Google Sign-In

[chillfox]

Please add support for using google apps accounts for logon.

[matt-land]

So this feature was added? Or just the label was removed?

[vincent99]

release/future label was converted to milestone Unscheduled.

1.2 will include moving auth out of cattle and into a standalone golang project that will be more pluggable. So we could potentially look at this after that, though TBH it seems like there is minimal community interest (and zero customer interest that I'm aware of).

[sjwoodr]

I would love to have this feature. All of the team has a Google Apps login but not everyone has a GitHub user. Plus, when a developer leaves the company, they retain their GitHub user -- they would not retain access to their Google Apps login.

+1 this feature

[AtomiclyCursed]

For the same reason as @sjwoodr it would be nice to have, I wouldn't expect permissions to be handed on the Google Apps side, just the oauth and rancher to handle permissions, even if it was just domain locked e.g. @example.com

[johnrengelman]

Also would be interested in this for customer uses.
Especially now that GitHub is adding SAML integration to their public offering (https://github.com/universe-2016).

This biggest issue here is account deprovisioning as you have to remove someone from the GitHub org which in my experience is something that doesn't quite happen in lock step with some leaving.

[matesitox]

+1 We have lots of gapps accounts using rancher, makes account managment much easier!

[robbatt]

+1 We would also like to see this

[arunkjn]

Hey guys, do you have plans to release this in the near future? We use g apps for our enterprise and would love to see our rancher cluster integrated with it.

[kylegoch]

@vincent99 any status update on this? Been a few months since an update and was curious.

[vincent99]

Nothing new, we still have no plans to add this without a customer driving it...

[kylegoch]

Hmm, noted. We are in the process of eval'ing Rancher and noticed it missing. It would make our lives much easier. We may be a customer if we go Rancher. So will definitely request if that happens :-)

[vanhaeren]

+1 from another potential customer

[kylegoch]

Since it's apparently customer driven, is it not possible to just have Universal SAML? We were excited the release notes for 2.1.0 mentioned SAML. However after reading the docs, it's only for Ping Identity and KeyCloak. Which are services I have never heard of before, but some one must be using them enough to warrant the work.

G Suite integration would definitely be an easy win for the community, but understand if you are still abiding by only adding Auth providers for a customer request.

[shmulikah]

Love to see this feature in a future release.
We have SSO across all of our stack, except Rancher :(
Supporting SAML will be enough

[trollr]

If you want to use GSuite SAML you can use AD FS + https://mattslifebytes.com/2018/08/15/using-okta-and-other-saml-idps-with-rancher-2-0/

[mrajashree]

For Google Oauth #10053

[mrajashree]

Backend for this is ready

[sowmyav27]

Verified this on rancher:master-head

• Google Auth is enabled.
• This feature can be enabled/disabled.
• To enable this, input fields - Admin Email, Domain name, OAuth creds and Service account creds.
• User is able to enable and disable google auth.
• On enabling google auth from Rancher UI, user will be redirected to google page and be prompted to enter username and password. User will enter valid details and click on Allow.
• User gets redirected back to Rancher UI with Google Auth enabled.

[mr-karan]

@sowmyav27 Testing out the master-head release, is there any doc on what Role to give for the service account? I am getting the following error which I presume is because of wrong permissions:

TestAndApply Error
[Google OAuth] testAndApply: server error while authenticating: Get https://www.googleapis.com/admin/directory/v1/groups?alt=json&domain=redacted.com&prettyPrint=false&userKey=redacted: oauth2: cannot fetch token: 401 Unauthorized Response: { "error": "unauthorized_client", "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." }

Also, what should be value of Admin email and Domain name in the rancher UI?

Thanks for the PR though! :D

[sowmyav27]

@mr-karan There is an issue related to providing more instructions on the UI for the Service Account creds. #21389

@mrajashree Could you add your comments - as to the exact instructions to set up a Service Account and get the related creds?

[mr-karan]

@mrajashree Hi! Can you please let me know the instructions to create a SA, would be really helpful! I am stuck on this and would love to go live with the Google Auth 👍

Again, thanks for the PR

[mr-karan]

@sowmyav27 @mrajashree Hi, can I have your attention on this please? :) I upgraded to the latest master release to try this feature, but due to the above mentioned roadblocks, unable to get this rolling. Do you mind documenting the instructions to setup google auth please?

[mrajashree]

@mr-karan The docs aren't up yet but this gist contains the instructions https://gist.github.com/mrajashree/9dc4cd8e11a9e813a96e713964c74ca9

Please let us know if that works :)