SSO with Google, OpenID, and OAuth2 Identity Providers
Overview
Assuming the following service configuration on the UDMG Authentication Proxy, the below sections describe how to add the Google, OpenID, and OAuth Providers as options for user authentication.
```toml
[service.sso]
protocol = "http"
policy = "failover"

[service.sso.credential]
username = "user"
password = "password"

[[service.sso.targets]]
hostname = "udmg.stonebranch.com"
port = 18080
```
All the examples assume that Google Cloud is the Identity Provider.
Other OpenID, OAuth2, and similar Identity Providers can be configured in the same way, provided that the needed configuration parameters are known.
Example with Google OAuth
Before you begin
The Redirect URI (or callback URI) must be determined.
It will be in the form https://<FQDN>:<PORT>/service/auth/sso/google/callback, where FQDN and PORT are the name and port for the host where the UDMG Authentication Proxy and NGINX server are installed.
For example, https://udmg.stonebranch.com/service/auth/sso/google/callback.
Configuration on Google Cloud
Step 1. Create a new project under your Google account: https://console.cloud.google.com/projectcreate
Step 2. Create new credentials for the service: https://console.cloud.google.com/apis/credentials
Step 3. Set the application type to Web Application.
Step 4. Under Authorized redirect URIs, enter the UDMG Authentication Proxy callback URI.
Step 5. Click the Create button.
Step 6. Keep the client ID, the client secret and the JSON file for reference; they are needed to complete the setup on UDMG.
Configuration on UDMG
To configure the SSO Google integration on the UDMG Authentication Proxy, follow these steps.

Step 1. Create a Google Provider section in the configuration file for a service. For example, for the service sso:

```toml
[service.sso.auth.google]
file = "udmg-sso-google.json"
```

Step 2. The file parameter names the provider configuration file, here udmg-sso-google.json.
Step 3. Create that configuration file in the same location as the UDMG Authentication Proxy configuration file.
Step 4. Fill in clientID and clientSecret with the values from the setup on Google Cloud.
Step 5. Set redirectURI to the callback URI of the UDMG Authentication Proxy.
Step 6. Set hostedDomains to the list of whitelisted domains on Google Apps.

```json
{
  "clientID": "client-id",
  "clientSecret": "client-secret",
  "redirectURI": "https://udmg.stonebranch.com/service/auth/sso/google/callback",
  "hostedDomains": ["domain.com"]
}
```

If you are going to use a public domain such as @gmail.com, do not set hostedDomains, since the hd parameter in the callback will be empty and the domain check cannot succeed.

Step 7. Restart the UDMG Auth Proxy.
Step 8. The Google Identity Provider is now available for the SSO service on the UDMG Admin UI login page.
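The hostedDomains rule from Step 6, and in particular why a public-domain account cannot pass when hostedDomains is set, as an added Python example (this is not UDMG code): it reads a provider file of the shape shown above and applies the domain check to two constructed identities. The claim names sub, email, email_verified and hd are the ones Google returns; the acceptance logic is this example's own model of the check, and the sample accounts are constructed.

```python
"""Hosted-domain check for Google sign-in callbacks (added example, not UDMG code).

Models the rule from the Google provider setup: when "hostedDomains" is set,
the identity returned by Google must carry an "hd" claim matching one of the
listed domains. Accounts on public domains (e.g. @gmail.com) carry no "hd"
claim at all, so a non-empty hostedDomains list rejects them.
"""
import json

# Constructed sample provider file, mirroring the shape shown on the page.
GOOGLE_PROVIDER_JSON = json.dumps({
    "clientID": "client-id",
    "clientSecret": "client-secret",
    "redirectURI": "https://udmg.stonebranch.com/service/auth/sso/google/callback",
    "hostedDomains": ["domain.com"],
})


def load_hosted_domains(provider_json: str) -> list[str]:
    """Return the normalised hostedDomains list from a provider file (empty if unset)."""
    cfg = json.loads(provider_json)
    return [d.strip().lower() for d in (cfg.get("hostedDomains") or [])]


def check_identity(claims: dict, hosted_domains: list[str]) -> tuple[bool, str]:
    """Decide whether a claim set from Google (ID token or userinfo) may be
    mapped to a UDMG user record. Returns (accepted, reason).

    Rules modelled here (assumption, following the page's description):
      * an email claim is required, because UDMG identifies the user by email
      * with hostedDomains empty, any verified email is accepted
      * with hostedDomains set, the hd claim must match a listed domain
    """
    email = claims.get("email") or ""
    if "@" not in email:
        return False, "no email claim returned by the Identity Provider"
    if claims.get("email_verified") is False:
        return False, "email address is not verified"
    if not hosted_domains:
        return True, "accepted: no hosted domain restriction"
    hd = (claims.get("hd") or "").lower()
    if not hd:
        return False, "hd claim missing (public domain account) while hostedDomains is set"
    if hd not in hosted_domains:
        return False, f"hd claim {hd!r} not in hostedDomains {hosted_domains}"
    # Defensive: the email's domain must agree with the hd claim.
    if email.rsplit("@", 1)[1].lower() != hd:
        return False, "email domain does not match hd claim"
    return True, f"accepted: hosted domain {hd!r}"


# Constructed sample identities (not real accounts).
WORKSPACE_USER = {"sub": "1001", "email": "alice@domain.com",
                  "email_verified": True, "hd": "domain.com"}
GMAIL_USER = {"sub": "1002", "email": "bob@gmail.com", "email_verified": True}  # no hd

if __name__ == "__main__":
    domains = load_hosted_domains(GOOGLE_PROVIDER_JSON)
    for who in (WORKSPACE_USER, GMAIL_USER):
        ok, why = check_identity(who, domains)
        print(f"{who['email']}: {ok} ({why})")
    # With hostedDomains left unset the same gmail account is accepted.
    print("gmail without hostedDomains:", check_identity(GMAIL_USER, []))
```

Running the block shows the workspace account accepted, the gmail account rejected for lack of an hd claim while hostedDomains is set, and the same gmail account accepted once the list is empty, which is the configuration choice the page describes for public domains.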
Example with OpenID Provider
Before you begin
The Redirect URI (or callback URI) must be determined.
The form is https://<FQDN>:<PORT>/service/auth/sso/openid/callback; FQDN and PORT are the name and port for the host where the UDMG Authentication Proxy and NGINX server are installed.
For example, https://udmg.stonebranch.com:8080/service/auth/sso/openid/callback.
Configuration on UDMG
To configure the SSO OpenID integration on the UDMG Authentication Proxy, follow these steps.

Step 1. Create an OIDC Provider section in the configuration file for a service. For example, for the service sso:

```toml
[service.sso.auth.oidc]
file = "udmg-sso-openid.json"
```

Step 2. The file parameter names the provider configuration file, here udmg-sso-openid.json.
Step 3. Create that configuration file in the same location as the UDMG Authentication Proxy configuration file.
Step 4. Set issuer to the OpenID Provider's issuer URL (https://accounts.google.com for Google) and fill in clientID and clientSecret with the values from the setup on Google Cloud.
Step 5. Set redirectURI to the callback URI of the UDMG Authentication Proxy.

```json
{
  "issuer": "https://accounts.google.com",
  "clientID": "<client-id>",
  "clientSecret": "<client-secret-id>",
  "redirectURI": "https://udmg.stonebranch.com/service/auth/sso/openid/callback"
}
```

Step 6. Restart the UDMG Auth Proxy.
Step 7. The OpenID Identity Provider is now available for the SSO service on the UDMG Admin UI login page.
Reference:
https://console.cloud.google.com/apis/credentials
https://developers.google.com/identity/openid-connect/openid-connect
Example with OAuth2 Provider
Before you begin
The Redirect URI (or callback URI) must be determined.
The form is https://<FQDN>:<PORT>/service/auth/sso/oauth/callback; FQDN and PORT are the name and port for the host where the UDMG Authentication Proxy and NGINX server are installed.
For example, https://udmg.stonebranch.com/service/auth/sso/oauth/callback.
Configuration on OAuth2 Identity Provider
The following parameters must be known:
- Client ID
- Client Secret
- Token URL
- Authorization URL
- User Info URL
Scope and User Email
The user email is needed for the identification of the user record in UDMG and must be returned by the Identity Provider.
The specific required scope depends on the Identity Provider.
In the case of OAuth2 with Google Cloud Provider, it is required to grant additional scopes for that purpose.
Step 1. On the Google Cloud console, go to OAuth consent screen and click EDIT APP.
Step 2. Under the Scopes section, click ADD OR REMOVE SCOPES.
Step 3. Grant the following scopes and click Update selected scopes.
Step 4. View your selected scopes under Your non-sensitive scopes.
Configuration on UDMG
To configure the SSO OAuth integration on the UDMG Authentication Proxy, follow these steps.

Step 1. Create an OAuth Provider section in the configuration file for a service. For example, for the service sso:

```toml
[service.sso.auth.oauth]
file = "udmg-sso-oauth.json"
```

Step 2. The file parameter names the provider configuration file, here udmg-sso-oauth.json.
Step 3. Create that configuration file in the same location as the UDMG Authentication Proxy configuration file.
Step 4. Fill in clientID and clientSecret with the values from the OAuth Identity Provider.
Step 5. Set redirectURI to the callback URI of the UDMG Authentication Proxy.
Step 6. Set tokenURL, authorizationURL and userInfoURL with the values from the OAuth Identity Provider.

```json
{
  "clientID": "<client-id>",
  "clientSecret": "<client-secret-id>",
  "redirectURI": "https://udmg.stonebranch.com/service/auth/sso/oauth/callback",
  "tokenURL": "https://oauth2.googleapis.com/token",
  "authorizationURL": "https://accounts.google.com/o/oauth2/auth",
  "scopes": ["profile"],
  "insecureSkipVerify": true,
  "userInfoURL": "https://www.googleapis.com/oauth2/v3/userinfo",
  "userIDKey": "sub"
}
```

In this example insecureSkipVerify is true, which disables TLS certificate verification on the proxy's connections to the token and user info endpoints. That is acceptable for a test setup only; set it to false once the Identity Provider's certificate chain is trusted by the proxy host.

Step 7. Restart the UDMG Auth Proxy.
Step 8. The OAuth Identity Provider is now available for the SSO service on the UDMG Admin UI login page.
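A small validator for the three provider files described on this page (Google, OpenID and OAuth2), as an added Python example that is not UDMG code: it checks that each file carries the keys its section uses, that redirectURI follows the https://<FQDN>:<PORT>/service/auth/sso/<provider>/callback pattern from the "Before you begin" sections and names the right provider, and it flags settings that weaken the setup (placeholder credentials, non-HTTPS endpoints, insecureSkipVerify, public domains in hostedDomains). The key names are the page's; the required-key sets, the warnings and the two sample files are this example's own assumptions.

```python
"""Validator for UDMG Authentication Proxy provider files (added example, not UDMG code).

Checks the JSON provider files for the Google, OpenID and OAuth2 providers:
required keys per provider type, the callback URI pattern, and settings that
weaken security. The required-key sets are an assumption derived from the
samples on the page, not a published UDMG schema.
"""
import json
import re
from urllib.parse import urlsplit

# Keys each provider file must carry (assumption derived from the page's examples).
REQUIRED_KEYS = {
    "google": {"clientID", "clientSecret", "redirectURI"},
    "openid": {"issuer", "clientID", "clientSecret", "redirectURI"},
    "oauth": {"clientID", "clientSecret", "redirectURI",
              "tokenURL", "authorizationURL", "userInfoURL"},
}
CALLBACK_RE = re.compile(r"^/service/auth/sso/(google|openid|oauth)/callback$")
# Placeholder strings used in the page's samples; a real file must not keep them.
PLACEHOLDERS = {"client-id", "client-secret", "<client-id>", "<client-secret>", "<client-secret-id>"}
PUBLIC_DOMAINS = {"gmail.com", "googlemail.com"}


def check_redirect_uri(uri: str, provider: str) -> list[str]:
    """Return the problems found in a callback URI for the given provider type."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("redirectURI must use https")
    if not parts.hostname:
        problems.append("redirectURI has no host")
    match = CALLBACK_RE.match(parts.path)
    if not match:
        problems.append("redirectURI path is not /service/auth/sso/<provider>/callback")
    elif match.group(1) != provider:
        problems.append(f"redirectURI is the {match.group(1)} callback, expected {provider}")
    if parts.query or parts.fragment:
        problems.append("redirectURI must not carry a query string or fragment")
    return problems


def validate_provider(provider: str, text: str) -> list[str]:
    """Validate one provider file; returns a list of findings (empty means OK)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    findings = []
    missing = REQUIRED_KEYS[provider] - set(cfg)
    if missing:
        findings.append("missing keys: " + ", ".join(sorted(missing)))
    for key in ("clientID", "clientSecret"):
        if cfg.get(key) in PLACEHOLDERS:
            findings.append(f"{key} still holds a placeholder value")
    if "redirectURI" in cfg:
        findings += check_redirect_uri(cfg["redirectURI"], provider)
    # Endpoints the proxy talks to must be reachable over TLS.
    for key in ("issuer", "tokenURL", "authorizationURL", "userInfoURL"):
        if key in cfg and urlsplit(cfg[key]).scheme != "https":
            findings.append(f"{key} must use https")
    if cfg.get("insecureSkipVerify") is True:
        findings.append("insecureSkipVerify is true: TLS certificate checks to the IdP are disabled")
    if provider == "google":
        public = [d for d in cfg.get("hostedDomains") or [] if d.lower() in PUBLIC_DOMAINS]
        if public:
            findings.append(f"hostedDomains lists public domain(s) {public}, which send no hd claim")
    return findings


# Constructed sample files (not real credentials).
GOOD_OPENID = json.dumps({
    "issuer": "https://accounts.google.com",
    "clientID": "constructed-sample-client-id",
    "clientSecret": "constructed-sample-secret",
    "redirectURI": "https://udmg.stonebranch.com/service/auth/sso/openid/callback",
})
# Deliberately flawed OAuth2 file: placeholders kept, the openid callback used
# for an oauth provider, a plain-http user info URL and insecureSkipVerify on.
BAD_OAUTH = json.dumps({
    "clientID": "<client-id>",
    "clientSecret": "<client-secret-id>",
    "redirectURI": "https://udmg.stonebranch.com/service/auth/sso/openid/callback",
    "tokenURL": "https://oauth2.googleapis.com/token",
    "authorizationURL": "https://accounts.google.com/o/oauth2/auth",
    "userInfoURL": "http://www.googleapis.com/oauth2/v3/userinfo",
    "insecureSkipVerify": True,
})

if __name__ == "__main__":
    for name, text in (("openid", GOOD_OPENID), ("oauth", BAD_OAUTH)):
        findings = validate_provider(name, text)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for line in findings:
            print("  -", line)
```

Run it against the real udmg-sso-*.json files before restarting the proxy; a clean result for each provider type means the file matches the shape this page describes and none of the weakening settings are present.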