SSO - Google

Objective

This document provides instructions on how to configure Google SSO integration to F5® Distributed Cloud Services for your enterprise account. For an overview of F5® Distributed Cloud Console, see About.

Note: SSO setup requires you to be of the tenant owner type user. Navigate to General > IAM > Users. Select on the Show/hide column, select the Type field, and select Apply to display the Type column. For the tenant owner, the Type column displays Tenant Owner and others, it displays User.

Prerequisites

The following prerequisites apply:

  • Google Cloud Account with Admin Access
  • Note: This can be an existing G-Suite account.

Configuration Steps

Step 1: Create project in Google Developer Console.
Figure: GCP IAM and Admin View

Figure: GCP IAM and Admin View

  • Enter a project name.

  • Set a project ID using the EDIT button as per your preference.

  • Select Create.

Figure: Create a new project

Figure: Create a new project

Step 2: Start OAuth consent settings.

  • Select - menu icon to right of Google Cloud Platform in upper-left corner.

  • Select APIs & Services in pop-out menu.

  • Select OAuth consent screen.

  • Select Internal.

  • Select Create button.

Figure: API Credentials

Figure: API Credentials

Step 3: Fill in OAuth consent screen details.
Step 4: Create OAuth credentials.

  • Open Credentials tab.

  • Select OAuth client ID under Create credentials button.

  • Create OAuth client ID and client secret.

Figure: Credentials Tab

Figure: Credentials Tab

Note: Leave Authorized redirect URIs field as blank, this can be provided once the URI is obtained from F5 Distributed Cloud Console SSO Portal.

Step 5: Copy the generated credentials.

Once credentials are created a Client ID and Client Secret are generated which are required to set SSO. Copy the same to be provided in F5® Distributed Cloud Console.

Step 6: Start SSO setup in the F5 Distributed Cloud Console.

Features can be viewed, and managed in multiple services.

This example shows SSO setup in Administration.

  • Open F5 Distributed Cloud Console homepage, select Administration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select Tenant Settings in left column menu > select Tenant Options.

Note: If options are not showing available select Advanced nav options visible Show link in bottom left corner. Select Hide to minimize options from Advanced nav options mode if needed.

  • Select Set up SSO button.
Figure: SSO

Figure: SSO

  • Select Google in Please choose a service Provider in pop-up window.

  • Select Continue button.

Step 7: Set OAuth Credentials and Hosted Domain.

Default Scopes: OpenID Connect (OIDC) introduces the concept of "scopes" from OAuth 2.0. A scope is a way to limit the amount of information and access given to an application. When a client application wants to access resources on behalf of a user, it requests specific scopes. These scopes inform the user of the type of access the application is requesting during the authorization process.

F5 Distributed Cloud recommends default scopes of openid profile email NOT openidprofileemail.

Note: Multiple scope values are used by creating a space delimited, because it is the OIDC standard specification by IETF although we do handle automatic validation/modification.

  • Provide Client ID and Client Secret obtained from previous steps.

Note: Recommended default scopes: openid profile email. Multiple scope values are used by creating a Space Delimited during SSO setup in F5 console.

  • Enter Default Scopes.

Note: Any entered value will be combined with preset value: openid profile email NOT openidprofileemail. Input spaces between words to include multiple scope values. To avoid additional steps with form Update Account Information, confirm Client ID contains First Name (family_name), Last Name (given_name), Email. OIDC standard specification by IETF - automatic validation/modification is supported on console, but not suggested in this form.

Figure: Default Scopes

Figure: Default Scopes

  • Enter domain in Hosted Domain box.

  • Select Continue.

Note: This example uses ves.io as the domain.

Figure: Client ID and Client Secret

Figure: Client ID and Client Secret

Note: The Hosted Domain is the domain where your accounts are hosted and only accounts of that domain are listed. You can also enter * for this field to use any hosted account.

Step 8: Copy Redirect URL.
  • Copy the displayed Redirect URL.

Note: This is used in OAuth client configuration in later steps.

  • Select Done.
Figure: Well Known URL

Figure: Well Known URL

Step 9: Add authorized domain in Google Developer Console for your OAuth settings.

  • Log back into the Google Developer Console.

  • Select API & Services section.

  • select on OAuth consent screen.

  • Select EDIT APP.

  • Under Authorized domains > add f5.com as the domain.

Figure: Add Authorized Domain

Figure: Add Authorized Domain

Step 10: Add Redirect URL in credentials page.

  • Select Credentials.

  • Edit the OAuth 2.0 Client ID to add authorized redirect URI (obtained in Step 8).

  • Select Save button.

Figure: Configure Redirect URI

Figure: Configure Redirect URI

Step 11: Log out of F5 Distributed Cloud Console. Subsequent logins get serviced through Google.

Log out of the F5 Distributed Cloud Console.

Note: The subsequent logins get serviced through Google.

Concepts

API References

On this page: