Wallaroo SSO for Google Cloud Platform

Enable SSO authentication to Wallaroo from Google Cloud Platform (GCP)

Organizations can use Google Cloud Platform (GCP) as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.

IMPORTANT NOTE

These instructions are for Wallaroo Enterprise edition only.

To enable Google Cloud Platform (GCP) as an authentication provider to a Wallaroo instance:

Create GCP Credentials

To create the GCP credentials a Wallaroo instance uses to authenticate users:

Log into Google Cloud Platform (GCP) console.
From the left side menu, select APIs and Services -> Credentials.
Select + CREATE CREDENTIALS->Oauth client ID.
Set Application type to Web application.
Set the following options:
1. Name: The name for this OAuth Client ID.
2. Authorized redirect URIs: This will be a link back to the Keycloak endpoint URL in your Wallaroo instance in the format https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/google/endpoint.
  For example, if the Wallaroo prefix is silky-lions-3657 and the suffix is wallaroo.ai, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/google/endpoint. For more information see the DNS Integration Guide.
When the Oauth client is created, the Client ID and the Client Secret will be displayed. Store these for the next steps.

How to Access the User Authentication Service

Most user administration features are performed by admins through the Platform Admin Dashboard.

Additional settings are available by directly access the Wallaroo Administrative Service known as keycloak. This requires the following:

A user credential with administrative access. If for some reason no user with administrative access is available, the default admin user and credentials are retrieved by a user with kubectl and administrative access to the cluster with the following.
- Retrieve Keycloak Admin Username
```
kubectl -n wallaroo \
get secret keycloak-admin-secret \
-o go-template='{{.data.KEYCLOAK_ADMIN_USER | base64decode }}'
```
- Retrieve Keycloak Admin Password
```
kubectl -n wallaroo \
get secret keycloak-admin-secret \
-o go-template='{{.data.KEYCLOAK_ADMIN_PASSWORD | base64decode }}'
```
Access the user administrative service through the url https://keycloak.$WALLAROO_SUFFIX. For example, if the $WALLAROO_SUFFIX is wallaroo.example.com, the administrative access controls are access through https://keycloak.wallaroo.example.com.

Add GCP Credentials to Wallaroo

With the Client ID and Client Secret from Google, we can now add this to the Wallaroo instance Keycloak service.

IMPORTANT NOTE

Leaving the Hosted Domain value unset will allow any valid Google user to access the system. Set the Hosted Domain to restrict access to the desired Google domain such as wallaroo.ai. This must be a domain that is managed by Google. For more information, see the Keycloak Social Identity Providers documentation.

Select Administration Console.
From the left navigation panel, select Identity Providers.
Select Add provider and select Google.
Enter the following:
1. Redirect URI: Verify this is the same endpoint defined in Create GCP Credentials.
2. Client ID: Use the Client id from Get GCP Credentials.
3. Client Secret: Use the Client secret from Get GCP Credentials.
4. Hosted Domain: The domain that the user’s will be logging in from. For example: wallaroo.ai.
5. Enabled: On
6. For the other settings, see the Keycloak Social Identity Providers documentation.

Once complete, log out of the Wallaroo instance and go back into the login screen. With the usual username and password screen should also be a google link at the bottom or whatever name was set for the identity provider.

Select it, then select which Google user account to use. As long the domain matches the one listed in Add Google Credentials to Keycloak, the login will succeed. The first time a user logs in through Google, Keycloak will create a new local user account based on the Google credentials.

Troubleshooting

I get the error “This app’s request is invalid”

Double check the Google credentials from Get GCP Credentials and verify that the Authorized redirect URIs matches the one in Keycloak. This can be verified from logging into Keycloak, selecting Identity Providers, selecting the Google identity provider and Redirect URI from the top line.