Wallaroo SSO for Google Cloud Platform

Enable SSO authentication to Wallaroo from Google Cloud Platform (GCP)

Table of Contents

Organizations can use Google Cloud Platform (GCP) as an identity provider for single sign-on (SSO) logins for users with Wallaroo Enterprise.

To enable Google Cloud Platform (GCP) as an authentication provider to a Wallaroo instance:

Create GCP Credentials

To create the GCP credentials a Wallaroo instance uses to authenticate users:

  1. Log into Google Cloud Platform (GCP) console.

  2. From the left side menu, select APIs and Services -> Credentials.

    GCP API and Services
  3. Select + CREATE CREDENTIALS->Oauth client ID.

    GCP Create credentials
  4. Set Application type to Web application.

  5. Set the following options:

    1. Name: The name for this OAuth Client ID.

    2. Authorized redirect URIs: This will be a link back to the Keycloak endpoint URL in your Wallaroo instance in the format https://$PREFIX.keycloak.$SUFFIX/auth/realms/master/broker/google/endpoint.

      For example, if the Wallaroo prefix is silky-lions-3657 and the suffix is wallaroo.ai, then the Keycloak endpoint URL would be silky-lions-3657.keycloak.wallaroo.ai/auth/realms/master/broker/google/endpoint. For more information see the DNS Integration Guide.

  6. When the Oauth client is created, the Client ID and the Client Secret will be displayed. Store these for the next steps.

    Client ID and Secret

How to Access the User Authentication Service

Most user administration features are performed by admins through the Platform Admin Dashboard.

Additional settings are available by directly access the Wallaroo Administrative Service known as keycloak. This requires the following:

  1. A user credential with administrative access. If for some reason no user with administrative access is available, the default admin user and credentials are retrieved by a user with kubectl and administrative access to the cluster with the following.

    • Retrieve Keycloak Admin Username

      kubectl -n wallaroo \
      get secret keycloak-admin-secret \
      -o go-template='{{.data.KEYCLOAK_ADMIN_USER | base64decode }}'
      
    • Retrieve Keycloak Admin Password

      kubectl -n wallaroo \
      get secret keycloak-admin-secret \
      -o go-template='{{.data.KEYCLOAK_ADMIN_PASSWORD | base64decode }}'
      
  2. Access the user administrative service through the url https://keycloak.$WALLAROO_SUFFIX. For example, if the $WALLAROO_SUFFIX is wallaroo.example.com, the administrative access controls are access through https://keycloak.wallaroo.example.com.

Add GCP Credentials to Wallaroo

With the Client ID and Client Secret from Google, we can now add this to the Wallaroo instance Keycloak service.

  1. Select Administration Console.

  2. From the left navigation panel, select Identity Providers.

  3. Select Add provider and select Google.

  4. Enter the following:

    Keycloak Google Settings
    1. Redirect URI: Verify this is the same endpoint defined in Create GCP Credentials.
    2. Client ID: Use the Client id from Get GCP Credentials.
    3. Client Secret: Use the Client secret from Get GCP Credentials.
    4. Hosted Domain: The domain that the user’s will be logging in from. For example: wallaroo.ai.
    5. Enabled: On
    6. For the other settings, see the Keycloak Social Identity Providers documentation.

Verify the Login

Once complete, log out of the Wallaroo instance and go back into the login screen. With the usual username and password screen should also be a google link at the bottom or whatever name was set for the identity provider.

Select Google to login

Select it, then select which Google user account to use. As long the domain matches the one listed in Add Google Credentials to Keycloak, the login will succeed. The first time a user logs in through Google, Keycloak will create a new local user account based on the Google credentials.

Troubleshooting

I get the error “This app’s request is invalid”

Double check the Google credentials from Get GCP Credentials and verify that the Authorized redirect URIs matches the one in Keycloak. This can be verified from logging into Keycloak, selecting Identity Providers, selecting the Google identity provider and Redirect URI from the top line.

Keycloak Google Settings