SSO Configuration

Reblaze provides the ability to log in using SSO (single sign-on). Configuration varies depending on the type of SSO: Okta, Microsoft, or Google.

Set up Okta SSO

Step 1: register on Okta, and create an application

Go to https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active

Click Add Application → Create New App

Choose Platform: Web, sign-in method OIDC (OAuth 2.0)

Set these attributes:

Sign-in redirect URIs:

https://<planet-name>.dev.app.reblaze.io/auth/okta-oauth2-<planet-name>/authorization-code/callback

Federation Broker mode: disabled

Step 2: Create group

In order to pass the Admin group ID, we need to add a custom attribute to the user groups. Directory > Profile Editor > Apps > Click on Profile

Now map it:

Directory > Profile Editor > Apps > Click on Mappings

Assign group reblazeadmin to your app.

Copy the values for Client ID and a new client secret:

Step 3: Add parameters to Reblaze

On the Reblaze SSO page (System -> SSO Configuration):

Fill in the requested values. For Issuer, use your Okta account. For IDP Group Claim, use the group you created above in Step 2.

Set up Microsoft Azure SSO

Step 1: Go to Azure Portal → Enterprise applications

Step 2. Create the application

Choose + New Application → + Create your own application:

Step 3: Create the SSO app

Select Integrate any other application you don't find in the gallery (Non-gallery)

Step 4: Select SAML method

Go to Single sign-on section and choose SAML:

Step 5: Set up appropriate links

Edit the Basic SAML Configuration:

• Set Azure's Identifier (Entity ID) to https://<planet-name>.dev.app.reblaze.io. Also save a copy of this value somewhere; it will be needed again later.

• Set Azure's Reply URL to https://<planet-name>.dev.app.reblaze.io/auth/azure-saml2-<planet-name>/authorization-code/callback

Step 6: Add a user group claim

Edit user.groups:

Click on +Add a group claim, and choose:

• All groups

• Source attribute: Group ID

Step 7: Add a user as a member of the application:

Step 8: Get admin group ID

Go to Azure Active Directory → Groups, and create a group.

And assign a user to the group:

Step 9: Get SAML 2 data for Reblaze

From Azure's Single sign-on section, copy the Entity ID (entered during a previous step) and Login URL:

And from the Groups Overview section, copy the Object Id. This should be the same ID from Step 8.)

Add these parameters to the Reblaze SSO page. For Reblaze's IDP group claim, use Azure's Object Id.

Set up Google SSO

Step 1: Generate new OAuth credentials

1. Go to Google APIs & Services Credentials: https://console.cloud.google.com/apis/credentials

2. Click Create Credentials (shown below) -> OAuth client ID

Step 2: Configure the new OAuth client ID

1. For Application type, select Web application

2. Specify a Name for this client ID. (This name is only shown in the Google Cloud console.)

Step 3: Add authorized URIs

Define the domains and endpoints used by your planet to communicate with the OAuth 2.0 server:

• Authorized JavaScript origins: https://<planet-name>.dev.app.reblaze.io

• Authorized redirect URIs: https://<planet-name>.dev.app.reblaze.io/auth/google-oauth2-<planet-name>/authorization-code/callback

Step 4: Create and get credentials

1. When you are done with the above steps, select Create. The new client ID will be created and displayed to you.

2. Copy the credentials (client id + client secret) for use in the following steps below.

Step 5: Enable the Admin SDK API

1. Navigate to https://console.developers.google.com

2. In the APIs & Services menu, select Library

3. Search for "Admin SDK API", and select the result. The Admin SDK page will appear.

4. Select ENABLE if it isn't already enabled.

Step 6: Authorize the API client

1. Navigate to admin.google.com

2. Select Security -> Settings

3. At the bottom of the page, select API access control

4. Select Domain wide delegation -> Manage domain wide delegation

5. In the API Client section, select Add New

6. In the Client Name field, enter the client ID from Step 4 above.

7. In the One or More API Scopes field, enter this: https://www.googleapis.com/auth/admin.directory.group.readonly

8. Select Authorize

Step 7: Configure Reblaze SSO

Within the Reblaze console, go to the SSO page (System -> SSO Configuration).

• Enabled: if not already "on", toggle it

• SSO login name: choose a name for display within the console

• Provider: select google

• OAuth2 Client id: enter the client id obtained in Step 4

• OAuth2 Client secret: enter the client secret obtained in Step 4

• Protocol: select oauth2

• JWT token group property name: select email

Step 8: Map groups

Every Reblaze user account has a role, with an Access Level that defines permissions. There are four Access Levels available, with varying capabilities.

When a user logs in via Google SSO, the system uses their Google Groups to determine which role they will have within Reblaze.

In this step, you will define (if necessary) and connect Google groups to Reblaze roles.

1. Determine how many roles are being used within your planet. (Some organizations will use all four, while others might not.)

2. Navigate to https://groups.google.com/my-groups. Consider the Groups that currently exist; would any map well to a Reblaze role? For each role that does not currently have an appropriate Google Group, select Create Group and define one.

3. Return to the Reblaze SSO Configuration page. For each role being used, create a group map with:

   • An IDP Group Claim containing the email associated with the corresponding Google Group

   • The Reblaze role

4. SSO configuration within Reblaze is now complete. User management now consists of ensuring that each user is a member of the appropriate Google Group. For example: a Google Group has been created for editors@reblaze.com, and within Reblaze, this email address is mapped to the role of Editor. Every user who should have Editor permissions can receive them merely by being added to the editors@reblaze.com Google Group.