Single Sign-On with Google

Set up Single Sign-On with Google

Step 1: Set the Base URL

  1. In the Platform sidebar, click on your user, then click Admin Settings. Switch to the Single sign-on tab.

  2. In the Base URL field, enter the https URL for your platform installation and click Submit. This will generally match the value in your browser. It should be the domain or subdomain you host CloudQuery platform on, like https://cloudquery.example.com:

Step 2: Create a SAML app in Google Admin

  1. In a new tab, open https://admin.google.com/

  2. Click Apps → Web and mobile apps → Add app → Add custom SAML app

Step 3: Complete App Details

  1. In the App Name field, enter a name to identify your application with. CloudQuery is a good choice in most cases.

  2. (Optional) Enter a description

  3. (Optional) Provide an App icon for your users. You can use this icon: (Right-click on the image → Save Image As... → Save to your drive. Then upload it in the Google interface.)

  4. Click Continue

Step 4: Download & Upload Metadata

  1. On the next page, click Download Metadata:

This will download an GoogleIDPMetadata.xml file onto your drive. Click Continue.

  1. Upload the XML metadata file in the CloudQuery admin panel by clicking Upload metadata file:

Step 5: Enter ACS URL and Entity ID

Back in the Google Admin interface, enter the value for ACS URL and Entity ID. These values can be copy-pasted from the CloudQuery Platform Admin page:

Copy these values into the highlighted fields:

When done, click Continue on the Google page.

Step 6: Set Attribute Mappings

Next, enter some basic attribute mapping information:

  1. First name → first_name

  2. Last name → last_name

  3. Primary email → email

Step 7: Configure Group Membership

On the same screen, we need to configure which members, if any, will be granted admin access to CloudQuery Platform.

Admin write access allows users to set up and modify syncs, create API keys, add and remove users, and perform other sensitive actions. By default, users that log in via SSO will be granted normal permissions, not admin permissions.

You may want to configure your application so that a specific Google group automatically gets admin permissions. In the example below, we have configured it so that the team-cloud group automatically gets assigned admin. In the CloudQuery admin panel, make sure you set the admin group key to the same value as the app attribute in Google.

Enter exact Google group name and app attribute in the CloudQuery admin panel as well:

When you're done, click Continue in the Google UI.

Please note that at this time, only a single group value is supported. If you wish to have multiple groups map to admins in CloudQuery, we recommend you create a parent group for this purpose.

Step 7: Enable User Access

Now, click on the User access section.

The entire User access block is clickable

Select ON for everyone. Then click SAVE.

Though not covered in this guide, you can also specify which users in your organization should have access by only turning it on for certain groups.

Step 8: Save and Test

Click Save and enable on the CloudQuery admin page:

On the Google Admin page, click TEST SAML LOGIN.

If everything is set up correctly, you should now be logged into CloudQuery Platform with your Google account.

Last updated

Was this helpful?