Skip to main content

Google

Introduction​

Google Single Sign-On (SSO) allows users to access the platform using their Google credentials. This integration enhances security and simplifies user management by leveraging Google's authentication infrastructure.

Prerequisites​

Before setting up Google SSO, ensure you have:

  • A Google Account with admin privileges
  • Administrator access to the platform
  • Access to GPC console for creating OAuth2.0 credentials

Configuration steps​

  1. Create platform config for Google

    The platform can use Google's OpenID Connect provider as an authentication source.

    Obtaining Google OAuth2.0 credentials

    To get the required clientId and clientSecret, follow these steps:

    • Go to the GCP Console
    • Navigate to "APIs & Services" > "Credentials"
    • Click "Create Credentials" and select "OAuth client ID"
    • Follow the prompts to set up your OAuth consent screen and create your credentials

    To configure the platform to use Google for SSO, navigate to Admin > Config in the platform and adjust your config as shown below:

    Google SSO Configuration
    auth:
      # Tell vCluster Platform to use google authentication
      google:
        #
        #
        # REQUIRED CONFIGURATION
        #
        #
        # ClientID for the google authentication. Can be string literal or pulled from the environment.
        clientId: $CLIENTID
        # ClientSecret for the google authentication. Can be string literal or pulled from the environment.
        clientSecret: $CLIENTSECRET
        # Callback URL in the form of https://your-loft-domain/auth/google/callback
        redirectURI: https://vcluster-platform.my.domain/auth/google/callback
        #
        #
        # OPTIONAL CONFIGURATION
        #
        #
        # (Optional) defaults to "profile" and "email"
        scopes: ["profile", "email"]
        # (Optional) list of whitelisted domains. If this field is nonempty,
        # only users from a listed domain will be allowed to log in
        hostedDomains: []
        # (Optional) list of whitelisted groups. If this field is nonempty,
        # only users from a listed group will be allowed to log in
        groups: []
        # (Optional) path to service account json. If nonempty,
        # and groups claim is made, will use authentication from file to
        # check groups with the admin directory api
        serviceAccountFilePath: /path/to/service/account.json
        # (Optional) Required if serviceAccountFilePath is set. The email of
        # a GSuite super user which the service account will impersonate
        # when listing groups
        adminEmail: myuser@mydomain.com
    Security best practice

    Always store sensitive information like clientSecret securely. Consider using environment variables or secure secret management solutions.

    note

    Replace the redirectURI with your actual domain where the platform is hosted.

  2. Authenticate via Google

    After saving the new configuration, the platform should restart itself. To authenticate:

    • Navigate to the platform login page
    • Click on the "Login with Google" button
    • You should be redirected to Google's login page
    • Enter your Google credentials
    • Grant the necessary permissions when prompted
    • You should be redirected back to the platform, now authenticated

  3. Disable Username + Password Authentication (optional)

    To turn off password-based authentication, navigate to Admin > Config add these two lines to your config:

    Disable password-based authentication
    auth:
      oidc: ...             # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true      # Disable password-based authentication