Organizations can use Google Cloud Platform (GCP) as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.
To enable Google Cloud Platform (GCP) as an authentication provider to a Wallaroo instance:
To create the GCP credentials a Wallaroo instance uses to authenticate users:
Log into Google Cloud Platform (GCP) console.
From the left side menu, select APIs and Services -> Credentials.
Select + CREATE CREDENTIALS->Oauth client ID.
Set Application type to Web application.
Set the following options:
Name: The name for this OAuth Client ID.
Authorized redirect URIs: This will be a link back to the Keycloak endpoint URL in your Wallaroo instance in the format https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/google/endpoint
.
For example, if the Wallaroo prefix is silky-lions-3657
and the suffix is wallaroo.ai
, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/google/endpoint
. For more information see the DNS Integration Guide.
When the Oauth client is created, the Client ID and the Client Secret will be displayed. Store these for the next steps.
With the Client ID and Client Secret from Google, we can now add this to the Wallaroo instance Keycloak service.
wallaroo.ai
. This must be a domain that is managed by Google. For more information, see the Keycloak Social Identity Providers documentation.From the Wallaroo instance, login to the Keycloak service. This will commonly be $PREFIX.keycloak.$SUFFIX. For example, playful-wombat-5555.keycloak.wallaroo.ai
.
Select Administration Console.
From the left navigation panel, select Identity Providers.
Select Add provider and select Google.
Enter the following:
wallaroo.ai
.Once complete, log out of the Wallaroo instance and go back into the login screen. With the usual username and password screen should also be a google
link at the bottom or whatever name was set for the identity provider.
Select it, then select which Google user account to use. As long the domain matches the one listed in Add Google Credentials to Keycloak, the login will succeed. The first time a user logs in through Google, Keycloak will create a new local user account based on the Google credentials.
Double check the Google credentials from Get GCP Credentials and verify that the Authorized redirect URIs matches the one in Keycloak. This can be verified from logging into Keycloak, selecting Identity Providers, selecting the Google identity provider and Redirect URI from the top line.