SSO - Google
Objective
This document provides instructions on how to configure Google SSO integration to F5® Distributed Cloud Services for your enterprise account. For an overview of F5® Distributed Cloud Console, see About.
Note: SSO setup requires you to be a user of the tenant owner type. Navigate to General > IAM > Users. Select Show/hide column, select the Type field, and select Apply to display the Type column. For the tenant owner, the Type column displays Tenant Owner; for others, it displays User.
Prerequisites
The following prerequisites apply:
- A valid Enterprise account.
- Note: If you do not have an account, see Create an Account.
- Google Cloud Account with Admin Access
- Note: This can be an existing G-Suite account.
Configuration Steps
Step 1: Create project in Google Developer Console.
- Log into Google Developer Console with your administrator access.
- Select Create Project.
Figure: GCP IAM and Admin View
- Enter a project name.
- Set a project ID using the EDIT button as per your preference.
- Select Create.
Figure: Create a new project
Step 2: Start OAuth consent settings.
- Select the menu icon to the right of Google Cloud Platform in the upper-left corner.
- Select APIs & Services in the pop-out menu.
- Select OAuth consent screen.
- Select Internal.
- Select the Create button.
Figure: API Credentials
Step 3: Fill in OAuth consent screen details.
Step 4: Create OAuth credentials.
- Open Credentials tab.
- Select OAuth client ID under Create credentials button.
- Create OAuth client ID and client secret.
Figure: Credentials Tab
Note: Leave the Authorized redirect URIs field blank; it can be filled in once the URI is obtained from the F5 Distributed Cloud Console SSO Portal.
Step 5: Copy the generated credentials.
Once the credentials are created, a Client ID and Client Secret are generated, which are required to set up SSO. Copy both so they can be provided in F5® Distributed Cloud Console.
Step 6: Start SSO setup in the F5 Distributed Cloud Console.
Features can be viewed and managed in multiple services. This example shows SSO setup in Administration.
- Open F5 Distributed Cloud Console homepage, select Administration box.
Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.
Figure: Homepage
Note: Confirm the Namespace feature is in the correct namespace; the drop-down selector is located in the upper-left corner. Not available in all services.
- Select Tenant Settings in left column menu > select Tenant Options.
Note: If options are not shown, select the Advanced nav options visible Show link in the bottom-left corner. Select Hide to minimize options from Advanced nav options mode if needed.
- Select Set up SSO button.
Figure: SSO
- Select Google in Please choose a service Provider in pop-up window.
- Select Continue button.
Step 7: Set OAuth Credentials and Hosted Domain.
Default Scopes: OpenID Connect (OIDC) introduces the concept of "scopes" from OAuth 2.0. A scope is a way to limit the amount of information and access given to an application. When a client application wants to access resources on behalf of a user, it requests specific scopes. These scopes inform the user of the type of access the application is requesting during the authorization process.
F5 Distributed Cloud recommends default scopes of openid profile email, NOT openidprofileemail.
Note: Multiple scope values are given as a space-delimited list, because that is the OIDC standard specification by IETF, although we do handle automatic validation/modification.
- Provide Client ID and Client Secret obtained from previous steps.
Note: Recommended default scopes: openid profile email. Multiple scope values are entered as a space-delimited list during SSO setup in F5 console.
- Enter Default Scopes.
Note: Any entered value will be combined with preset value: openid profile email NOT openidprofileemail. Input spaces between words to include multiple scope values. To avoid additional steps with form Update Account Information, confirm Client ID contains First Name (family_name), Last Name (given_name),
Figure: Default Scopes
- Enter domain in Hosted Domain box.
- Select Continue.
Note: This example uses ves.io as the domain.
Figure: Client ID and Client Secret
Note: The Hosted Domain is the domain where your accounts are hosted and only accounts of that domain are listed. You can also enter * for this field to use any hosted account.
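How the space-delimited scope value and the Hosted Domain setting from this step look in an OIDC exchange with Google, as an added Python example that is not F5's or Google's code. The function names, the placeholder client ID and the redirect URL are assumptions; the endpoint, the `hd` request parameter and the `hd` ID token claim are Google's documented names, and the treatment of `*` as "any account that carries an `hd` claim" is this example's reading of the note above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

PRESET_SCOPES = ("openid", "profile", "email")  # preset value named on this page
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def merge_scopes(entered: str) -> str:
    """Combine entered scopes with the preset into one space-delimited value."""
    merged = list(PRESET_SCOPES)
    for scope in entered.split():  # each whitespace-separated token is one scope
        if scope not in merged:
            merged.append(scope)
    return " ".join(merged)


def build_auth_url(client_id, redirect_uri, scope, hosted_domain, state, nonce):
    """Build the authorization request a relying party sends to Google."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match an Authorized redirect URI
        "scope": scope,
        "hd": hosted_domain,  # only a hint to Google's account chooser
        "state": state,
        "nonce": nonce,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def hosted_domain_ok(claims: dict, hosted_domain: str) -> bool:
    """Enforce Hosted Domain on the claims of an already verified ID token."""
    hd = claims.get("hd")  # absent for consumer (non-hosted) Google accounts
    if hosted_domain == "*":
        return bool(hd)  # assumption: "*" accepts any hosted account
    return hd == hosted_domain


def demo():
    # Constructed placeholder values, not real credentials or F5 URLs.
    url = build_auth_url("CLIENT_ID_PLACEHOLDER", "https://sso.example.invalid/callback",
                         merge_scopes(""), "ves.io", "state123", "nonce456")
    return parse_qs(urlsplit(url).query)["scope"][0]


if __name__ == "__main__":
    print(demo())
```

Because the `hd` request parameter can be altered on the client side, the domain restriction only holds when the `hd` claim of the signature-verified ID token is checked as in `hosted_domain_ok`.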
Step 8: Copy Redirect URL.
- Copy the displayed Redirect URL.
Note: This is used in OAuth client configuration in later steps.
- Select Done.
Figure: Well Known URL
Step 9: Add authorized domain in Google Developer Console for your OAuth settings.
- Log back into the Google Developer Console.
- Select API & Services section.
- Select OAuth consent screen.
- Select EDIT APP.
- Under Authorized domains > add f5.com as the domain.
Figure: Add Authorized Domain
Step 10: Add Redirect URL in credentials page.
- Select Credentials.
- Edit the OAuth 2.0 Client ID to add authorized redirect URI (obtained in Step 8).
- Select Save button.
Figure: Configure Redirect URI
Step 11: Log out of F5 Distributed Cloud Console. Subsequent logins get serviced through Google.
Log out of the F5 Distributed Cloud Console.
Note: The subsequent logins get serviced through Google.