Wallaroo SSO for Google Cloud Platform

Enable SSO authentication to Wallaroo from Google Cloud Platform (GCP)

Organizations can use Google Cloud Platform (GCP) as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.

IMPORTANT NOTE

These instructions are for Wallaroo Enterprise edition only.

To enable Google Cloud Platform (GCP) as an authentication provider to a Wallaroo instance:

Create GCP Credentials

To create the GCP credentials a Wallaroo instance uses to authenticate users:

Log into Google Cloud Platform (GCP) console.
From the left side menu, select APIs and Services -> Credentials.
Select + CREATE CREDENTIALS->Oauth client ID.
Set Application type to Web application.
Set the following options:
1. Name: The name for this OAuth Client ID.
2. Authorized redirect URIs: This will be a link back to the Keycloak endpoint URL in your Wallaroo instance in the format https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/google/endpoint.
  For example, if the Wallaroo prefix is silky-lions-3657 and the suffix is wallaroo.ai, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/google/endpoint. For more information see the DNS Integration Guide.
When the Oauth client is created, the Client ID and the Client Secret will be displayed. Store these for the next steps.

Add GCP Credentials to Wallaroo

With the Client ID and Client Secret from Google, we can now add this to the Wallaroo instance Keycloak service.

IMPORTANT NOTE

Leaving the Hosted Domain value unset will allow any valid Google user to access the system. Set the Hosted Domain to restrict access to the desired Google domain such as wallaroo.ai. This must be a domain that is managed by Google. For more information, see the Keycloak Social Identity Providers documentation.

From the Wallaroo instance, login to the Keycloak service. This will commonly be $PREFIX.keycloak.$SUFFIX. For example, playful-wombat-5555.keycloak.wallaroo.ai.
Select Administration Console.
From the left navigation panel, select Identity Providers.
Select Add provider and select Google.
Enter the following:
1. Redirect URI: Verify this is the same endpoint defined in Create GCP Credentials.
2. Client ID: Use the Client id from Get GCP Credentials.
3. Client Secret: Use the Client secret from Get GCP Credentials.
4. Hosted Domain: The domain that the user’s will be logging in from. For example: wallaroo.ai.
5. Enabled: On
6. For the other settings, see the Keycloak Social Identity Providers documentation.

Once complete, log out of the Wallaroo instance and go back into the login screen. With the usual username and password screen should also be a google link at the bottom or whatever name was set for the identity provider.

Select it, then select which Google user account to use. As long the domain matches the one listed in Add Google Credentials to Keycloak, the login will succeed. The first time a user logs in through Google, Keycloak will create a new local user account based on the Google credentials.

Troubleshooting

I get the error “This app’s request is invalid”

Double check the Google credentials from Get GCP Credentials and verify that the Authorized redirect URIs matches the one in Keycloak. This can be verified from logging into Keycloak, selecting Identity Providers, selecting the Google identity provider and Redirect URI from the top line.