
  * Uses OAuth / identity federation standards

### Authentication Flow

User opens the login page\
→ Selects an available authentication method.\
→ (Optional) Completes 2FA validation.\
→ Session starts based on the configured timeout.

## Step-by-Step Guide to Obtain Google Credentials

### How to Create a Google Account to Use as an Authentication Provider

1. Access Google Cloud Console
   1. Log in to the Google Cloud Console using the link: <https://console.cloud.google.com/>
2. Create a New Project
   1. Click on **“Select a project”.**
   2. A popup will open — click **“New Project”.**
   3. You will be redirected to the project creation page.
   4. Fill in:
      * **Project name**
      * **Organization location** (if applicable)
   5. Click **“Create”**
3. Google Cloud Free Trial (Optional)
   1. After creating the project, you may be redirected to the **“Start your free Google Cloud trial”** screen.
      1. You can agree and continue
      2. Choose whether the account will be:
         * Organizational
         * Personal
4. Access Google Auth Platform
   1. Once your account is ready, go to: <https://console.cloud.google.com/products>
      1. In the **“All products”** list, find and click **“Google Auth Platform”**
      2. On the main screen, under the **“Overview”** tab, click **“Get started”**
      3. Fill out the form and create a new configuration
5. Create OAuth Client
   1. After completing the setup, you will see a screen with:
      1. **Metrics**
      2. **Project Check-up**
         * In this screen, under **Metrics**, click **“Create an OAuth client”.**
6. Configure OAuth Client
   1. Set **Application type** to **Web application**
   2. Define the **Application name**
   3. Configure the following fields (you will need help from your developers):
      * **Authorized JavaScript origins**
      * **Authorized redirect URIs**
   4. Click **“Create”**
7. Retrieve Client ID and Client Secret
   1. A popup will appear showing the **Client ID.** Click **OK.**
   2. Navigate to: <https://console.cloud.google.com/auth/clients>
   3. Select the client you just created
   4. In the bottom-right corner, click **“+ Add secret”** (if one does not already exist)
   5. Create a new secret
   6. Copy and store securely:
      * **Client ID**
      * **Client Secret**

{% hint style="info" %}
These credentials will be used to configure Google as an authentication provider in your application (OAuth 2.0).
{% endhint %}

{% hint style="danger" %}
**Keep the Client Secret secure and never expose it in public repositories.**
{% endhint %}

## Microsoft Entra ID (Azure AD) — Step-by-step to get OAuth credentials (Client ID + Client Secret)

### What you will obtain

* **Tenant ID** (Directory ID)
* **Client ID** (Application ID)
* **Client Secret** (Secret Value)
* **Redirect URI(s)** (Callback URL(s)) configured for your app

These are the typical values required to configure Microsoft as an authentication provider.

1. Access the Microsoft Entra admin center
   1. Open the Microsoft Entra admin center (Entra portal).
   2. Sign in with an account that can create app registrations (typically **Application Developer** or higher).
2. Create a new App Registration
   1. Go to: **Entra ID → App registrations**
   2. Click **New registration**
   3. Fill in:
      * **Name**: a recognizable name for your application (e.g., `Gaio Auth Provider`)
      * **Supported account types**: choose based on your scenario (most internal business cases use “Accounts in this organizational directory only”)
   4. Click **Register**
3. Copy the required IDs (Client ID and Tenant ID)
   1. After registration, on the app **Overview** page:
      1. Copy **Application (client) ID** → this is your **Client ID**
      2. Copy **Directory (tenant) ID** → this is your **Tenant ID**
4. Configure the Redirect URI (Callback URL)
   1. This step ensures Microsoft can redirect the user back to your application after sign-in.
      1. In the left menu, go to **Authentication**
      2. Click **Add a platform**
      3. Choose **Web**
      4. Under **Redirect URIs**, add the callback URL(s) provided by your developers (must match your app domain/routes)
      5. Save your changes
   2. Developer input required
      1. Your team must provide:
         * The exact **Redirect URI(s)** used by your frontend/backend sign-in callback routes
         * If applicable, the correct environment URLs (prod/staging/local)
5. Create a Client Secret
   1. In the left menu, go to **Certificates & secrets**
   2. Under **Client secrets**, click **New client secret**
   3. Enter:
      * **Description**
      * **Expiration**
   4. Click **Add**
   5. Copy the **Value** immediately (this is the **Client Secret**) — it will not be shown again after you leave the page
6. Save your credentials securely
   1. Store these values in your secrets manager or environment variables:
      * `TENANT_ID` = Directory (tenant) ID
      * `CLIENT_ID` = Application (client) ID
      * `CLIENT_SECRET` = Secret Value
      * `REDIRECT_URI` = the same redirect URI configured in Authentication
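
A pre-flight check for the four Entra values stored in step 6, run before they are handed to the application. This is an added example, not code from Gaio DataOS or Microsoft; `check_oauth_env`, the `registered_redirect_uris` parameter and all sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "REDIRECT_URI")

def check_oauth_env(env, registered_redirect_uris):
    """Return a list of problems (empty list = values look usable).

    registered_redirect_uris is a hypothetical parameter: the URIs entered
    in the provider console. The secret is never echoed in a message.
    """
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k, "").strip()]
    if problems:
        return problems

    # Application (client) ID and Directory (tenant) ID are both GUIDs.
    for key in ("TENANT_ID", "CLIENT_ID"):
        if not GUID.match(env[key]):
            problems.append(f"{key} is not a GUID")

    # The portal lists a GUID "Secret ID" next to the secret "Value";
    # only the Value works as CLIENT_SECRET.
    if GUID.match(env["CLIENT_SECRET"]):
        problems.append("CLIENT_SECRET looks like the Secret ID, not the Value")

    uri = env["REDIRECT_URI"]
    parts = urlsplit(uri)
    local = parts.hostname in ("localhost", "127.0.0.1")
    if parts.scheme != "https" and not (parts.scheme == "http" and local):
        problems.append("REDIRECT_URI must use https (http only for localhost)")
    if parts.fragment or "*" in uri:
        problems.append("REDIRECT_URI must not contain a fragment or wildcard")
    # Strictest assumption: the URI must equal a registered one character for character.
    if uri not in registered_redirect_uris:
        problems.append("REDIRECT_URI does not exactly match a registered URI")
    return problems

# Constructed sample values, not real credentials.
SAMPLE_ENV = {
    "TENANT_ID": "11111111-2222-3333-4444-555555555555",
    "CLIENT_ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "CLIENT_SECRET": "constructed-secret-value",
    "REDIRECT_URI": "https://app.example.com/auth/callback",
}
REGISTERED = ["https://app.example.com/auth/callback"]

if __name__ == "__main__":
    print(check_oauth_env(SAMPLE_ENV, REGISTERED) or "configuration looks consistent")
```

In a deployment, pass `os.environ` as `env`; a trailing slash or a staging hostname in `REDIRECT_URI` is reported as a mismatch before any user hits a failed sign-in.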

### Best Practices

* Always enable **2FA** for sensitive or enterprise environments.
* Configure an appropriate **session timeout.**
* Prefer **SSO providers** for corporate projects.
* Disable conventional login if only SSO is required.
* Periodically review authentication policies.
