This post is only written for Google and Azure, although for our managed service customers we can add any identity provider (IDP) that is supported by OIDC.
In order to connect your Google or Azure IDP you need to create and provide some credentials. This post shows what information you need to send to us and where to find it; the Azure steps come first, followed by the Google steps.
- Go to https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade and click Add an app in the Azure portal.
- Click New registration.
- Under Supported account types pick Accounts in any organizational directory (Any Azure AD directory – Multitenant).
- Under Redirect URI select Web and insert the dex URL that we provide; if unsure, ask your contact person at Elastisys.
- In Overview you have the application ID.
- To create the secret go to Certificates & secrets.
- Select the tab Client secret and press New client secret.
- Set expiry date to 24 months.
- Send the application ID and secret to us via e.g. https://yopass.elastisys.com.
- To make it more secure, navigate to Properties in Azure AD and send us the tenant ID as well. With the tenant ID configured, only accounts from your own tenant can authenticate towards the cluster; without it, the multitenant registration accepts sign-ins from any Azure AD directory.
- Provide the name of the Azure AD group that should have admin privileges in the cluster.
- For Google, to create the credentials go to https://console.cloud.google.com/apis/credentials.
- Create a new project through the top menu.
- In the new project, go to OAuth consent screen on the left side menu and create an internal consent screen.
- Go to Enabled APIs & services on the left side menu and then click + ENABLE APIS AND SERVICES.
- Search for Admin SDK API and enable the API.
- Go back to Credentials on the left side menu.
- Click + CREATE CREDENTIALS of type OAuth client ID.
- Select Web Application for Application type, give it a suitable name and set the Authorized redirect URIs to the dex URL that we provide; if unsure, ask your contact person at Elastisys.
- Send the client ID and client secret to us e.g. via https://yopass.elastisys.com.
To set up groups, follow these steps; note that steps 7-9 below can only be done by an administrator.
1. Go to https://console.cloud.google.com/iam-admin/serviceaccounts?orgonly=true.
2. Make sure that you are in the same project that you created previously (see top menu).
3. Click on + CREATE SERVICE ACCOUNT and give it a suitable name.
4. Note down the Unique ID of the service account as you will need it soon.
5. Go to the newly created service account and then under the KEYS tab click ADD KEY and create a new key of type JSON.
6. Send the content of the JSON file to us via e.g. https://yopass.elastisys.com.
7. You need to give the service account read access to groups: go to the admin console https://admin.google.com.
8. Navigate through the menu to Security > Access and data control > API Controls, click Manage Domain Wide Delegation and then Add New.
9. In the Client ID field put the Unique ID of the service account from step 4 and in the OAuth Scopes field enter this scope: https://www.googleapis.com/auth/admin.directory.group.readonly
10. Finally, provide the name of the Google group that should have admin privileges in the cluster.
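To show where each of the values collected above ends up, here is an added example of a dex `connectors` section for the two providers. It is not part of the original post or of Elastisys' own configuration; all angle-bracket values are placeholders, the redirect URI is whatever dex URL Elastisys provides, and the `adminEmail` field (the Workspace admin the service account impersonates) is an assumption not covered by the steps above.

```yaml
# Added example, not the original post's configuration.
# <...> values are placeholders to be replaced with the credentials
# produced by the steps above.
connectors:
  # Azure AD: application ID from Overview, secret from Certificates & secrets.
  - type: microsoft
    id: microsoft
    name: Azure AD
    config:
      clientID: "<APPLICATION_ID>"
      clientSecret: "<CLIENT_SECRET>"
      redirectURI: "<DEX_REDIRECT_URL_PROVIDED_BY_ELASTISYS>"
      # Tenant ID from Azure AD > Properties. Without it the multitenant
      # registration accepts sign-ins from any Azure AD directory.
      tenant: "<TENANT_ID>"
      # Only members of this group are let through dex; it is the group
      # that is then given admin privileges in the cluster.
      groups:
        - "<AZURE_AD_ADMIN_GROUP_NAME>"

  # Google: OAuth client ID and secret from the Credentials page, plus the
  # service-account key (JSON from step 5) used to read group membership
  # through the Admin SDK via domain-wide delegation.
  - type: google
    id: google
    name: Google
    config:
      clientID: "<CLIENT_ID>.apps.googleusercontent.com"
      clientSecret: "<CLIENT_SECRET>"
      redirectURI: "<DEX_REDIRECT_URL_PROVIDED_BY_ELASTISYS>"
      serviceAccountFilePath: /etc/dex/google-service-account.json
      # Assumption: a Workspace admin the service account impersonates when
      # listing groups; not part of the steps in this post.
      adminEmail: "<admin@example.com>"
      groups:
        - "<google-admin-group@example.com>"
```

The `groups` lists are allow-lists: a user who authenticates successfully at the IDP but is not a member of a listed group is still rejected by dex, so the tenant ID and the group name together decide who can reach the cluster.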