Configure G Suite as an OIDC Identity Provider

Use G Suite for identity management with StackRox.

Follow the instructions here to use G Suite as a Single sign-on (SSO) provider for the StackRox Kubernetes Security Platform.

Prerequisites

Before you begin, you must have:

  • appropriate permissions to configure both StackRox and G Suite, and
  • administrator-level access to your organization’s G Suite account, so that you can create a new GCP project (recommended), or
  • permissions to create and configure OAuth 2.0 credentials for an existing GCP project.

See the OpenID Connect page for more details.

Set up OAuth 2.0 credentials for your GCP project

We recommend that you create a new project for managing access to the StackRox Kubernetes Security Platform. To create a new Google Cloud Platform (GCP) project, see the official Google documentation topic creating and managing projects.

After you’ve set up a new project,

  1. Open the Credentials page in the Google API Console.

  2. Verify the project name listed in the upper left corner (near the logo) to make sure that you’re using the correct project.

  3. To create new credentials, select Create Credentials > OAuth client ID.

  4. Choose Web application as the Application type.

  5. In the Name box, enter a name for the application, for example, StackRox.

  6. In the Authorized redirect URIs box, enter https://<stackrox-hostname>:<port-number>/sso/providers/oidc/callback.

    • replace <stackrox-hostname> with the hostname on which you expose your StackRox Central instance.
    • replace <port-number> with the port number on which you expose Central. If you are using the standard HTTPS port (443), you can omit the port number.
  7. Select Create. This creates an application and credentials and redirects you back to the credentials page.

  8. An information box opens, showing details about the newly created application. Close the information box.

  9. Copy and save the Client ID that ends with .apps.googleusercontent.com. You need it when you configure StackRox, and you can look it up again later on the Credentials page of the Google API Console.

  10. Select OAuth consent screen from the navigation menu on the left. The OAuth consent screen configuration applies to the entire GCP project, not only to the application you created in the previous steps. If this project already has an OAuth consent screen configured and you want different settings for the StackRox Kubernetes Security Platform login, create a new GCP project instead.

    On the OAuth consent screen page:

    1. choose Internal as the Application type. Internal restricts sign-in to accounts in your G Suite organization; if you select Public, anyone with a Google account can sign in.
    2. enter a descriptive Application name. This name is shown to users on the consent screen when they sign in, for example, StackRox or Organization SSO for StackRox Kubernetes Security Platform.
    3. leave Application logo blank, or use our logo from the Media Kit.
    4. verify that Scopes for Google APIs lists only the email, profile, and openid scopes. These are the only scopes SSO needs; granting additional scopes increases the risk of exposing sensitive data.
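The values produced by the procedure above (the redirect URI from step 6, the client ID from step 9, the scope list from the consent screen) are easy to get subtly wrong, and the resulting ID tokens must be checked before a login is trusted. The following is an added example written for this page, not StackRox's or Google's code: it builds the redirect URI and authorization request, validates the callback state, and checks the claims of a Google ID token, including the G Suite hosted-domain (hd) claim that ties the account to your organization rather than to any Google account. The hostname central.example.com, the domain example.com and the client ID are hypothetical; signature verification against Google's published JWKS is a separate online step that the block does not perform.

```python
"""Offline checks for a G Suite (Google) OIDC client used for SSO.

Added example, not StackRox or Google code. Hostname, port, client ID and
domain used below are hypothetical.
"""
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Google has issued ID tokens under both spellings of its issuer; accept either.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
SSO_SCOPES = {"openid", "email", "profile"}      # the only scopes SSO needs
CALLBACK_PATH = "/sso/providers/oidc/callback"  # Central's OIDC callback path
CLIENT_ID_SUFFIX = ".apps.googleusercontent.com"


def redirect_uri(hostname: str, port: int = 443) -> str:
    """Value for 'Authorized redirect URIs' (step 6); port 443 is omitted."""
    netloc = hostname if port == 443 else f"{hostname}:{port}"
    return f"https://{netloc}{CALLBACK_PATH}"


def check_client_id(client_id: str) -> bool:
    """A Google OAuth client ID ends with .apps.googleusercontent.com (step 9)."""
    return client_id.endswith(CLIENT_ID_SUFFIX) and len(client_id) > len(CLIENT_ID_SUFFIX)


def excess_scopes(requested) -> set:
    """Scopes beyond openid/email/profile; anything returned is not needed for SSO."""
    return set(requested) - SSO_SCOPES


def authorization_url(client_id: str, redirect: str, state: str, nonce: str) -> str:
    """Authorization request the relying party redirects the browser to (code flow)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect,
        "response_type": "code",
        "scope": " ".join(sorted(SSO_SCOPES)),
        "state": state,  # binds the callback to this browser session
        "nonce": nonce,  # must come back inside the ID token
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(url: str, expected_state: str) -> str:
    """Extract the authorization code from the callback URL, rejecting a bad state."""
    query = parse_qs(urlsplit(url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload. Does NOT verify the signature; do that against Google's JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, client_id: str, nonce: str, hosted_domain: str, now=None) -> list:
    """Return the list of failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        failures.append(f"iss: unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        failures.append("aud: token was not issued to this client ID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        failures.append("exp: token is expired or has no expiry")
    if claims.get("nonce") != nonce:
        failures.append("nonce: does not match the nonce sent in the request")
    if claims.get("email_verified") is not True:
        failures.append("email_verified: address not verified by Google")
    # 'hd' is the G Suite hosted domain: it is what ties the account to your
    # organization instead of to any Google account.
    if claims.get("hd") != hosted_domain:
        failures.append(f"hd: account is not in {hosted_domain}")
    return failures


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed fixture for offline tests: header.payload with an empty signature.
    A real relying party must never accept an unsigned token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    cid = "123456789012-abcdefghijklmnop.apps.googleusercontent.com"  # hypothetical
    redirect = redirect_uri("central.example.com")                     # hypothetical host
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(authorization_url(cid, redirect, state, nonce))
    print("code:", parse_callback(f"{redirect}?state={state}&code=4/0AbCdEf", state))
    claims = {"iss": "https://accounts.google.com", "aud": cid, "exp": time.time() + 3600,
              "nonce": nonce, "email": "alice@example.com", "email_verified": True, "hd": "example.com"}
    print("failures:", validate_id_token_claims(jwt_claims(make_unsigned_test_token(claims)), cid, nonce, "example.com"))
```

Run it with no arguments to see the authorization URL and an empty failure list for the constructed token; change the hd value in the constructed claims to see the check reject an account from another Google domain.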

Configure StackRox

After you’ve set up OAuth credentials for your GCP project, follow the instructions on the configure OIDC identity provider page to use G Suite for Single sign-on.


© 2021 StackRox Inc. All rights reserved.