
SSO GCP

Integration model

Authentication (OAuth2)

Anjana Data integrates using the standard OAuth2 flow for “Web apps”, as described in Google's documentation:

https://developers.google.com/identity/protocols/oauth2/web-server


The functionality is directly embedded in the Zeus authentication management microservice; it is enabled and configured through the configuration file of that microservice.


Authentication configuration

The security.authentication property configures the authentication providers to be used.

For GCP it is necessary to configure the following properties:

YAML
security:
  authentication:
    oidc:
      google:
        # Provider name as it will appear on the login page
        name: Anjana google
        # Provider URL used to authorize Anjana Portal users (use variables in the URL)
        authorize-url: https://accounts.google.com/o/oauth2/v2/auth?client_id=${security.authentication.oidc.providers.google.client-id}&response_type=code&scope=${security.authentication.oidc.providers.google.scopes}&redirect_uri=${security.authentication.oidc.providers.google.redirect-uri}
        # Provider URL used to authorize Portuno users (use variables in the URL)
        authorize-url-portuno: https://accounts.google.com/o/oauth2/v2/auth?client_id=${security.authentication.oidc.providers.google.client-id}&response_type=code&scope=${security.authentication.oidc.providers.google.scopes}&redirect_uri=${security.authentication.oidc.providers.google.redirect-uri-portuno}
        # Provider URL that handles token creation
        token-url: https://oauth2.googleapis.com/token
        # Scope of the provider authentication
        scopes: openid email
        # Identifier of the authentication client registered at the provider
        client-id: <clientId>
        # Secret of the authentication client registered at the provider
        client-secret: <clientSecret>
        # Provider authentication method
        client-authentication-method: BASIC
        # URI the browser must be redirected to after a successful login with the provider in the Anjana Portal
        redirect-uri: https://<host>/authorized
        # URI the browser must be redirected to after a successful login with the provider in the administrative portal (Portuno)
        redirect-uri-portuno: https://<host>/configpanel/authorized
        # Field that holds the username at the provider
        username-claim: email
        # Provider type
        type: GOOGLE
        # JSON with the required authentication content; it can be obtained directly from GCP
        json-content: '
            {
            "type": "service_account",
            "project_id": "AAAAAAAAAA",
            "private_key_id": "******************",
            "private_key": "-----BEGIN PRIVATE KEY----------END PRIVATE KEY-----",
            "client_email": "**************.com",
            "client_id": "*************",
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/*****.com"
            } '
        # Path to the JSON file with the authentication content; can be used instead of json-content
        json-path: /opt/AAAAA-aaabbbccc.json # absolute path --> /xxxxxx.json
        # Name of the delegated user used for authentication
        delegated: persona@dominio.com
        customer: CCC00
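As an added check that is not part of Zeus or its configuration loader, the following Python script resolves the ${...} property references that the authorize-url above relies on, and then verifies the resulting authorization URL: authorization-code flow, openid in the scope, https endpoints, and a redirect_uri equal to the configured redirect-uri (the URL Anjana sends the browser to, also for the transparent SSO redirect). The SAMPLE tree, hostnames and client id are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed provider block in the shape of the page's security.authentication
# tree; all values are fake and the placeholder paths are chosen so they resolve.
SAMPLE = {"security": {"authentication": {"oidc": {"providers": {"google": {
    "authorize-url": "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=${security.authentication.oidc.providers.google.client-id}"
    "&response_type=code"
    "&scope=${security.authentication.oidc.providers.google.scopes}"
    "&redirect_uri=${security.authentication.oidc.providers.google.redirect-uri}",
    "token-url": "https://oauth2.googleapis.com/token", "scopes": "openid email",
    "client-id": "EXAMPLE-CLIENT-ID", "redirect-uri": "https://anjana.example.test/authorized",
}}}}}}
GOOGLE = "security.authentication.oidc.providers.google"
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def lookup(cfg, dotted):
    """Walk a dotted property path through nested dicts; None if any part is absent."""
    node = cfg
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def resolve(cfg, text):
    """Expand ${a.b.c} references as the config loader does; returns (text, unresolved paths)."""
    missing = []
    def sub(m):
        val = lookup(cfg, m.group(1))
        if val is None:
            missing.append(m.group(1))
        return m.group(0) if val is None else str(val)  # keep the literal when unresolved
    return PLACEHOLDER.sub(sub, text), missing

def check_provider(cfg, path=GOOGLE):
    """Return findings for one provider block; an empty list means it passed."""
    prov = lookup(cfg, path) or {}
    url, missing = resolve(cfg, prov.get("authorize-url", ""))
    findings = [f"unresolved placeholder ${{{m}}}" for m in missing]
    q = parse_qs(urlsplit(url).query)
    redirect = q.get("redirect_uri", [""])[0]
    if urlsplit(url).scheme != "https" or urlsplit(prov.get("token-url", "")).scheme != "https":
        findings.append("authorize-url and token-url must both be https")
    if q.get("response_type") != ["code"]:
        findings.append("response_type must be 'code' (authorization-code flow)")
    if "openid" not in q.get("scope", [""])[0].split():
        findings.append("scope must include openid so an ID token is returned")
    if urlsplit(redirect).scheme != "https" or redirect != prov.get("redirect-uri"):
        findings.append("redirect_uri must be https and equal the configured redirect-uri")
    return findings
```

Run check_provider against the real tree after loading the YAML; an unresolved placeholder means the login redirect would carry the literal ${...} text instead of the client id, scopes or redirect URI.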


Active governance

In general, Anjana Data DSAs are represented as custom roles, and the signatories of those DSAs are associated with those roles through policies in each technology, where conditions are additionally applied to grant access to specific resources.

Required credentials

The credential can be a single one aggregating the permissions required by all plugins to be deployed, but it is recommended to keep it separate to facilitate monitoring and auditing of the activity performed by each one.


Authentication (OAuth2)

Currently it is necessary to enable access in both GCP and Gsuite in order to retrieve user information and the custom groups or roles they belong to. To do this, it is necessary to enable specific APIs in both and configure the domain delegation of the service account to be used so it can access the required Gsuite scopes.


Required APIs

  1. Admin SDK API

  2. Identity and Access Management (IAM) API

  3. Cloud Resource Manager API


Credential provisioning

OAuth 2.0 Client ID of type web application, with the authorized URLs pointing to the POC installation (https://<hostname>:<port>/anjana/login and https://<hostname>:<port>/anjana/authorized). The default package ships with an Apache self-signed certificate listening on port 8443. Documentation: https://developers.google.com/identity/protocols/oauth2/web-server


  • OAuth 2.0 Client of type service account with domain-wide delegation and the following permissions (docs: https://developers.google.com/admin-sdk/directory/v1/guides/delegation):

    • GCP roles (on the service account to be used in Zeus)

      • Role Viewer

      • Identity Platform Viewer

      • Identity Toolkit Viewer

      • Google Cloud Managed Identities Viewer

      • Functions Viewer

    • Application-level permissions (apply when registering the new web application)

      • Admin SDK API

        • .../auth/admin.directory.user.readonly

        • .../auth/admin.directory.user.alias.readonly

        • .../auth/admin.directory.customer.readonly

        • .../auth/admin.directory.domain.readonly

        • .../auth/admin.directory.group.readonly

        • .../auth/admin.directory.group.member.readonly

        • .../auth/admin.directory.orgunit.readonly

        • .../auth/iam

    • Gsuite scopes (apply in Gsuite when registering the web application under API controls)

      • Openid

        • https://www.googleapis.com/auth/admin.directory.user.readonly

        • https://www.googleapis.com/auth/admin.directory.group.readonly

        • https://www.googleapis.com/auth/admin.directory.group.member.readonly

        • https://www.googleapis.com/auth/admin.directory.domain.readonly

        • https://www.googleapis.com/auth/admin.directory.orgunit.readonly

        • https://www.googleapis.com/auth/cloud-platform

        • https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly


Register a web application



Several APIs are disabled by default and need to be enabled in the GCP API Library.




The following APIs are enabled:




Once enabled, on the permissions screen, the following are added.



Create OAuth Client ID



Copy, paste, and save the credentials JSON.




Create the service account




A service account key must be created.




A JSON file will be downloaded.


Register the service account

In Gsuite → Security → Access controls → API controls, register the service account and grant permissions on the required scopes:




Once inside, a new API client must be added.




Once in the menu, add the client ID of the service account created earlier, and add the following scopes:





Role assignment in GCP and Gsuite

In Google Cloud, role membership can be granted in two different ways:

  • Custom roles in GCP

  • Groups in Gsuite


Custom roles in GCP

Unlike Gsuite groups, this does not create a new email account and is managed entirely in GCP.

The procedure is as follows:

A custom role is created with the launch stage set to “General Availability”; note that the value taken as reference is the role ID, not its name.




The new custom role is assigned to a user in IAM.



Groups in Gsuite

When creating a new group in Gsuite, a new email account is generated.

The procedure for Gsuite groups is as simple as creating a group and adding the users you want to obtain that membership.




Active governance

The plugin to be deployed which will perform the active governance tasks that need to provision custom roles on GCP is “Tot plugin GCP IAM”; the required credential is described in its associated documentation. The rest of the available plugins for technologies integrated with GCP IAM will apply access policies in their respective technologies so that said role has access to the resources covered by the contract.


The active governance plugin for this platform works exclusively by creating and assigning roles, as these provide sufficient functionality and simplify administration by not generating groups in Gsuite.

SSO emulation via OAuth2

The OAuth2 protocol allows transparent authentication where possible: it is only necessary to redirect the user to https://<host>/provider=<provider identifier in zeus>. If the user is already logged in at that provider, and the policies configured there do not require re-validating the credential, the user is authenticated in Anjana Data in a completely transparent manner.