Update for CR-5394 SAML google sync teams #373

Merged
NimRegev merged 3 commits into master from calssic-google-team-sync
Feb 16, 2022
77 changes: 71 additions & 6 deletions _docs/administration/single-sign-on/sso-google.md
Expand Up@@ -106,10 +106,16 @@ This concludes the basic SSO setup for Google. For team/group synchronization yo

## Synchronize teams with the Codefresh CLI

In the Codefresh configuration screen there are some optional fields that you can fill, in order to
get team synchronization via the Codefresh CLI. You need to create a service account and [delegate user and group permissions](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to it.
In the Codefresh configuration screen there are some optional fields that you can fill, to configure team synchronization via the Codefresh CLI.

You can do one of the following:

Create a Service account from Google Console:
* Sync _all users and groups_, by creating a service account and [delegating user and group permissions](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to it.
* Sync _only users who have been assigned the custom schema_, by creating a custom schema for user accounts, and creating and assigning the user role.


### Sync all users with service account from Google Console
Use this method to sync all users.

{% include image.html
lightbox="true"
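
Review bot: In the new "Sync all users with service account from Google Console" section, the only instruction left is "Use this method to sync all users."; the sentence telling the reader to create a service account and delegate user and group permissions now lives only in the overview bullet, and the "Create a Service account from Google Console:" lead-in before the screenshots is gone. Suggest restating the create-and-delegate step (with the delegation link) inside this section and naming exactly which permissions to delegate, since the service account key that ends up in Codefresh carries whatever that account was granted. The section text also says "all users" while the bullet says "all users and groups"; pick one wording.
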
Expand DownExpand Up@@ -137,14 +143,73 @@ caption="Creating a JSON key"
max-width="90%"
%}




Save the file locally. Go back to the Codefresh settings and fill in the fields

* `JSON Keyfile` - enter contents of the JSON file
* `Admin email` - The user that has access to `admin.google.com`

### Sync users by assigning custom schema to user accounts
Use this method to sync only those users who have been assigned the user role with the custom schema.

1. Navigate to the [Google Directory API](https://developers.google.com/admin-sdk/directory/v1/reference/schemas/insert?authuser=1).
1. Add the following schema:
```
{
"schemaName": "SSO",
"displayName": "SSO",
"fields": [
{
"fieldType": "STRING",
"fieldName": "UserRole",
"displayName": "UserRole",
"multiValued": true,
"readAccessType": "ADMINS_AND_SELF"
}
]
}
```
1. In the GSuite Admin panel, go to `Apps > SAML`.

{% include image.html
lightbox="true"
file="/images/administration/sso/google/google-gsuite-admin.png"
url="/images/administration/sso/google/google-gsuite-admin.png"
alt="SAML apps in GSuite Admin panel"
caption="SAML apps in GSuite Admin panel"
max-width="40%"
%}

{:start="4"}
1. Expand the Attribute Mapping settings, and add a Role attribute with the above schema for `SSO` and `UserRole`.
1. For every user to be synced, in the User Information screen, scroll to `SSO > UserRole`, and assign the user role.

{% include image.html
lightbox="true"
file="/images/administration/sso/google/google-gusite-user-info.png"
url="/images/administration/sso/google/google-gusite-user-info.png"
alt="User Information screen in GSuite"
caption="User Information screen in GSuite"
max-width="40%"
%}


### Configure sync setting in Codefresh SAML
This is required only if you are syncing users via a custom schema.


1. In the Codefresh UI, open the SAML configuration screen.
1. In the `Sync` field, set the value to the custom schemaName.

{% include image.html
lightbox="true"
file="/images/administration/sso/google/google-cf-saml-setting.png"
url="/images/administration/sso/google/google-cf-saml-setting.png"
alt="SAML Sync Setting in Codefresh for Google GSuite"
caption="SAML Sync Setting in Codefresh for Google GSuite"
max-width="40%"
%}


Now you can [synchronize teams with the Codefresh CLI]({{site.baseurl}}/docs/administration/single-sign-on/sso-setup-oauth2/#syncing-of-teams-after-initial-sso-setup) .
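
Review bot: Step 5 ("scroll to `SSO > UserRole`, and assign the user role") never says what value to enter in `UserRole`, and the Codefresh step says only "set the value to the custom schemaName" without stating that for the schema above this is `SSO`. Because this attribute decides which accounts get synced, spell out both values. Smaller points: the Directory API link in step 1 carries `?authuser=1`, which selects a particular signed-in Google account in the author's browser and should be dropped; the image name `google-gusite-user-info.png` looks like a typo for `gsuite`; the schema code fence has no language tag; and there is a stray space before the final period after the CLI link.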


4 changes: 3 additions & 1 deletion _docs/administration/single-sign-on/sso-setup-saml2.md
Expand Up@@ -80,10 +80,12 @@ Fill in the fields:
* *IDP Entry* - The SSO endpoint of your Identity Provider. (Ex: For Azure SAML, this is the Login URL)
* *Application Certificate* - The security certificate of your Identity Provider. Paste the value directly on the field. Do not convert to base64 or any other encoding by hand. (Ex: For Azure SAML, this will be Certificate (Base64) and the value needed is between the -----BEGIN ... and -----END... from the downloaded cert)
* *Assertion URL* - `https://g.codefresh.io/api/auth/<your_codefresh_client_name>/callback​` (where ​<your_codefresh_client_name>​ is taken from the SSO configuration you created on the section above. It was automatically generated by Codefresh after saving the SSO settings).
* *Auto Sync users and teams to Codefresh* - This only works for Google / GSuite SAML integration.
When syncing users with custom schema, in the *Sync* field, add the custom schemaName. Otherwise, if you are syncing all users and groups, leave this field empty.


Click the *SAVE* button and make sure to note down the `Client Name` that was autogenerated.

>Notice: When viewing the SAML, there is a check box for Auto Sync users and teams to Codefresh. This only works for Google / GSuite SAML integration.

Then in the settings of your Identity Provider create a new Service Provider and provide the following:
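
Review bot: The added bullet describes two different controls at once: the *Auto Sync users and teams to Codefresh* check box and a separate *Sync* field, which is only mentioned in the continuation sentence. Suggest giving *Sync* its own bullet, stating that it takes the `schemaName` of the custom schema and must stay empty when syncing all users and groups, and linking to the "Configure sync setting in Codefresh SAML" section of the Google page. The removed notice said the check box appears "when viewing the SAML"; the new bullet drops that, so it is no longer clear where the option is shown.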
