Improve this page on GitHub

Google (OIDC)

Setting Up Google Single Sign-On (SSO)

In this page we will see the process of setting up Google IDP with Codefresh. For the general instructions of SSO setup see the overview page.

Create Client Secret

Log in https://console.developers.google.com/ and select Credentials on the left sidebar. Click the Create Credentials button and choose OAuth client ID from the drop down menu.

In the next screen select Web application as the Application type. Enter a name for your integration (user-defined). Add as URI https://g.codefresh.io in the Authorized JavaScript origins section.

Click the Create button. You will see a dialog with the client Id and secret values. Note down both of these values.

You will need the Client ID and secret in the Codefresh configuration screen.

Enter details on the Codefresh side

Go back into Codefresh and choose Google at the SSO Settings

In the configuration screen fill in the following:

DISPLAY NAME - Friendly SSO name (arbitrary)
CLIENT ID - Use the value you got from the previous section
CLIENT SECRET - Use the value you got from the previous section

After clicking SAVE you’ll see the generated Client Name:

Note this down as you will use it in the Google Console.

Setup Redirect URI

Go back to the Google Console Developer dashboard and click the edit button on the OAuth 2.0 Client IDs that you created before.

Use the Client Name from the previous section to generate the Authorized Redirect URIs

Example Client Name: t0nlUJoqQlDv
Example Redirect URI: https://g.codefresh.io/api/auth/t0nlUJoqQlDv/callback

This concludes the basic SSO setup for Google. For team/group synchronization you also need a service account.

Synchronize teams with the Codefresh CLI

In the Codefresh configuration screen there are some optional fields that you can fill, to configure team synchronization via the Codefresh CLI.

You can do one of the following:

Sync all users and groups, by creating a service account and delegating user and group permissions to it.
Sync only users who have been assigned the custom schema, by creating a custom schema for user accounts, and creating and assigning the user role.

Sync all users with service account from Google Console

Use this method to sync all users.

Delegate from the Google admin console the following permissions:

https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly

For that service account you should also create a private key in JSON format.

Save the file locally. Go back to the Codefresh settings and fill in the fields

JSON Keyfile - enter contents of the JSON file
Admin email - The user that has access to admin.google.com

Sync users by assigning custom schema to user accounts

Use this method to sync only those users who have been assigned the user role with the custom schema.

Navigate to the Google Directory API.

Add the following schema:

 {  
   "schemaName": "SSO",  
   "displayName": "SSO",  
   "fields": [  
     {  
       "fieldType": "STRING",  
       "fieldName": "UserRole",  
       "displayName": "UserRole",  
       "multiValued": true,  
       "readAccessType": "ADMINS_AND_SELF"  
     }  
  ]
 }

In the GSuite Admin panel, go to Apps > SAML.

Expand the Attribute Mapping settings, and add a Role attribute with the above schema for SSO and UserRole.

For every user to be synced, in the User Information screen, scroll to SSO > UserRole, and assign the user role.

Configure sync setting in Codefresh SAML

This is required only if you are syncing users via a custom schema.

In the Codefresh UI, open the SAML configuration screen.
In the Sync field, set the value to the custom schemaName.

SAML Sync Setting in Codefresh for Google GSuite

Now you can synchronize teams with the Codefresh CLI .

What to read next

See the overview page on how to test the integration, activate SSO for collaborators and create sync jobs.