docs: add quickstart & document google provider setup #23
It is used to provide single-sign-on authentication and authorization for internal web applications behind it by ensuring that only people in a specific email domain (and optionally users in specific Google Groups) can access them. It consists of two processes - `sso-auth` and `sso-proxy`. | ||
It depends on Google as its authoritative OAuth2 provider, and authenticates | ||
users against a specific email domain. Further authorization based on Google | ||
Group membership can be required on a per-upstream basis. |
I tweaked the README here because there was some redundancy in the opening two paragraphs, which both gave a brief intro to what sso is!
Looks good!
# =========================================================================== | ||
sso-proxy: | ||
image: buzzfeed/sso:latest # change this to `build: ..` to try local changes | ||
entrypoint: /bin/sso-proxy |
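Review bot: `image: buzzfeed/sso:latest` on the `sso-proxy` service is a floating tag, so an image already cached on the reader's machine can be older than the one this quickstart assumes and nothing in the file will show it. Consider pinning a release tag or digest here, or have the quickstart text tell readers to pull the image before starting the stack.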
@danbf I'm pretty sure this is an indication that you're not actually running the latest docker image
nvm, yup: this fixed it `docker rm -f $(docker ps -aq); docker rmi -f $(docker image list -q)`
|
||
sso-auth: | ||
image: buzzfeed/sso:latest # change this to `build: ..` to try local changes | ||
entrypoint: /bin/sso-auth |
nvm, yup: this fixed it `docker rm -f $(docker ps -aq); docker rmi -f $(docker image list -q)`
- 'sso-auth.localtest.me:172.20.0.1' | ||
|
||
sso-auth: | ||
image: buzzfeed/sso:latest # change this to `build: ..` to try local changes |
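Review bot: The hard-coded `172.20.0.1` in `'sso-auth.localtest.me:172.20.0.1'` at the top of this hunk has no comment saying which address it is or why it is fixed. Add a short comment, and make sure the compose network's subnet is pinned in this file so the mapping cannot drift if Docker assigns a different range.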
can we set this to `buzzfeed/sso:release-1.0.0`?
# - http://httpbin.sso.localtest.me | ||
# =========================================================================== | ||
sso-proxy: | ||
image: buzzfeed/sso:latest # change this to `build: ..` to try local changes |
can we set this to `buzzfeed/sso:release-1.0.0`?
docs/google_provider_setup.md
Outdated
- **Service account name**: Any appropriate name is fine. We recommend `sso-authenticator`. | ||
- **Service account ID**: Google will generate this as you type the "account name". We recommend | ||
leaving as-is. | ||
- **Project rol**: No project roles are required for `sso`. |
`Project role` missing e
Good eye, fixed!
This uses docker-compose to spin up an example deployment of sso and two protected upstreams.
bdff60c
to
f859809
Compare
LGTM
This builds on @danbf and @katzdm's work in #18 to provide: `docker-compose` to spin up an example deployment of `sso` and two secured upstream services

RFR @buzzfeed/infra-security