Learn more about how to configure Google Workspace to be an SSO provider to issue SSH credentials to specific groups of users.
Covered in this video:
- Example Teleport with local login
- Configure Google Workspace
- Creating Service Account
- Manage API scope
- Create OIDC Connector in Teleport
- tctl create gworkspace.yaml
- Example login with Google button
Using Google Workspace SSO with Teleport
Ben: Hi, Ben with Teleport, and today I’ll be walking you through how you can use Google Workspaces to log into Teleport. Now, this is one of our more complicated SSO integrations due to a few things you need to set up with Google Workspaces. Misha recorded this with 4.1. Most of it is the same, but I’m just going to give you a refresh for Teleport 6. You need to be a G Suite super admin, so this is likely your — you might have to work closely with your IT department to get all of the positions and roles needed to make this work. You also need the ability to create a GCP project, also in a sort of super admin, have a verified Domain name, and you need to set up Groups. In my environment, I’ve always set up Teleport using Getting Started guide.
Example Teleport with local login
Ben: I log in here, teleport-admin. And Login. You can see that I have the Team. I have Users and Roles. Actually, before, you see that I didn’t have auth connectors yet. I’m going to need to configure this later. But let’s just sort of walk through the instructions to get us started.
Configure Google Workspace
Ben: So first thing to do is obtain the OAuth2 credentials. So we have this page here. We’re going to the Credentials page. And the first thing you’re going to do is make sure that you’re logged in to the right user. This is my personal account, so I’m going to log in under the practice account. And you see, I have a few credentials from older demos. So let’s go back. We want to make sure that we have an OAuth client ID. And it’s going to be a web application. Give it a name. And we also need to add in here the authorized redirect URL. So this is going to be — you have the instructions here. It’s going to be the cluster name plus cluster port, and then this is just list added. Okay, so now I have the client ID, which I’m going to just save it to the scratchpad here for use later. And we’ll just check the domain for verification. So in our case, we don’t have any domain verified so need to set this up. So it’s going to be asteroid.earth. The other thing, we need to add a DNS provider. And it’s just for the — just a text record that we need to create.
Ben: Okay. So we now have it verified. Okay, so let’s go back to our instructions and add it for our cluster name, which is going to be six-one, and we have this domain we need to add. Okay, so now we have the OAuth2 credentials. We have the redirect URL. So let’s come in here. Next thing we need to do is create a service account. This service account is going to be used for obtaining Groups, and this is going to be in GCP.
Creating service account
Ben: Next up, we’re going to create the service account Teleport, so I’m just going to call it teleport-six-one. And then for Role Type, we can just leave this empty. Role and Access — we just leave empty. So we have the account created, six-one, this one here. So the next one is, we leave the Service Account’s Permissions blank and Roles and Admin blank. And then we need to enable accounts delegation. The service account we just created and service G Suite Y delegation, which means later. Next up, we need to download the Service Account JSON. Account page. We add a key. I’m just going to save it to file. And then go on to the next step. So this file needs to be uploaded to the authentication server, and then we’ll reference this later as Google Service Account URI.
Manage API scope
Ben: Next up, we need to do is we need to manage the API scopes. This is a little bit complicated, so we need to go now to our G-Suite domain, so Google Workspace. I’m just logging in as the practice user. So in here, we will come in, and we want to be selecting Security, Settings. And then Advanced Settings, Managed API [inaudible]. So Security, API Controls, and select this Manage Domain Y Delegation. And then in here, when we add here, this client ID has to be the client ID of the service account, not the client ID of the OAuth connector. So let me give you an example. In here, we have 61 Teleport. This Client ID is the incorrect one. You come down here and see the service account that we created. We use this Service ID. So if I come back to do my delegation, and then the OAuth scopes, we have this snippet here.
Creating OIDC Connector in Teleport
Ben: So next up, we’re going to create the OIDC connector. To get started, I’m just going to put this into a scratchpad that we had earlier to get things going. So here’s my scratchpad. We have — this was our client ID, and then this is our secret. We’re going to map roles, claim of groups, and then this is going to link to our Google Groups. Our group email has to be one that exists in our G Suite domain name, so if I come into our app to see which groups we have. Do we have a directory of users and groups? I have one group called Dev. One group called Admins. I’m going to use the Admins group. [email protected] The G Suite, Google Suite Admin, in my case — it’s this user here, which is [email protected] I’m going to upload this file, and this was the one that we downloaded earlier. Issuer is from Google. The redirect URI is going to be the one that we already set, so it’s, in my case, it is six-one-sso.asteroid.earth. And then on Port 443. And we’re scoping for open ID and email.
Ben: Okay. So this is now ready to go. And we’re going to use tctl on the Auth Server. So come to my terminal. I’m going to ssh into this host. So Teleport is installed. Teleport version is 6.1 beta. And then I’m going to create a gsuite.yaml. And paste this in. And you see everything is configured.
tctl create gworkspace.yaml
Ben: So the next thing we need to do is to create this file gsuite-creds.json. And because I don’t need it, we’ll come in here. Here is the service credentials. Okay. And we already have a few roles. In my case, we used the role Admin. Actually, I’m going to — we have a few built-in roles now, so I’m going to actually edit the gsuite.yaml and then make this into access.
Example login with Google button
Ben: And then the last thing we need to use is we use tctl to create this connector. And you can see, ‘gsuite’ has been connected. So now I come here. If I log out, we now have a “Login With Google” button. So we select an account again. And now you can see that I have connected, and everything works successfully. I’ve been now logged in as [email protected] And everything has been configured. This brings me to the end. If you have any questions, please leave comments below. Thank you.