SSO Configuration
Reblaze provides the ability to log in using SSO (single sign-on). Configuration varies depending on the type of SSO: Okta, Microsoft, or Google.
Set up Okta SSO
Step 1: Register on Okta, and create an application
Go to https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active
Click Add Application → Create New App
Choose Platform: Web, sign-in method: OIDC (OAuth 2.0)
Set these attributes:
Sign-in redirect URIs: https://<planet-name>.dev.app.reblaze.io/auth/okta-oauth2-<planet-name>/authorization-code/callback
Federation Broker mode: disabled
Step 2: Create group
In order to pass the Admin group ID, we need to add a custom attribute to the user groups.
Directory > Profile Editor > Apps > click on Profile
Now map it: Directory > Profile Editor > Apps > click on Mappings
Assign the group reblazeadmin to your app.
Copy the values for Client ID and a new client secret.
Step 3: Add parameters to Reblaze
On the Reblaze SSO page (System -> SSO Configuration), fill in the requested values. For Issuer, use your Okta account. For IDP Group Claim, use the group you created above in Step 2.
Set up Microsoft Azure SSO
Step 1: Go to Azure Portal → Enterprise applications
Step 2: Create the application
Choose + New Application → + Create your own application.
Step 3: Create the SSO app
Select Integrate any other application you don't find in the gallery (Non-gallery).
Step 4: Select SAML method
Go to the Single sign-on section and choose SAML.
Step 5: Set up appropriate links
Edit the Basic SAML Configuration:
Set Azure's Identifier (Entity ID) to https://<planet-name>.dev.app.reblaze.io. Also save a copy of this value somewhere; it will be needed again later.
Set Azure's Reply URL to https://<planet-name>.dev.app.reblaze.io/auth/azure-saml2-<planet-name>/authorization-code/callback
Step 6: Add a user group claim
Edit user.groups: click on + Add a group claim, and choose:
All groups
Source attribute: Group ID
Step 7: Add a user as a member of the application.
Step 8: Get admin group ID
Go to Azure Active Directory → Groups, and create a group. Then assign a user to the group.
Step 9: Get SAML 2 data for Reblaze
From Azure's Single sign-on section, copy the Entity ID (entered during a previous step) and the Login URL.
From the Groups Overview section, copy the Object Id. (This should be the same ID from Step 8.)
Add these parameters to the Reblaze SSO page. For Reblaze's IDP group claim, use Azure's Object Id.
Set up Google SSO
Step 1: Generate new OAuth credentials
Go to Google APIs & Services Credentials: https://console.cloud.google.com/apis/credentials
Click Create Credentials -> OAuth client ID
Step 2: Configure the new OAuth client ID
For Application type, select Web application
Specify a Name for this client ID. (This name is only shown in the Google Cloud console.)
Step 3: Add authorized URIs
Define the domains and endpoints used by your planet to communicate with the OAuth 2.0 server:
Authorized JavaScript origins: https://<planet-name>.dev.app.reblaze.io
Authorized redirect URIs: https://<planet-name>.dev.app.reblaze.io/auth/google-oauth2-<planet-name>/authorization-code/callback
Step 4: Create and get credentials
When you are done with the above steps, select Create. The new client ID will be created and displayed to you.
Copy the credentials (client ID + client secret) for use in the following steps.
Step 5: Enable the Admin SDK API
Navigate to https://console.developers.google.com
In the APIs & Services menu, select Library
Search for "Admin SDK API", and select the result. The Admin SDK page will appear.
Select ENABLE if it isn't already enabled.
Step 6: Authorize the API client
Navigate to admin.google.com
Select Security -> Settings
At the bottom of the page, select API access control
Select Domain wide delegation -> Manage domain wide delegation
In the API Client section, select Add New
In the Client Name field, enter the client ID from Step 4 above.
In the One or More API Scopes field, enter this:
https://www.googleapis.com/auth/admin.directory.group.readonly
Select Authorize
Step 7: Configure Reblaze SSO
Within the Reblaze console, go to the SSO page (System -> SSO Configuration).
Enabled: if not already "on", toggle it
SSO login name: choose a name for display within the console
Provider: select google
OAuth2 Client id: enter the client ID obtained in Step 4
OAuth2 Client secret: enter the client secret obtained in Step 4
Protocol: select oauth2
JWT token group property name: select email
Step 8: Map groups
Every Reblaze user account has a role, with an Access Level that defines permissions. There are four Access Levels available, with varying capabilities.
When a user logs in via Google SSO, the system uses their Google Groups to determine which role they will have within Reblaze.
In this step, you will define (if necessary) and connect Google groups to Reblaze roles.
Determine how many roles are being used within your planet. (Some organizations will use all four, while others might not.)
Navigate to https://groups.google.com/my-groups. Consider the Groups that currently exist; would any map well to a Reblaze role? For each role that does not currently have an appropriate Google Group, select Create Group and define one.
Return to the Reblaze SSO Configuration page. For each role being used, create a group map with:
An IDP Group Claim containing the email associated with the corresponding Google Group
The Reblaze role
SSO configuration within Reblaze is now complete. User management now consists of ensuring that each user is a member of the appropriate Google Group. For example: a Google Group has been created for editors@reblaze.com, and within Reblaze, this email address is mapped to the role of Editor. Every user who should have Editor permissions can receive them merely by being added to the editors@reblaze.com Google Group.
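The group-map logic described for Google (Step 8) is the same one the Okta (IDP Group Claim = group name) and Azure (IDP group claim = group Object Id) sections rely on: the identity provider reports the groups a user belongs to, and each configured group map pairs one group identifier with one Reblaze role. The following is an added example written for this page, not Reblaze's own code; it assumes that the groups arrive as a claim whose name is passed in (the real claim name differs per provider), that for Google the group emails have already been resolved, that the four Access Levels rank as shown (only "Editor" is named on this page; the other role names and the Azure GUID are constructed), and that a user in several mapped groups gets the most privileged mapped role.

```python
"""Resolve a role from an identity provider's group claim (added example).

Models the group maps described on this page: IDP Group Claim -> role.
The claim value differs per provider: Okta sends a group name, Azure SAML
sends the group's Object Id (a GUID), Google is keyed on the Google Group's
email. Unknown groups are ignored and a user with no mapped group gets no
role, so the check fails closed.
"""
from typing import Mapping, Optional

# Placeholder ranking; the page says there are four Access Levels but names
# only "Editor". Higher number = more privilege (assumption of this example).
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}

# Constructed group maps (IDP Group Claim -> role). The GUID is made up.
GROUP_MAPS = {
    "reblazeadmin": "Admin",                           # Okta group name (from Step 2)
    "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b": "Admin",   # Azure group Object Id (constructed)
    "editors@reblaze.com": "Editor",                   # Google Group email (from Step 8)
    "viewers@reblaze.com": "Viewer",                   # constructed
}


def groups_from_claims(claims: Mapping[str, object], claim_name: str) -> list[str]:
    """Return the group identifiers carried in claims[claim_name].

    Providers differ in shape: a JSON array when the user is in several groups,
    a bare string when in exactly one. Anything else (missing, null, wrong type)
    yields an empty list so the caller fails closed instead of guessing.
    """
    raw = claims.get(claim_name)
    if isinstance(raw, str):
        return [raw]
    if isinstance(raw, (list, tuple)):
        return [g for g in raw if isinstance(g, str)]
    return []


def resolve_role(
    claims: Mapping[str, object],
    claim_name: str,
    group_maps: Mapping[str, str] = GROUP_MAPS,
    role_rank: Mapping[str, int] = ROLE_RANK,
) -> Optional[str]:
    """Map the user's groups to a single role, or None when nothing matches.

    Matching is exact and case-sensitive: group names, GUIDs and emails are
    identifiers, not free text, so no normalisation is applied. When several
    mapped groups match, the most privileged role wins (example's assumption).
    """
    matched = {group_maps[g] for g in groups_from_claims(claims, claim_name) if g in group_maps}
    if not matched:
        return None
    return max(matched, key=lambda role: role_rank.get(role, 0))


if __name__ == "__main__":
    # Constructed sample claims for each provider shape.
    okta = {"sub": "user-1", "groups": ["Everyone", "reblazeadmin"]}
    azure = {"groups": ["0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"]}
    google_one = {"groups": "editors@reblaze.com"}          # bare string
    google_many = {"groups": ["editors@reblaze.com", "viewers@reblaze.com"]}
    nobody = {"groups": ["Everyone"]}                       # no mapped group
    for name, claims in [("okta", okta), ("azure", azure), ("google_one", google_one),
                         ("google_many", google_many), ("nobody", nobody)]:
        print(f"{name}: {resolve_role(claims, 'groups')}")
```

The `None` result is the important branch: a login whose token carries no mapped group should land in no role rather than in a default one, which is what makes "add the user to the Google Group" the single point of control the page describes.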