Google (OIDC)

Setting Up Google Single Sign-On (SSO)

This page describes how to set up Google as an identity provider (IdP) for Codefresh. For general SSO setup instructions, see the overview page.

Create Client Secret

Log in to https://console.developers.google.com/ and select Credentials in the left sidebar. Click the Create Credentials button and choose OAuth client ID from the drop-down menu.

On the next screen, select Web application as the Application type. Enter a name for your integration (user-defined). Add https://g.codefresh.io as a URI in the Authorized JavaScript origins section.

Creating an OAuth client

Click the Create button. A dialog shows the client ID and secret values. Note down both of these values.

Getting the Client ID and secret

You will need the Client ID and secret in the Codefresh configuration screen.

Enter details on the Codefresh side

Go back to Codefresh and choose Google in the SSO Settings.

Choosing Google for Auth

In the configuration screen fill in the following:

  • DISPLAY NAME - Friendly SSO name (arbitrary)
  • CLIENT ID - Use the value you got from the previous section
  • CLIENT SECRET - Use the value you got from the previous section

Entering Codefresh Settings

After clicking SAVE you’ll see the generated Client Name:

Getting the auto-generated Client Name

Note this down as you will use it in the Google Console.

Setup Redirect URI

Go back to the Google Console Developer dashboard and click the edit button on the OAuth 2.0 Client ID that you created earlier.

Use the Client Name from the previous section to generate the Authorized Redirect URI.

  • Example Client Name: t0nlUJoqQlDv
  • Example Redirect URI: https://g.codefresh.io/api/auth/t0nlUJoqQlDv/callback

Redirect URI

This concludes the basic SSO setup for Google. For team/group synchronization you also need a service account.

Synchronize teams with the Codefresh CLI

The Codefresh configuration screen has some optional fields that you can fill in to configure team synchronization via the Codefresh CLI.

You can do one of the following:

  • Sync all users and groups, by creating a service account and delegating user and group permissions to it.
  • Sync only users who have been assigned the custom schema, by creating a custom schema for user accounts, and creating and assigning the user role.

Sync all users with service account from Google Console

Use this method to sync all users.

Creating a service account

From the Google Admin console, delegate the following permissions to that service account:

  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.directory.group.readonly

For that service account you should also create a private key in JSON format.

Creating a JSON key

Save the file locally. Go back to the Codefresh settings and fill in the following fields:

  • JSON Keyfile - enter contents of the JSON file
  • Admin email - The user that has access to admin.google.com

Sync users by assigning custom schema to user accounts

Use this method to sync only those users who have been assigned the user role with the custom schema.

  1. Navigate to the Google Directory API.
  2. Add the following schema:

     {
       "schemaName": "SSO",
       "displayName": "SSO",
       "fields": [
         {
           "fieldType": "STRING",
           "fieldName": "UserRole",
           "displayName": "UserRole",
           "multiValued": true,
           "readAccessType": "ADMINS_AND_SELF"
         }
       ]
     }

  3. In the GSuite Admin panel, go to Apps > SAML.

SAML apps in GSuite Admin panel

  4. Expand the Attribute Mapping settings, and add a Role attribute with the above schema for SSO and UserRole.
  5. For every user to be synced, in the User Information screen, scroll to SSO > UserRole, and assign the user role.

User Information screen in GSuite
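As an added example (not part of the Codefresh docs or the Codefresh CLI), the following Python checks the SSO custom schema definition above and shows which users the "custom schema" method would pick up, given user records in the shape the Directory API returns. The user records are constructed sample data, and the layout of a multi-valued custom field as a list of {"value": ...} objects is an assumption about the Directory API response.

```python
# The custom schema from the steps above: one multi-valued STRING field, SSO.UserRole.
SSO_SCHEMA = {
    "schemaName": "SSO",
    "displayName": "SSO",
    "fields": [{"fieldType": "STRING", "fieldName": "UserRole", "displayName": "UserRole",
                "multiValued": True, "readAccessType": "ADMINS_AND_SELF"}],
}

FIELD_TYPES = {"STRING", "INT64", "BOOL", "DOUBLE", "EMAIL", "PHONE", "DATE"}
READ_ACCESS = {"ADMINS_AND_SELF", "ALL_DOMAIN_USERS"}


def validate_schema(schema):
    """Return a list of problems with a custom schema definition (empty if it is usable)."""
    problems = []
    if not schema.get("schemaName"):
        problems.append("schemaName is required")
    for field in schema.get("fields", []):
        name = field.get("fieldName") or "<unnamed>"
        if field.get("fieldType") not in FIELD_TYPES:
            problems.append(f"{name}: unsupported fieldType {field.get('fieldType')!r}")
        # Role data should stay readable only by admins and the user themselves.
        if field.get("readAccessType") not in READ_ACCESS:
            problems.append(f"{name}: unsupported readAccessType {field.get('readAccessType')!r}")
    return problems


def users_by_role(users, schema="SSO", field="UserRole"):
    """Group user emails by the roles assigned in the custom schema.

    Assumption: a multi-valued custom field comes back from the Directory API as a list of
    {"value": ...} objects under user["customSchemas"][schema][field]. Users without the
    schema, or with no role value, are skipped: they are not synced.
    """
    roles = {}
    for user in users:
        for entry in user.get("customSchemas", {}).get(schema, {}).get(field, []):
            roles.setdefault(entry["value"], []).append(user["primaryEmail"])
    return {role: sorted(emails) for role, emails in roles.items()}


# Constructed sample records (not real data) in the shape of Directory API users.list output.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com",
     "customSchemas": {"SSO": {"UserRole": [{"value": "developer"}, {"value": "admin"}]}}},
    {"primaryEmail": "bob@example.com",
     "customSchemas": {"SSO": {"UserRole": [{"value": "developer"}]}}},
    {"primaryEmail": "carol@example.com"},  # no SSO schema assigned, so not synced
]
```

Running `users_by_role(SAMPLE_USERS)` returns only alice and bob, grouped by role; carol has no SSO.UserRole value and is left out.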

Configure sync setting in Codefresh SAML

This is required only if you are syncing users via a custom schema.

  1. In the Codefresh UI, open the SAML configuration screen.
  2. In the Sync field, set the value to the custom schemaName.

SAML Sync Setting in Codefresh for Google GSuite

Now you can synchronize teams with the Codefresh CLI.

See the overview page on how to test the integration, activate SSO for collaborators and create sync jobs.