2023-04-25 16:58:47 +02:00
---
title: Google SSO
slug: /deployment/security/google
---
# Google SSO
Follow the sections in this guide to set up Google SSO.
{% note %}
Security requirements for your **production** environment:
- **DELETE** the admin default account shipped by OM in case you had [Basic Authentication ](/deployment/security/basic-auth )
enabled before configuring the authentication with Google SSO.
- **UPDATE** the Private / Public keys used for the [JWT Tokens ](/deployment/security/enable-jwt-tokens ). The keys we provide
by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.
{% /note %}
## Create Server Credentials
### Step 1: Create the Account
- Go to [Create Google Cloud Account ](https://console.cloud.google.com/ )
- Click on `Create Project`
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/create-account.png" alt="create-account" caption="Create a New Account" /%}
2023-04-25 16:58:47 +02:00
### Step 2: Create a New Project
Enter the **Project name** .
Enter the parent organization or folder in the **Location box** . That resource will be the hierarchical parent of the new project.
Click **Create** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/create-project.png" alt="create-project" caption="Create a New Project" /%}
2023-04-25 16:58:47 +02:00
### Step 3: How to Configure OAuth Consent
- Select the project you created above and click on **APIs & Services** on the left-side panel.
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/configure-oauth-consent.png" alt="configure-oauth-consent" /%}
2023-04-25 16:58:47 +02:00
- Click on the **OAuth Consent Screen** available on the left-hand side panel.
- Choose User Type **Internal** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/select-user-type.png" alt="select-user-type" /%}
2023-04-25 16:58:47 +02:00
- Once the user type is selected, provide the **App Information** and other details.
- Click **Save and Continue** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/save-app-information.png" alt="save-app-information" /%}
2023-04-25 16:58:47 +02:00
- On the **Scopes Screen** , Click on **ADD OR REMOVE SCOPES** and select the scopes.
- Once done click on **Update** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/scopes-screen.png" alt="scopes-screen" /%}
2023-04-25 16:58:47 +02:00
- Click **Save and Continue** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/save-edit-app-registration.png" alt="save-edit-app-registration" /%}
2023-04-25 16:58:47 +02:00
- Click on **Back to Dashboard** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/back-to-dashboard.png" alt="back-to-dashboard" /%}
{% image src="/images/v0.13.3/deployment/security/google/back-to-dashboard-2.png" alt="back-to-dashboard" /%}
2023-04-25 16:58:47 +02:00
### Step 4: Create Credentials for the Project
- Once the OAuth Consent is configured, click on **Credentials** available on the left-hand side panel.
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/create-credentials.png" alt="create-credentials" /%}
2023-04-25 16:58:47 +02:00
- Click on **Create Credentials**
- Select **OAuth client ID** from the dropdown.
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/select-outh-client-id.png" alt="cselect-outh-client-id" /%}
2023-04-25 16:58:47 +02:00
- Once selected, you will be asked to select the **Application type** . Select **Web application** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/select-web-application.png" alt="select-web-application" /%}
2023-04-25 16:58:47 +02:00
After selecting the **Application Type** , name your project and give the authorized URIs:
- domain/callback
- domain/silent-callback
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/authorized-urls.png" alt="authorized-urls" /%}
2023-04-25 16:58:47 +02:00
- Click **Create**
- You will get the credentials
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/get-the-credentials.png" alt="get-the-credentials" /%}
2023-04-25 16:58:47 +02:00
### Step 5: Where to Find the Credentials
- Go to **Credentials**
- Click on the **pencil icon (Edit OAuth Client)** on the right side of the screen
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/find-credentials.png" alt="find-credentials" /%}
2023-04-25 16:58:47 +02:00
- You will find the **Client ID** and **Client Secret** in the top right corner
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/find-clientid-and-secret.png" alt="find-clientid-and-secret" /%}
2023-04-25 16:58:47 +02:00
## Create Service Account (optional)
This is a guide to create ingestion bot service account. This step is optional if you configure the ingestion-bot with
the JWT Token, you can follow the documentation of [Enable JWT Tokens ](/deployment/security/enable-jwt-tokens ).
### Step 1: Create Service-Account
- Navigate to your project dashboard
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/create-service-account.png" alt="create-service-account" /%}
2023-04-25 16:58:47 +02:00
- Click on **Credentials** on the left side panel
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/click-credentials.png" alt="click-credentials" /%}
2023-04-25 16:58:47 +02:00
- Click on **Manage service accounts** available on the center-right side.
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/manage-service-accounts.png" alt="manage-service-accounts" /%}
2023-04-25 16:58:47 +02:00
- Click on **CREATE SERVICE ACCOUNT**
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/click-save-create-service-account.png" alt="click-save-create-service-account" /%}
2023-04-25 16:58:47 +02:00
- Provide the required service account details.
{% note %}
Ensure that the Service Account ID is **ingestion-bot** and click on **CREATE AND CONTINUE** . If you chose a different Service Account Id, add it to the default bots in OpenMetadata Server Configuration -> authorizerConfig section
{% /note %}
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/required-account-details.png" alt="required-account-details" /%}
2023-04-25 16:58:47 +02:00
- Click on **Select a role** and give the **Owner** role. Then click **Continue** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/select-owner-role.png" alt="select-owner-role" /%}
2023-04-25 16:58:47 +02:00
- Click **DONE**
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/click-done-service-account.png" alt="click-done-service-account" /%}
2023-04-25 16:58:47 +02:00
- Now you should see your service account listed.
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/listed-service-account.png" alt="listed-service-account" /%}
2023-04-25 16:58:47 +02:00
### Step 2: Enable Domain-Wide Delegation
- Click on the service account in the list.
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/enable-domain-wide-delegation.png" alt="enable-domain-wide-delegation" /%}
2023-04-25 16:58:47 +02:00
- On the details page, click on **SHOW DOMAIN-WIDE DELEGATION**
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/show-domain-wide-delegation.png" alt="show-domain-wide-delegation" /%}
2023-04-25 16:58:47 +02:00
- Enable Google Workspace Domain-wide Delegation
- Click on **SAVE**
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/enable-google-domain-wide-delegation.png" alt="enable-google-domain-wide-delegation" /%}
2023-04-25 16:58:47 +02:00
### How to Generate Private-Key/Service-Account JSON File
- Once done with the above steps, click on **KEYS** available next to the **DETAILS** tab.
- Click on **ADD KEY** and select **Create a new key** .
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/create-new-key.png" alt="create-new-key" /%}
2023-04-25 16:58:47 +02:00
- Select the format. The **JSON format** is recommended.
- Next, click on **CREATE**
2023-05-16 08:30:15 +02:00
{% image src="/images/v0.13.3/deployment/security/google/save-json.png" alt="save-json" /%}
2023-04-25 16:58:47 +02:00
- The private-key/service-account JSON file will be downloaded.
After the applying these steps, you can update the configuration of your deployment:
{%inlineCalloutContainer%}
{%inlineCallout
icon="celebration"
bold="Docker Security"
href="/deployment/security/google/docker" %}
Configure Auth0 SSO for your Docker Deployment.
{%/inlineCallout%}
{%inlineCallout
icon="storage"
bold="Bare Metal Security"
href="/deployment/security/google/bare-metal" %}
Configure Auth0 SSO for your Bare Metal Deployment.
{%/inlineCallout%}
{%inlineCallout
icon="fit_screen"
bold="Kubernetes Security"
href="/deployment/security/google/kubernetes" %}
Configure Auth0 SSO for your Kubernetes Deployment.
{%/inlineCallout%}
{%/inlineCalloutContainer%}
## Configure Ingestion
After everything has been set up, you will need to configure your workflows if you are running them via the
`metadata` CLI or with any custom scheduler.
When setting up the YAML config for the connector, update the `workflowConfig` as follows:
```yaml
workflowConfig:
openMetadataServerConfig:
hostPort: "http://localhost:8585/api"
authProvider: google
securityConfig:
secretKey: "{path-to-json-creds}"
```