SSO - Google

• Log into Google Developer Console with your administrator access.

• Select Create Project.

• Enter a project name.

• Set a project ID using the EDIT button as per your preference.

• Select Create.

• Select - menu icon to right of Google Cloud Platform in upper-left corner.

• Select APIs & Services in pop-out menu.

• Select OAuth consent screen.

• Select Internal.

• Select Create button.

• Open Credentials tab.

• Select OAuth client ID under Create credentials button.

• Create OAuth client ID and client secret.

Note: Leave Authorized redirect URIs field as blank, this can be provided once the URI is obtained from F5 Distributed Cloud Console SSO Portal.

Once credentials are created a Client ID and Client Secret are generated which are required to set SSO. Copy the same to be provided in F5® Distributed Cloud Console.

Features can be viewed, and managed in multiple services.

This example shows SSO setup in Administration.

• Open F5 Distributed Cloud Console homepage, select Administration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

• Select Tenant Settings in left column menu > select Tenant Options.

Note: If options are not showing available select Advanced nav options visible Show link in bottom left corner. Select Hide to minimize options from Advanced nav options mode if needed.

• Select Set up SSO button.

• Select Google in Please choose a service Provider in pop-up window.

• Select Continue button.

Default Scopes: OpenID Connect (OIDC) introduces the concept of "scopes" from OAuth 2.0. A scope is a way to limit the amount of information and access given to an application. When a client application wants to access resources on behalf of a user, it requests specific scopes. These scopes inform the user of the type of access the application is requesting during the authorization process.

F5 Distributed Cloud recommends default scopes of openid profile email NOT openidprofileemail.

Note: Multiple scope values are used by creating a space delimited, because it is the OIDC standard specification by IETF although we do handle automatic validation/modification.

• Provide Client ID and Client Secret obtained from previous steps.

Note: Recommended default scopes: openid profile email. Multiple scope values are used by creating a Space Delimited during SSO setup in F5 console.

• Enter Default Scopes.

Note: Any entered value will be combined with preset value: openid profile email NOT openidprofileemail. Input spaces between words to include multiple scope values. To avoid additional steps with form Update Account Information, confirm Client ID contains First Name (family_name), Last Name (given_name), Email. OIDC standard specification by IETF - automatic validation/modification is supported on console, but not suggested in this form.

• Enter domain in Hosted Domain box.

• Select Continue.

Note: This example uses ves.io as the domain.

Note: The Hosted Domain is the domain where your accounts are hosted and only accounts of that domain are listed. You can also enter * for this field to use any hosted account.

• Copy the displayed Redirect URL.

Note: This is used in OAuth client configuration in later steps.

• Select Done.

• Log back into the Google Developer Console.

• Select API & Services section.

• select on OAuth consent screen.

• Select EDIT APP.

• Under Authorized domains > add f5.com as the domain.

• Select Credentials.

• Edit the OAuth 2.0 Client ID to add authorized redirect URI (obtained in Step 8).

• Select Save button.

Log out of the F5® Distributed Cloud Console.

Note: The subsequent logins get serviced through Google.