Simplified, and de-duplicated many of the configuration settings. Removed configuration settings that could be deduced from other settings. Added some basic documentation. Removed the (duplicate?) user email domain validation check in proxy. Removed the ClientID middleware check. Added a shared key option to be used as a PSK instead of using the IDP's ClientID and ClientSecret. Removed the CookieSecure setting as we only support secure. Added a letsencrypt script to generate a wildcard certificate. Removed the argument in proxy's constructor that allowed arbitrary functions to be passed in as validators. Updated proxy's authenticator client to match the server implementation of just using a PSK. Moved debug-mode logging into the log package. Removed unused approval prompt setting. Fixed a bug where identity provider urls were hardcoded. Removed a bunch of unit tests. There have been so many changes many of these tests don't make sense and will need to be re-thought.
---
title: Identity Providers
description: >-
  This article describes how to connect pomerium to third-party identity providers / single-sign-on services. You will need to generate keys, copy these into your pomerium settings, and enable the connection.
---
# Identity Provider Configuration
This article describes how to configure pomerium to use a third-party identity service for single-sign-on.
A few configuration steps are required to integrate an identity provider. Most providers support OpenID Connect, which provides a standardized interface for authentication. For each identity provider, this guide covers how to:
- Register a Redirect URL with the identity provider; the provider sends the user back to this URL after authentication.
- Generate a Client ID and Client Secret.
- Configure pomerium with the Client ID and Client Secret.
## Google

Log in to your Google account and go to APIs & services. Navigate to Credentials using the left-hand menu.
On the Credentials page, click Create credentials and choose OAuth Client ID.
On the Create Client ID page, select Web application. In the new fields that display, set the following parameters:
Field | Description |
---|---|
Name | The name of your web app |
Authorized redirect URIs | `https://${redirect-url}/oauth2/callback` |
Click Create to proceed.
Your Client ID and Client Secret will be displayed.

Set the Client ID and Client Secret in pomerium's settings. Your environment variables should look something like this:

```bash
export REDIRECT_URL="https://sso-auth.corp.beyondperimeter.com/oauth2/callback"
export IDP_PROVIDER="google"
export IDP_PROVIDER_URL="https://accounts.google.com"
export IDP_CLIENT_ID="yyyy.apps.googleusercontent.com"
export IDP_CLIENT_SECRET="xxxxxx"
```
## Okta
Log in to your Okta account and head to your Okta dashboard. Select Applications on the top menu. On the Applications page, click the Add Application button to create a new app.
On the Create New Application page, select Web as the platform for your application.
Next, provide the following information for your application settings:
Field | Description |
---|---|
Name | The name of your application. |
Base URIs (optional) | The domain(s) of your application. |
Login redirect URIs | `https://${redirect-url}/oauth2/callback` |
Group assignments (optional) | The user groups that can sign in to this application. |
Grant type allowed | You must enable Refresh Token. |
Click Done to proceed. You'll be taken to the General page of your app. Scroll down to the Client Credentials section; it contains the Client ID and Client Secret used in the next step.
At this point, configure the integration from the pomerium side. Your environment variables should look something like this:

```bash
export REDIRECT_URL="https://sso-auth.corp.beyondperimeter.com/oauth2/callback"
export IDP_PROVIDER="okta"
export IDP_PROVIDER_URL="https://dev-108295-admin.oktapreview.com/"
export IDP_CLIENT_ID="0oairksnr0C0fEJ7l0h7"
export IDP_CLIENT_SECRET="xxxxxx"
```
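Both the Google and Okta sections above end with the same set of exported variables, and the most common mistakes are the same for either provider: an `http://` redirect URL (the IdP delivers the authorization code to it), a redirect URL that does not end in pomerium's `/oauth2/callback` path, a provider URL that is not `https://`, and the `xxxxxx` placeholder secret left in place. The pre-flight check below is an added example, not part of pomerium; it reads the variable names used on this page, knows only the two providers this guide covers, and the function name `check_idp_env` is ours.

```shell
#!/bin/sh
# Added example (not pomerium code): pre-flight check of the identity provider
# settings this guide tells you to export. Variable names are those used on
# the page; the function name check_idp_env is an assumption of this example.

# Returns 0 when the settings look sane, 1 otherwise, printing one line per
# problem so a misconfiguration is caught before the proxy starts.
check_idp_env() {
    rc=0

    # The IdP redirects the browser, carrying the authorization code, to this
    # URL. It must be the exact https URL registered with the IdP and must end
    # in pomerium's callback path.
    case "${REDIRECT_URL:-}" in
        https://*/oauth2/callback) ;;
        http://*) echo "REDIRECT_URL: must use https, not http"; rc=1 ;;
        *)        echo "REDIRECT_URL: expected https://<host>/oauth2/callback"; rc=1 ;;
    esac

    # The provider URL is where OpenID Connect discovery happens; over plain
    # http the discovery document and token endpoint could be tampered with.
    case "${IDP_PROVIDER_URL:-}" in
        https://*) ;;
        *) echo "IDP_PROVIDER_URL: must be an https URL"; rc=1 ;;
    esac

    case "${IDP_PROVIDER:-}" in
        "") echo "IDP_PROVIDER: not set"; rc=1 ;;
        google)
            # Google's issuer is fixed (see the Google section); anything else
            # is a typo or a lookalike domain.
            if [ "${IDP_PROVIDER_URL:-}" != "https://accounts.google.com" ]; then
                echo "IDP_PROVIDER_URL: Google expects https://accounts.google.com"; rc=1
            fi ;;
        okta) ;;   # any https Okta org URL is acceptable here
        *) echo "IDP_PROVIDER: '$IDP_PROVIDER' is not covered by this guide"; rc=1 ;;
    esac

    if [ -z "${IDP_CLIENT_ID:-}" ]; then
        echo "IDP_CLIENT_ID: not set"; rc=1
    fi

    # Catch the placeholder value from the examples being left in place.
    case "${IDP_CLIENT_SECRET:-}" in
        "")     echo "IDP_CLIENT_SECRET: not set"; rc=1 ;;
        xxxxxx) echo "IDP_CLIENT_SECRET: still the placeholder from the docs"; rc=1 ;;
    esac

    return $rc
}

# Usage, after exporting the variables from this guide:
#   sh check_idp_env.sh --check
if [ "${1:-}" = "--check" ]; then
    check_idp_env
fi
```

Run it from the same shell session in which you exported the variables, so it sees the values pomerium will see. The Client Secret is a credential: keep the file that exports it out of version control and readable only by the user that runs pomerium.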