Constraint: __Enterprise Licenses Only__\\
This plugin allows you to delegate access to OAuth ([https://en.wikipedia.org/wiki/OAuth]) providers. On CrushFTP's login page, the enabled provider's __"Sign in"__ button appears next to the login button.\\
Currently __Google Sign-In__ ([Google Sign in Configuration]), __Microsoft Sign-In__ ([Microsoft Sign in Configuration]), __Azure Active Directory B2C Sign in__ ([Azure Active Directory B2C Configuration]) and __Amazon Cognito Sign in__ ([Amazon Cognito Configuration]) are supported.\\
\\
It works only over the __HTTP__ or __HTTPS__ protocol. It requires an HTTP(S) port item with OAuth configuration.\\
[attachments|http_port_oauth_item_settings.png]\\
\\
!!Supported types:\\
!1. Google Sign-In\\
See [Google Sign in Configuration]\\
!2. Microsoft Sign-In\\
See [Microsoft Sign in Configuration]\\
!3. Azure Active Directory B2C\\
See [Azure Active Directory B2C Configuration]\\
!4. Amazon Cognito\\
See [Amazon Cognito Configuration]\\
\\
!!DMZ\\
\\
Configure your OAuth settings on the DMZ's HTTP or HTTPS port item.\\
\\
!!Plugin Settings\\
\\
__1.__ __Username matching__ -> It filters the OAuth user name (Google Auth: email address, Microsoft Auth: user principal name). Multiple values are allowed, separated by commas. A domain filter is allowed (like *mydomain.com).\\
\\
__2.__ __Allowed authentication types__: Google Sign-In, Microsoft Sign-In, Azure Active Directory B2C Sign in and Amazon Cognito Sign in. Configure the sign-in button on the HTTP(S) server.\\
\\
__3.__\\
__a.__ __Skip OTP processing__: The CrushOAuth plugin is not compatible with [OTP Settings], as the IDP (identity provider) can have its own two-factor authentication. Setting this flag to true exempts OAuth users from CrushFTP's OTP process.\\
__b.__ __Remove email suffix from username__: It removes the email suffix from the user name. For example, the username "my_user@email.com" becomes "my_user".\\
__c.__ __Get Cognito user info__: Gets more info about Amazon Cognito users (like custom attributes). It applies only to __Amazon Cognito Sign in__.\\
\\
__4.__ OAuth only used for Authentication ([User Manager] defines the user's access) -> If the users already exist in CrushFTP's User Manager, you can use the CrushOAuth plugin __just for authentication__.\\
\\
__5.__ __Template Username__ -> The signed-in user inherits not just the settings, but the VFS items too (as Linked [VFS]).\\
__Import settings from CrushFTP user__ -> The signed-in user inherits just the settings from this user. __It must have a value!__ The default value is __default__ -> the default user of CrushFTP\\
\\
__6.__ __OAuth Roles__ -> You can configure different Template Users (see 5.) based on the IDP's (identity provider's) attributes.\\
IDP attribute examples:\\
{{{
Google Sign-In: email_verified, idp_user_info, given_name, family_name, email_verified, group
Microsoft Sign-In: mail, idp_user_info, displayName, jobTitle, businessPhones, mobilePhone, officeLocation, group
Amazon Cognito Sign-in: email, username, identities, cognito:username, cognito:groups, custom:<<defined custom attributes>>
}}}
Role examples:
{{{
<<IDP attribute name>>=<<IDP attribute value>>,<<IDP attribute name>>=<<IDP attribute value>> : template user name
Like:
cognito:groups=Azure_SAML,custom:groups:test_group_one
or
cognito:groups=*SAML*,custom:groups:test_group_one
or
cognito:groups=REGEX:.*SAML$,custom:groups:test_group_one
}}}
\\
IDP attribute value: exact match, simple match (like *mail.com*), or regex match (like REGEX:<<the regular expression>>). If the value is an array, you can reference only one of the array elements (exact match only). For example, with the IDP attribute value __groups:[["group1","group2"]__ you can match __group1__.\\
\\
\\
__7.__ VFS-related settings -> You can set a custom [VFS] for CrushOAuth users.\\
\\
[attachments|plugin_settings.png]\\
\\
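The matching rules described under __Username matching__ (1.) and __OAuth Roles__ (6.), modeled as an added Python example for checking a filter or role set before deploying it; this is not CrushFTP's code. The `ROLES` structure, the template and group names, and the choices that conditions are ANDed, roles are checked in order, matching is case-sensitive and a REGEX must match the whole value are assumptions.

```python
import re

def simple_match(pattern, value):
    """Simple match: '*' matches any run of characters, the rest is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None

def value_matches(pattern, attr_value):
    """Check one role condition value against one IDP attribute value."""
    if isinstance(attr_value, list):
        # Array attribute: only an exact match on a single element.
        return pattern in attr_value
    if pattern.startswith("REGEX:"):
        # Assumption: the expression must match the whole value.
        return re.fullmatch(pattern[len("REGEX:"):], attr_value) is not None
    if "*" in pattern:
        return simple_match(pattern, attr_value)
    return pattern == attr_value

def username_allowed(filter_setting, username):
    """'Username matching': comma-separated values, any one may match."""
    patterns = [p.strip() for p in filter_setting.split(",") if p.strip()]
    return any(simple_match(p, username) for p in patterns)

def pick_template(roles, claims):
    """Return the template user of the first role whose conditions all match.
    Assumptions: conditions are ANDed and roles are checked in order."""
    for conditions, template in roles:
        if all(name in claims and value_matches(pat, claims[name])
               for name, pat in conditions.items()):
            return template
    return None

# Constructed sample data (hypothetical template and group names).
ROLES = [
    ({"cognito:groups": "REGEX:.*SAML$"}, "saml_template"),
    ({"email": "*@mydomain.com", "groups": "group1"}, "staff_template"),
]
CLAIMS_STAFF = {"email": "ann@mydomain.com", "groups": ["group1", "group2"]}
CLAIMS_SAML = {"email": "bob@example.org", "cognito:groups": "Azure_SAML"}
CLAIMS_OTHER = {"email": "eve@example.org", "cognito:groups": "SAML_disabled"}

if __name__ == "__main__":
    for claims in (CLAIMS_STAFF, CLAIMS_SAML, CLAIMS_OTHER):
        print(claims["email"], "->", pick_template(ROLES, claims))
```

Under these wildcard semantics `*mydomain.com` and `*SAML*` accept any value with that ending or substring, so `*@mydomain.com` or an anchored `REGEX:` value is the tighter form.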