website/integrations: add google workspace integration (#5729)
* website/integrations: add google workspace integration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
parent 22ee587e9f
commit 41de8f1191
@ -26,9 +26,9 @@ The following placeholders will be used:
|
||||||
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
|
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
|
||||||
|
|
||||||
- ACS URL: `https://signin.aws.amazon.com/saml`
|
- ACS URL: `https://signin.aws.amazon.com/saml`
|
||||||
- Audience: `urn:amazon:webservices`
|
|
||||||
- Issuer: `authentik`
|
- Issuer: `authentik`
|
||||||
- Binding: `Post`
|
- Binding: `Post`
|
||||||
|
- Audience: `urn:amazon:webservices`
|
||||||
|
|
||||||
You can of course use a custom signing certificate, and adjust durations.
|
You can of course use a custom signing certificate, and adjust durations.
|
||||||
|
|
||||||
|
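Review bot: this hunk only moves the `- Audience: \`urn:amazon:webservices\`` bullet from second to last position, below `- Binding: \`Post\``; the four values themselves are unchanged, so the change is a cosmetic reorder. Since it lands in an otherwise unrelated Google Workspace commit, a short mention in the commit message (for example, that the order now matches the SAML provider form) would stop it from looking accidental.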
@ -100,10 +100,10 @@ Additional Preparation:
|
||||||
|
|
||||||
In AWS:
|
In AWS:
|
||||||
|
|
||||||
- In AWS navigate to: `IAM Identity Center -> Settings -> Identity Source (tab)`
|
- In AWS navigate to: _IAM Identity Center_ -> _Settings_ -> _Identity Source (tab)_
|
||||||
- On the right side click `Actions -> Change identity source`
|
- On the right side click _Actions_ -> _Change identity source_
|
||||||
- Select `External Identity Provider`
|
- Select _External Identity Provider_
|
||||||
- Under `Service Provider metadata` download the metadata file.
|
- Under _Service Provider metadata_ download the metadata file.
|
||||||
|
|
||||||
Now go to your authentik instance, and perform the following steps.
|
Now go to your authentik instance, and perform the following steps.
|
||||||
|
|
||||||
|
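Review bot: in `_IAM Identity Center_ -> _Settings_ -> _Identity Source (tab)_` the parenthetical "(tab)" is an aside, not part of the UI label, so it should sit outside the italics: `_Identity Source_ (tab)`. The switch from backticks to italics for UI labels is otherwise consistent with the SCIM section further down, which already uses `_Backchannel providers_` and `_Run sync again_`.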
@ -118,10 +118,10 @@ Now go to your authentik instance, and perform the following steps.
|
||||||
|
|
||||||
Now go back to your AWS instance
|
Now go back to your AWS instance
|
||||||
|
|
||||||
- Under `Identity provider metadata` upload both the the `Metadata` file and `Signing Certificate` that authentik gave you.
|
- Under _Identity provider metadata_ upload both the the _Metadata_ file and _Signing Certificate_ that authentik gave you.
|
||||||
- Click `Next`.
|
- Click _Next_.
|
||||||
- In your settings pane, under the tab `Identity Source`, click `Actions -> Manage Authentication`.
|
- In your settings pane, under the tab _Identity Source_, click _Actions_ -> _Manage Authentication_.
|
||||||
- Take note of the `AWS access portal sign-in URL` (this is especially important if you changed it from the default).
|
- Take note of the _AWS access portal sign-in URL_ (this is especially important if you changed it from the default).
|
||||||
|
|
||||||
Now go back to your authentik instance.
|
Now go back to your authentik instance.
|
||||||
|
|
||||||
|
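Review bot: the duplicated "the the" survives the reformatting in "upload both the the _Metadata_ file and _Signing Certificate_ that authentik gave you"; since the line is being touched anyway, fix it to "upload both the _Metadata_ file and the _Signing Certificate_ that authentik gave you." The italics changes on the remaining lines of the hunk look fine.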
@ -141,8 +141,8 @@ Some people may opt TO USE the automatic provisioning feature called SCIM (Syste
|
||||||
SCIM allows you to synchronize (part of) your directory to AWS's IAM, saving you the hassle of having to create users by hand.
|
SCIM allows you to synchronize (part of) your directory to AWS's IAM, saving you the hassle of having to create users by hand.
|
||||||
In order to do so, take the following steps in your AWS Identity Center:
|
In order to do so, take the following steps in your AWS Identity Center:
|
||||||
|
|
||||||
- In your `Settings` pane, locate the `Automatic Provisioning` Info box. Click `Enable`.
|
- In your _Settings_ pane, locate the _Automatic Provisioning_ information box. Click _Enable_.
|
||||||
- AWS will give you an `SCIM Endpoint` and a `Access Token`. Take note of these values.
|
- AWS will give you an _SCIM Endpoint_ and a _Access Token_. Take note of these values.
|
||||||
|
|
||||||
Go back to your authentik instance
|
Go back to your authentik instance
|
||||||
|
|
||||||
|
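Review bot: "AWS will give you an _SCIM Endpoint_ and a _Access Token_" has both articles wrong: SCIM is read as a word, so it is "a _SCIM Endpoint_", and "a _Access Token_" must be "an _Access Token_". Since this line is edited anyway, it is also worth saying that the access token is a bearer credential that lets the holder create and modify users and groups in IAM Identity Center, so "take note of these values" should become "store the access token securely" rather than only noting it down.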
@ -172,4 +172,4 @@ return {
|
||||||
- Under _Backchannel providers_ add the SCIM provider that you created.
|
- Under _Backchannel providers_ add the SCIM provider that you created.
|
||||||
- Click _Update_
|
- Click _Update_
|
||||||
|
|
||||||
The SCIM provider should sync automatically whenever you create/alter/remove anything. You can manually sync by going to your SCIM provider and click the _Run sync again_ button. Once the SCIM provider has synced, you should see the users and groups in your AWS IAM center.
|
The SCIM provider syncs automatically whenever you create/update/remove users, groups, or group membership. You can manually sync by going to your SCIM provider and clicking _Run sync again_. After the SCIM provider has synced, you should see the users and groups in your AWS IAM center.
|
||||||
|
|
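Review bot: the rewritten sentence ends with "you should see the users and groups in your AWS IAM center", while the earlier hunks in this same file name the service "IAM Identity Center"; use the same name here. The rest of the rewording (syncing on create/update/remove of users, groups, or group membership; "clicking _Run sync again_") is a clear improvement.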
website/integrations/services/google/index.md
61 lines, new file
@ -0,0 +1,61 @@
|
||||||
|
---
|
||||||
|
title: Google Workspace
|
||||||
|
---
|
||||||
|
|
||||||
|
<span class="badge badge--primary">Support level: authentik</span>
|
||||||
|
|
||||||
|
## What is Google Workspace
|
||||||
|
|
||||||
|
From https://en.wikipedia.org/wiki/Google_Workspace
|
||||||
|
|
||||||
|
:::note
|
||||||
|
Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google.
|
||||||
|
:::
|
||||||
|
|
||||||
|
## Preparation
|
||||||
|
|
||||||
|
The following placeholders will be used:
|
||||||
|
|
||||||
|
- `authentik.company` is the FQDN of the authentik install.
|
||||||
|
- `example.com` is the default E-mail address configured in Google workspace.
|
||||||
|
|
||||||
|
## authentik Configuration
|
||||||
|
|
||||||
|
Create an application in authentik and note the slug, as this will be used later. Set the _Launch URL_ to `https://mail.google.com/a/example.com`.
|
||||||
|
|
||||||
|
Create a SAML provider with the following parameters:
|
||||||
|
|
||||||
|
- ACS URL: `https://www.google.com/a/example.com/acs`
|
||||||
|
- Issuer: `google.com/a/example.com`
|
||||||
|
- Binding: `Post`
|
||||||
|
- Audience: `google.com/a/example.com`
|
||||||
|
|
||||||
|
Under _Advanced protocol settings_, set the option _NameID Property Mapping_ to the default E-mail property mapping called _authentik default SAML Mapping: Email_. Also make sure a _Signing Certificate_ is selected in the same section.
|
||||||
|
|
||||||
|
Copy the values of _SSO URL (Redirect)_ and _SLO URL (Redirect)_ fields from the provider page.
|
||||||
|
|
||||||
|
Click the _Download_ button next to the _Download signing certificate_ label.
|
||||||
|
|
||||||
|
## Google Workspace Configuration
|
||||||
|
|
||||||
|
Log in to the Google Workspace Admin portal by navigating to https://admin.google.com/, and authenticating with a super-admin account.
|
||||||
|
|
||||||
|
Navigate to _Security_ -> _Authentication_ -> _SSO with third-party IdP_.
|
||||||
|
|
||||||
|
Open the _Third-party SSO profile for your organization_ section.
|
||||||
|
|
||||||
|
Check the checkbox _Set up SSO with third-party identity provider_.
|
||||||
|
|
||||||
|
Set the value of _Sign-in page URL_ to the copied _SSO URL (Redirect)_ from above.
|
||||||
|
|
||||||
|
Set the value of _Sign-out page URL_ to the copied _SLO URL (Redirect)_ from above.
|
||||||
|
|
||||||
|
For _Verification certificate_, upload the certificate that you downloaded previously.
|
||||||
|
|
||||||
|
Ensure the option _Use a domain specific issuer_ is enabled.
|
||||||
|
|
||||||
|
## Notes
|
||||||
|
|
||||||
|
Google will not use these SSO settings with super-admins, although they will apply for any other user account. User accounts must already exist in Google workspace when attempting to login with authentik; Google will not create them automatically.
|
||||||
|
|
||||||
|
To verify that the configuration is correct for a super-admin account, navigate to `https://mail.google.com/a/example.com`, which redirects to the configured authentik instance.
|
|
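Review bot: the two paragraphs under "## Notes" contradict each other: the first says "Google will not use these SSO settings with super-admins", but the second says "To verify that the configuration is correct for a super-admin account, navigate to `https://mail.google.com/a/example.com`, which redirects to the configured authentik instance". A super-admin will not be redirected, so the verification step should use a regular (non-super-admin) test account, or drop "for a super-admin account" altogether. Two smaller points in the same file: the placeholder line "`example.com` is the default E-mail address configured in Google workspace" describes a domain, not an e-mail address (the value is used as the domain in `https://mail.google.com/a/example.com`, `https://www.google.com/a/example.com/acs` and `google.com/a/example.com`), so "the primary domain configured in Google Workspace" would be accurate; and "Google workspace" should be capitalised "Google Workspace" as in the title. Finally, since the _Verification certificate_ uploaded to Google is the _Signing Certificate_ selected under _Advanced protocol settings_, a sentence noting that the certificate in Google has to be re-uploaded whenever the signing certificate is rotated in authentik would save readers an outage.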
@ -36,6 +36,7 @@ module.exports = {
|
||||||
label: "Cloud Providers",
|
label: "Cloud Providers",
|
||||||
items: [
|
items: [
|
||||||
"services/aws/index",
|
"services/aws/index",
|
||||||
|
"services/google/index",
|
||||||
"services/hashicorp-cloud/index",
|
"services/hashicorp-cloud/index",
|
||||||
"services/oracle-cloud/index",
|
"services/oracle-cloud/index",
|
||||||
],
|
],
|
||||||
|
|