OpenMetadata/openmetadata-docs/content/v0.13.3/deployment/security/google/index.md

title	slug
Google SSO	/deployment/security/google

Google SSO

Follow the sections in this guide to set up Google SSO.

{% note %}

Security requirements for your production environment:

• DELETE the admin default account shipped by OM in case you had Basic Authentication enabled before configuring the authentication with Google SSO.
• UPDATE the Private / Public keys used for the JWT Tokens. The keys we provide by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.

{% /note %}

Create Server Credentials

Step 1: Create the Account

• Go to Create Google Cloud Account
• Click on Create Project

{% image src="/images/v0.13.3/deployment/security/google/create-account.png" alt="create-account" caption="Create a New Account" /%}

Step 2: Create a New Project

Enter the Project name. Enter the parent organization or folder in the Location box. That resource will be the hierarchical parent of the new project. Click Create. {% image src="/images/v0.13.3/deployment/security/google/create-project.png" alt="create-project" caption="Create a New Project" /%}

Step 3: How to Configure OAuth Consent

• Select the project you created above and click on APIs & Services on the left-side panel. {% image src="/images/v0.13.3/deployment/security/google/configure-oauth-consent.png" alt="configure-oauth-consent" /%}

• Click on the OAuth Consent Screen available on the left-hand side panel.

• Choose User Type Internal. {% image src="/images/v0.13.3/deployment/security/google/select-user-type.png" alt="select-user-type" /%}

• Once the user type is selected, provide the App Information and other details.

• Click Save and Continue. {% image src="/images/v0.13.3/deployment/security/google/save-app-information.png" alt="save-app-information" /%}

• On the Scopes Screen, Click on ADD OR REMOVE SCOPES and select the scopes.

• Once done click on Update. {% image src="/images/v0.13.3/deployment/security/google/scopes-screen.png" alt="scopes-screen" /%}

• Click Save and Continue. {% image src="/images/v0.13.3/deployment/security/google/save-edit-app-registration.png" alt="save-edit-app-registration" /%}

• Click on Back to Dashboard. {% image src="/images/v0.13.3/deployment/security/google/back-to-dashboard.png" alt="back-to-dashboard" /%} {% image src="/images/v0.13.3/deployment/security/google/back-to-dashboard-2.png" alt="back-to-dashboard" /%}

Step 4: Create Credentials for the Project

• Once the OAuth Consent is configured, click on Credentials available on the left-hand side panel. {% image src="/images/v0.13.3/deployment/security/google/create-credentials.png" alt="create-credentials" /%}

• Click on Create Credentials

• Select OAuth client ID from the dropdown. {% image src="/images/v0.13.3/deployment/security/google/select-outh-client-id.png" alt="cselect-outh-client-id" /%}

• Once selected, you will be asked to select the Application type. Select Web application. {% image src="/images/v0.13.3/deployment/security/google/select-web-application.png" alt="select-web-application" /%}

After selecting the Application Type, name your project and give the authorized URIs:

• domain/callback

• domain/silent-callback {% image src="/images/v0.13.3/deployment/security/google/authorized-urls.png" alt="authorized-urls" /%}

• Click Create

• You will get the credentials {% image src="/images/v0.13.3/deployment/security/google/get-the-credentials.png" alt="get-the-credentials" /%}

Step 5: Where to Find the Credentials

• Go to Credentials

• Click on the pencil icon (Edit OAuth Client) on the right side of the screen {% image src="/images/v0.13.3/deployment/security/google/find-credentials.png" alt="find-credentials" /%}

• You will find the Client ID and Client Secret in the top right corner {% image src="/images/v0.13.3/deployment/security/google/find-clientid-and-secret.png" alt="find-clientid-and-secret" /%}

Create Service Account (optional)

This is a guide to create ingestion bot service account. This step is optional if you configure the ingestion-bot with the JWT Token, you can follow the documentation of Enable JWT Tokens.

Step 1: Create Service-Account

• Navigate to your project dashboard {% image src="/images/v0.13.3/deployment/security/google/create-service-account.png" alt="create-service-account" /%}

• Click on Credentials on the left side panel {% image src="/images/v0.13.3/deployment/security/google/click-credentials.png" alt="click-credentials" /%}

• Click on Manage service accounts available on the center-right side. {% image src="/images/v0.13.3/deployment/security/google/manage-service-accounts.png" alt="manage-service-accounts" /%}

• Click on CREATE SERVICE ACCOUNT {% image src="/images/v0.13.3/deployment/security/google/click-save-create-service-account.png" alt="click-save-create-service-account" /%}

• Provide the required service account details.

{% note %}

Ensure that the Service Account ID is ingestion-bot and click on CREATE AND CONTINUE. If you chose a different Service Account Id, add it to the default bots in OpenMetadata Server Configuration -> authorizerConfig section

{% /note %} {% image src="/images/v0.13.3/deployment/security/google/required-account-details.png" alt="required-account-details" /%}

• Click on Select a role and give the Owner role. Then click Continue. {% image src="/images/v0.13.3/deployment/security/google/select-owner-role.png" alt="select-owner-role" /%}

• Click DONE {% image src="/images/v0.13.3/deployment/security/google/click-done-service-account.png" alt="click-done-service-account" /%}

• Now you should see your service account listed. {% image src="/images/v0.13.3/deployment/security/google/listed-service-account.png" alt="listed-service-account" /%}

Step 2: Enable Domain-Wide Delegation

• Click on the service account in the list. {% image src="/images/v0.13.3/deployment/security/google/enable-domain-wide-delegation.png" alt="enable-domain-wide-delegation" /%}

• On the details page, click on SHOW DOMAIN-WIDE DELEGATION {% image src="/images/v0.13.3/deployment/security/google/show-domain-wide-delegation.png" alt="show-domain-wide-delegation" /%}

• Enable Google Workspace Domain-wide Delegation

• Click on SAVE {% image src="/images/v0.13.3/deployment/security/google/enable-google-domain-wide-delegation.png" alt="enable-google-domain-wide-delegation" /%}

How to Generate Private-Key/Service-Account JSON File

• Once done with the above steps, click on KEYS available next to the DETAILS tab.

• Click on ADD KEY and select Create a new key. {% image src="/images/v0.13.3/deployment/security/google/create-new-key.png" alt="create-new-key" /%}

• Select the format. The JSON format is recommended.

• Next, click on CREATE {% image src="/images/v0.13.3/deployment/security/google/save-json.png" alt="save-json" /%}

• The private-key/service-account JSON file will be downloaded.

After the applying these steps, you can update the configuration of your deployment:

{%inlineCalloutContainer%}

{%inlineCallout icon="celebration" bold="Docker Security" href="/deployment/security/google/docker" %} Configure Auth0 SSO for your Docker Deployment. {%/inlineCallout%}

{%inlineCallout icon="storage" bold="Bare Metal Security" href="/deployment/security/google/bare-metal" %} Configure Auth0 SSO for your Bare Metal Deployment. {%/inlineCallout%}

{%inlineCallout icon="fit_screen" bold="Kubernetes Security" href="/deployment/security/google/kubernetes" %} Configure Auth0 SSO for your Kubernetes Deployment. {%/inlineCallout%}

{%/inlineCalloutContainer%}

Configure Ingestion

After everything has been set up, you will need to configure your workflows if you are running them via the metadata CLI or with any custom scheduler.

When setting up the YAML config for the connector, update the workflowConfig as follows:

workflowConfig:
  openMetadataServerConfig:
    hostPort: "http://localhost:8585/api"
    authProvider: google
    securityConfig:
      secretKey: "{path-to-json-creds}"