Google IAM setup example

In addition to providing out-of-the-box support for LDAP, Active Directory, SAML and Kerberos, Anaconda Enterprise also enables you to configure the platform to use other external identity providers to authenticate users. If your enterprise uses Google’s Cloud IAM (Identity and Access Management) to manage access to Google Cloud Platform (GCP) resources, for example, you can use the following process to configure the platform to use Cloud IAM as your identity provider. This will allow users to log in to the platform using their Google (or G-Suite) credentials.

Before you begin:


Enabling the Google+ API

With your project selected in Google Cloud Platform:

  1. Select APIs & Services from the menu on the left.

  2. Select ENABLE APIs AND SERVICES, then locate and select the Google+ API card in the API library.

  3. Click ENABLE.

Now you can create credentials for the platform to access your Google Cloud project.


Creating Google+ credentials

With your project selected in Google Cloud Platform:

  1. Select APIs & Services > Credentials from the menu on the left.

  2. Click Create credentials and select Help me choose from the drop-down menu.

    Note

    If you haven’t already, be sure to enable the Google+ API before proceeding.

  3. Select Google+ API from the API drop-down list, Web server from the next drop-down, and User data for the last question.

  4. Click What credentials do I need? to create the appropriate credentials for the platform.

  5. Enter a meaningful name, such as Anaconda Enterprise, to identify the platform (and help differentiate it from any other web applications you may have configured to use Google IAM).

  6. In the Authorized JavaScript origins field, provide the FQDN of the Anaconda Enterprise server instance.

  7. Open the Anaconda Enterprise Auth Center (see instructions below), and copy and paste the value from the Redirect URI field into the Authorized redirect URIs field here.

    Note

    If the domain is not an authorized domain, you’ll see an Invalid Redirect error, and be prompted to add it to the authorized domains list before proceeding.

  8. Click Create OAuth client ID.

  9. On the OAuth consent screen tab:

    • Set the Application type to Public.

    • Set the Application name to Anaconda Enterprise (or something else meaningful to platform users).

    • Optionally, upload a logo to help users recognize Anaconda Enterprise.

    • Provide a Support email address for users to reach out for help.

    • Provide the full path to the authorized homepage where users will access Anaconda Enterprise.

    • Optionally, provide authorized links to your organization’s privacy policy and terms of service.

  10. Click Create to display the OAuth client credentials that you’ll need to copy and paste into Anaconda Enterprise, to enable the platform to authenticate with Google. (See Step 5 below.)


Configuring Google to be your identity provider

Now that you’ve configured your GCP project to work with Anaconda Enterprise, you need to use the Anaconda Enterprise Administrative Console’s Authentication Center to configure Google as your external identity provider:

  1. Log in to Anaconda Enterprise, click the Menu icon in the top right corner, then click the Administrative Console link at the bottom of the slideout menu.

  2. Click Manage Users and log in to the Authentication Center using the Administrator credentials configured after installation.

  3. In the Configure menu on the left, select Identity Providers and select Google from the Add provider drop-down list.

  4. The Settings tab displays the Redirect URI you need to copy to the Google Cloud project’s configuration. The Redirect URI will look similar to this: https://<full-qualified-domain-name>/auth/realms/AnacondaPlatform/broker/google/endpoint.

  5. Copy and paste the credentials from GCP (Step 9 above) into the Client ID and Client Secret fields, and click Save.

Now that you’ve completed the configuration, the Anaconda Enterprise login screen will include a Google login option.

Note

When users choose this option and log in to the platform, they’ll be automatically added as new AE users. As an Administrator, you can then configure their group assignments and role mappings. For more information, see Roles and groups.
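
A pre-flight check for the two URL values entered in the Google Cloud project (Authorized JavaScript origins and Authorized redirect URIs), written as an added example and not part of Anaconda Enterprise or its documentation. The function names and the FQDN `ae.example.com` are hypothetical; the path is the one shown in the Redirect URI format above.

```python
from urllib.parse import urlsplit

# Path portion of the Redirect URI shown on the Settings tab (from this page).
BROKER_PATH = "/auth/realms/AnacondaPlatform/broker/google/endpoint"


def expected_values(fqdn):
    """Return (javascript_origin, redirect_uri) for an AE server FQDN."""
    origin = "https://" + fqdn.strip().rstrip(".").lower()
    return origin, origin + BROKER_PATH


def _common_problems(pasted, fqdn):
    """Checks shared by both fields: whitespace, scheme, host, query/fragment."""
    host = urlsplit(expected_values(fqdn)[0]).hostname
    parts = urlsplit(pasted.strip())
    problems = []
    if pasted != pasted.strip():
        problems.append("leading or trailing whitespace")
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if parts.hostname != host:
        problems.append(f"host is {parts.hostname!r}, expected {host!r}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    return parts, problems


def check_redirect_uri(pasted, fqdn):
    """Problems with the value for Authorized redirect URIs (empty list = OK)."""
    parts, problems = _common_problems(pasted, fqdn)
    # Assumption: the registered value must match the one AE sends exactly,
    # so case changes and trailing slashes in the path are reported.
    if parts.path != BROKER_PATH:
        problems.append(f"path is {parts.path!r}, expected {BROKER_PATH!r}")
    return problems


def check_js_origin(pasted, fqdn):
    """Problems with the value for Authorized JavaScript origins."""
    parts, problems = _common_problems(pasted, fqdn)
    if parts.path:
        problems.append("origin must not include a path or trailing slash")
    return problems


if __name__ == "__main__":
    fqdn = "ae.example.com"  # constructed sample FQDN
    pasted = "http://ae.example.com/auth/realms/anacondaplatform/broker/google/endpoint/"
    for problem in check_redirect_uri(pasted, fqdn):
        print("redirect URI:", problem)
```

Run it against the values you are about to paste into the Google Cloud project; an empty list from both checks means they agree with the format shown on the Settings tab.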