Google (OIDC)
Setting Up Google Single Sign-On (SSO)
This page describes how to set up Google as an identity provider (IDP) for Codefresh. For general SSO setup instructions, see the overview page.
Create Client Secret
Log in to https://console.developers.google.com/ and select Credentials in the left sidebar. Click the Create Credentials button and choose OAuth client ID from the drop-down menu.
In the next screen select Web application as the Application type. Enter a name for your integration (user-defined). Add https://g.codefresh.io as a URI in the Authorized JavaScript origins section.
Click the Create button. You will see a dialog with the Client ID and Client Secret values. Note down both of these values; you will need them in the Codefresh configuration screen.
Enter details on the Codefresh side
Go back into Codefresh and choose Google in the SSO Settings.
In the configuration screen fill in the following:
- DISPLAY NAME - Friendly SSO name (arbitrary)
- CLIENT ID - Use the value you got from the previous section
- CLIENT SECRET - Use the value you got from the previous section
After clicking SAVE you’ll see the generated Client Name:
Note this down as you will use it in the Google Console.
Setup Redirect URI
Go back to the Google Console Developer dashboard and click the edit button on the OAuth 2.0 Client ID that you created earlier.
Use the Client Name from the previous section to generate the Authorized Redirect URI, in the form https://g.codefresh.io/api/auth/<Client Name>/callback:
- Example Client Name: t0nlUJoqQlDv
- Example Redirect URI: https://g.codefresh.io/api/auth/t0nlUJoqQlDv/callback
This concludes the basic SSO setup for Google. For team/group synchronization you also need a service account.
Synchronize teams with the Codefresh CLI
The Codefresh configuration screen also has optional fields for configuring team synchronization via the Codefresh CLI.
You can do one of the following:
- Sync all users and groups, by creating a service account and delegating user and group permissions to it.
- Sync only users who have been assigned the custom schema, by creating a custom schema for user accounts, and creating and assigning the user role.
Sync all users with service account from Google Console
Use this method to sync all users.
Create a service account and, in the Google admin console, delegate the following permissions (API scopes) to it:
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
For that service account you should also create a private key in JSON format.
Save the file locally. Go back to the Codefresh settings and fill in the fields:
- JSON Keyfile - enter the contents of the JSON file
- Admin email - the user that has access to admin.google.com
Sync users by assigning custom schema to user accounts
Use this method to sync only those users who have been assigned the user role with the custom schema.
- Navigate to the Google Directory API.
- Add the following schema:
  {
    "schemaName": "SSO",
    "displayName": "SSO",
    "fields": [
      {
        "fieldType": "STRING",
        "fieldName": "UserRole",
        "displayName": "UserRole",
        "multiValued": true,
        "readAccessType": "ADMINS_AND_SELF"
      }
    ]
  }
- In the GSuite Admin panel, go to Apps > SAML.
- Expand the Attribute Mapping settings, and add a Role attribute with the above schema for SSO and UserRole.
- For every user to be synced, in the User Information screen, scroll to SSO > UserRole and assign the user role.
Configure sync setting in Codefresh SAML
This is required only if you are syncing users via a custom schema.
- In the Codefresh UI, open the SAML configuration screen.
- In the Sync field, set the value to the custom schemaName.
Now you can synchronize teams with the Codefresh CLI.
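As an added example (not part of this page or of Codefresh's own tooling), the following Python script ties together the Redirect URI rule from the earlier section and the custom schema sync described above: it derives the Authorized Redirect URI from a Client Name and checks a configured value for an exact match, builds the SSO/UserRole schema body, and filters Directory API user records down to those that carry a UserRole value. The user records are constructed sample data, and the customSchemas shape (a list of {"value": ...} objects for a multi-valued field) is an assumption about the Directory API response.

```python
import json

CODEFRESH_ORIGIN = "https://g.codefresh.io"

def redirect_uri(client_name: str) -> str:
    """Authorized Redirect URI Codefresh expects for a generated Client Name."""
    return f"{CODEFRESH_ORIGIN}/api/auth/{client_name}/callback"

def redirect_uri_matches(configured: str, client_name: str) -> bool:
    """Google compares redirect URIs exactly, so check the full string:
    a trailing slash or a different scheme is a different URI and login fails."""
    return configured == redirect_uri(client_name)

def sso_schema(schema_name: str = "SSO", field_name: str = "UserRole") -> dict:
    """Custom schema body from this page, as submitted to the Directory API."""
    return {
        "schemaName": schema_name,
        "displayName": schema_name,
        "fields": [{
            "fieldType": "STRING",
            "fieldName": field_name,
            "displayName": field_name,
            "multiValued": True,
            "readAccessType": "ADMINS_AND_SELF",
        }],
    }

def users_to_sync(users: list, schema_name: str = "SSO", field_name: str = "UserRole") -> dict:
    """Return {email: [roles]} for users that have a value in the custom schema.
    Assumed Directory API shape for a multi-valued custom field:
    customSchemas -> {schema: {field: [{"value": ...}, ...]}}."""
    result = {}
    for user in users:
        values = user.get("customSchemas", {}).get(schema_name, {}).get(field_name, [])
        roles = [v["value"] for v in values if v.get("value")]
        if roles:  # users without an assigned role are not synced
            result[user["primaryEmail"]] = roles
    return result

# Constructed sample records: two users with the role assigned, one without.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com",
     "customSchemas": {"SSO": {"UserRole": [{"value": "developers"}]}}},
    {"primaryEmail": "bob@example.com",
     "customSchemas": {"SSO": {"UserRole": [{"value": "developers"}, {"value": "admins"}]}}},
    {"primaryEmail": "carol@example.com"},
]

if __name__ == "__main__":
    print(redirect_uri("t0nlUJoqQlDv"))
    print(json.dumps(sso_schema(), indent=2))
    print(users_to_sync(SAMPLE_USERS))
```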
What to read next
See the overview page on how to test the integration, activate SSO for collaborators and create sync jobs.