Versions Compared

Old Version 10

changes.mady.by.user Olivier Michaut

Saved on

compared with

New Version 11

changes.mady.by.user Olivier Michaut

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Panel

Table of Contents

Overview

Assuming the following service configuration on the UDMG Authentication Proxy, the below sections describe how to add the google, openid, and oauth provider as options for user authentication.

...

For OpenID and Oauth2, other identity providers can be configured, provided that the needed configuration parameters are known.


Example with Google OAuth

Before you begin


The Redirect URI (or callback URI) must be determined.

It will be in the form https://<FQDN>:<PORT>/service/auth/sso/google/callback, where FQDN and PORT are the name and port for the host where the UDMG Authentication Proxy and NGINX server are installed.

For example https://udmg.stonebranch.com:8080/service/auth/sso/google/callback.

Configuration on Google Cloud

...

https://developers.google.com/chat/api/guides/auth/users#step_3_create_oauth_client_id_credentials_in

Configuration on UDMG

To configure the SSO Google integration on UDMG Authentication Proxy, follow these steps.

  • Create a google provider section in the configuration file for a service, for example here for the service sso:
Code Block
languagetext
[service.sso.auth.google]
file = "udmg-sso-google.json"

...

Note

If you are going to use a public domain, like @gmail.com, don't setup the hostedDomains, since the hd parameter in the callback will be empty.

  • Restart the UDMG Auth Proxy.
  • The google provider is now available for the sso service on UDMG Admin UI login page

Example with OpenID Provider

Before you begin


The Redirect URI (or callback URI) must be determined.

It will be in the form https://<FQDN>:<PORT>/service/auth/sso/openid/callback, where FQDN and PORT are the name and port for the host where the UDMG Authentication Proxy and NGINX server are installed.

For example https://udmg.stonebranch.com:8080/service/auth/sso/openid/callback.

Configuration on UDMG

To configure the SSO OpenID integration on UDMG Authentication Proxy, follow these steps.

  • Create a oidc provider section in the configuration file for a service, for example here for the service sso:
Code Block
languagetext
[service.sso.auth.oidc]
file = "udmg-sso-openid.json"

...

Code Block
languagetext
{
    "issuer": "https://accounts.google.com",
    "clientID": "<client-id>",
    "clientSecret": "<client-secret-id>",
    "redirectURI": "https://udmg.stonebranch.com:8080/service/auth/sso/openid/callback"
}
  • Restart the UDMG Auth Proxy.
  • The openid provider is now available for the sso service on UDMG Admin UI login page


Reference:

https://console.cloud.google.com/apis/credentials

https://developers.google.com/identity/openid-connect/openid-connect

Example with OAuth2 Provider

Before you begin


The Redirect URI (or callback URI) must be determined.

It will be in the form https://<FQDN>:<PORT>/service/auth/sso/openid/callback, where FQDN and PORT are the name and port for the host where the UDMG Authentication Proxy and NGINX server are installed.

For example https://udmg.stonebranch.com:8080/service/auth/sso/openid/callback.


Configuration on OAuth2 identity provider

The following parameters must be known

  • Client ID
  • Client Secret
  • token URL
  • authorization URL
  • User Info URL

Scope and user email

The user email is needed for the identification of the user record in UDMG and must be returned by the identity provider.

The specific required scope depends on the identity provider.

In the case of OAuth2 with Google Cloud Provider, it is required to grant additional scopes for that purpose.

...

  • After clicking Update the scopes, they are listed under Your non-sensitive scopes

Configuration on UDMG

To configure the SSO OAuth integration on UDMG Authentication Proxy, follow these steps.

  • Create an oauth provider section in the configuration file for a service, for example here for the service sso:
Code Block
languagetext
[service.sso.auth.oauth]
file = "udmg-sso-oauth.json"

...

Code Block
languagejs
{
    "issuer": "https://accounts.google.com",
    "clientID": "<client-id>",
    "clientSecret": "<client-secret-id>",
    "redirectURI": "https://udmg.stonebranch.com:8080/service/auth/sso/oauth/callback",
    "tokenURL": "https://oauth2.googleapis.com/token",
    "authorizationURL": "https://accounts.google.com/o/oauth2/auth",
    "scopes": ["profile"],
    "insecureSkipVerify": true,
    "userInfoURL": "https://www.googleapis.com/oauth2/v3/userinfo",
    "userIDKey": "sub"
}
  • Restart the UDMG Auth Proxy.
  • The oauth provider is now available for the sso service on UDMG Admin UI login page

Reference:

https://developers.google.com/identity/protocols/oauth2/scopes#oauth2