From 41de8f1191fd64b993f7bb86a8f3e4f144868edc Mon Sep 17 00:00:00 2001 From: Jens L Date: Thu, 25 May 2023 00:24:39 +0200 Subject: [PATCH] website/integrations: add google workspace integration (#5729) * website/integrations: add google workspace integration Signed-off-by: Jens Langhammer * Apply suggestions from code review Co-authored-by: Tana M Berry Signed-off-by: Jens L. * format Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer Signed-off-by: Jens L. Co-authored-by: Tana M Berry --- website/integrations/services/aws/index.md | 24 ++++---- website/integrations/services/google/index.md | 61 +++++++++++++++++++ website/sidebarsIntegrations.js | 1 + 3 files changed, 74 insertions(+), 12 deletions(-) create mode 100644 website/integrations/services/google/index.md diff --git a/website/integrations/services/aws/index.md b/website/integrations/services/aws/index.md index c4224df68..10a159827 100644 --- a/website/integrations/services/aws/index.md +++ b/website/integrations/services/aws/index.md @@ -26,9 +26,9 @@ The following placeholders will be used: Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters: - ACS URL: `https://signin.aws.amazon.com/saml` -- Audience: `urn:amazon:webservices` - Issuer: `authentik` - Binding: `Post` +- Audience: `urn:amazon:webservices` You can of course use a custom signing certificate, and adjust durations. 
@@ -100,10 +100,10 @@ Additional Preparation: In AWS: -- In AWS navigate to: `IAM Identity Center -> Settings -> Identity Source (tab)` -- On the right side click `Actions -> Change identity source` -- Select `External Identity Provider` -- Under `Service Provider metadata` download the metadata file. +- In AWS navigate to: _IAM Identity Center_ -> _Settings_ -> _Identity Source (tab)_ +- On the right side click _Actions_ -> _Change identity source_ +- Select _External Identity Provider_ +- Under _Service Provider metadata_ download the metadata file. Now go to your authentik instance, and perform the following steps. @@ -118,10 +118,10 @@ Now go to your authentik instance, and perform the following steps. Now go back to your AWS instance -- Under `Identity provider metadata` upload both the the `Metadata` file and `Signing Certificate` that authentik gave you. -- Click `Next`. -- In your settings pane, under the tab `Identity Source`, click `Actions -> Manage Authentication`. -- Take note of the `AWS access portal sign-in URL` (this is especially important if you changed it from the default). +- Under _Identity provider metadata_ upload both the the _Metadata_ file and _Signing Certificate_ that authentik gave you. +- Click _Next_. +- In your settings pane, under the tab _Identity Source_, click _Actions_ -> _Manage Authentication_. +- Take note of the _AWS access portal sign-in URL_ (this is especially important if you changed it from the default). Now go back to your authentik instance. 
@@ -141,8 +141,8 @@ Some people may opt TO USE the automatic provisioning feature called SCIM (Syste SCIM allows you to synchronize (part of) your directory to AWS's IAM, saving you the hassle of having to create users by hand. In order to do so, take the following steps in your AWS Identity Center: -- In your `Settings` pane, locate the `Automatic Provisioning` Info box. Click `Enable`. -- AWS will give you an `SCIM Endpoint` and a `Access Token`. Take note of these values. +- In your _Settings_ pane, locate the _Automatic Provisioning_ information box. Click _Enable_. +- AWS will give you an _SCIM Endpoint_ and a _Access Token_. Take note of these values. Go back to your authentik instance @@ -172,4 +172,4 @@ return { - Under _Backchannel providers_ add the SCIM provider that you created. - Click _Update_ -The SCIM provider should sync automatically whenever you create/alter/remove anything. You can manually sync by going to your SCIM provider and click the _Run sync again_ button. Once the SCIM provider has synced, you should see the users and groups in your AWS IAM center. +The SCIM provider syncs automatically whenever you create/update/remove users, groups, or group membership. You can manually sync by going to your SCIM provider and clicking _Run sync again_. After the SCIM provider has synced, you should see the users and groups in your AWS IAM center. diff --git a/website/integrations/services/google/index.md b/website/integrations/services/google/index.md new file mode 100644 index 000000000..8f8e8b159 --- /dev/null +++ b/website/integrations/services/google/index.md 
@@ -0,0 +1,61 @@ +--- +title: Google Workspace +--- + +Support level: authentik + +## What is Google Workspace + +From https://en.wikipedia.org/wiki/Google_Workspace + +:::note +Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google. +::: + +## Preparation + +The following placeholders will be used: + +- `authentik.company` is the FQDN of the authentik install. +- `example.com` is the default E-mail address configured in Google workspace. + +## authentik Configuration + +Create an application in authentik and note the slug, as this will be used later. Set the _Launch URL_ to `https://mail.google.com/a/example.com`. + +Create a SAML provider with the following parameters: + +- ACS URL: `https://www.google.com/a/example.com/acs` +- Issuer: `google.com/a/example.com` +- Binding: `Post` +- Audience: `google.com/a/example.com` + +Under _Advanced protocol settings_, set the option _NameID Property Mapping_ to the default E-mail property mapping called _authentik default SAML Mapping: Email_. Also make sure a _Signing Certificate_ is selected in the same section. + +Copy the values of _SSO URL (Redirect)_ and _SLO URL (Redirect)_ fields from the provider page. + +Click the _Download_ button next to the _Download signing certificate_ label. + +## Google Workspace Configuration + +Log in to the Google Workspace Admin portal by navigating to https://admin.google.com/, and authenticating with a super-admin account. + +Navigate to _Security_ -> _Authentication_ -> _SSO with third-party IdP_. + +Open the _Third-party SSO profile for your organization_ section. + +Check the checkbox _Set up SSO with third-party identity provider_. + +Set the value of _Sign-in page URL_ to the copied _SSO URL (Redirect)_ from above. + +Set the value of _Sign-out page URL_ to the copied _SLO URL (Redirect)_ from above. + +For _Verification certificate_, upload the certificate that you downloaded previously. 
+ +Ensure the option _Use a domain specific issuer_ is enabled. + +## Notes + +Google will not use these SSO settings with super-admins, although they will apply for any other user account. User accounts must already exist in Google workspace when attempting to login with authentik; Google will not create them automatically. + +To verify that the configuration is correct for a super-admin account, navigate to `https://mail.google.com/a/example.com`, which redirects to the configured authentik instance. diff --git a/website/sidebarsIntegrations.js b/website/sidebarsIntegrations.js index 4d3a9ad9b..9361e3b5c 100644 --- a/website/sidebarsIntegrations.js +++ b/website/sidebarsIntegrations.js @@ -36,6 +36,7 @@ module.exports = { label: "Cloud Providers", items: [ "services/aws/index", + "services/google/index", "services/hashicorp-cloud/index", "services/oracle-cloud/index", ],
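Review bot: the `@@ -118,10 +118,10 @@` hunk of website/integrations/services/aws/index.md carries the doubled article "both the the _Metadata_ file" over from the old line into the rewritten one; since the line is being touched anyway to swap backticks for italics, drop the duplicate: `- Under _Identity provider metadata_ upload both the _Metadata_ file and _Signing Certificate_ that authentik gave you.`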
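Review bot: the `@@ -141,8 +141,8 @@` hunk of website/integrations/services/aws/index.md keeps "a _Access Token_" from the old line; the article should be "an", e.g. `- AWS will give you an _SCIM Endpoint_ and an _Access Token_. Take note of these values.` While here, "Take note of these values" is worth extending with a sentence that the Access Token is a bearer credential for the provisioning endpoint and should be stored as a secret rather than in notes, since the same value is later pasted into the authentik SCIM provider.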
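Review bot: the `@@ -172,4 +172,4 @@` hunk of website/integrations/services/aws/index.md still refers to "your AWS IAM center" in the rewritten sentence, while the earlier hunks in the same file name the product _IAM Identity Center_; use the same name here so readers know which console to check after the sync.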
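Review bot: in the new website/integrations/services/google/index.md, the placeholder list under "Preparation" describes `example.com` as "the default E-mail address configured in Google workspace", but every later use treats it as a domain (`https://mail.google.com/a/example.com`, the ACS URL `https://www.google.com/a/example.com/acs`, the Issuer and Audience `google.com/a/example.com`); describe it as the primary domain of the Google Workspace tenant instead. Two smaller points in the same file: "Google workspace" appears twice in lowercase where the title and heading use "Google Workspace", and the "Notes" section first states that Google does not apply these SSO settings to super-admins, then says "To verify that the configuration is correct for a super-admin account, navigate to `https://mail.google.com/a/example.com`, which redirects to the configured authentik instance", which reads as contradictory; reword it to say explicitly whether that URL is the way for a super-admin to test the redirect despite being exempt, or whether the check should be done with a regular user account.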