This feature is supported in Ambassador Pro. Ambassador Pro helps developers and operators accelerate their adoption of Kubernetes.

Register here to get started with a free trial of Ambassador Pro.

Google Single Sign-On

Create an OAuth client in the Google API console

To use Google as and IdP for Single Sign-On, you will first need to create an OAuth web application in the Google API Console.

  1. Open the Credentials page in the API Console

  2. Click Create credentials > OAuth client ID.

  3. Select Web application and give it a name

  4. Under Restrictions, fill in the Authorized redirect URIs with

    http(s)://{{AMBASSADOR_URL}}/callback
  5. Click Create

  6. Record the client ID and client secret in the pop-up window. You will need these when configuring Ambassador Pro

Set up Ambassador

After creating an OAuth client in Google, configuring Ambassador to make use it for authentication is simple.

  1. Create an OAuth Filter with the credentials from above

    apiVersion: getambassador.io/v1beta2
    kind: Filter
    metadata:
      name: google
    spec:
      OAuth2:
        # Google openid-configuration endpoint can be found at https://accounts.google.com/.well-known/openid-configuration
        authorizationURL: https://accounts.google.com
        # The clientURL is the scheme and Host of your Ambassador endpoint
        clientURL: http(s)://{{AMBASSADOR_URL}}
        # Client ID from step 6 above
        clientID: CLIENT_ID
        # Secret created in step 6 above
        secret: CLIENT_SECRET
  2. Create a FilterPolicy to use the Filter created above

    apiVersion: getambassador.io/v1beta2
    kind: FilterPolicy
    metadata:
      name: azure-policy
    spec:
      rules:
          # Requires authentication on requests from any hostname
        - host: "*"
          # Tells Ambassador Pro to apply the Filter only on request to the /backend/get-quote/ endpoint from the tour application(https://www.getambassador.io/user-guide/getting-started#3-creating-your-first-service)
          path: /backend/get-quote/
          # Identifies which Filter to use for the path and hose above
          filters:
            - name: google
  3. Apply both the Filter and FilterPolicy above with kubectl

    kubectl apply -f google-filter.yaml
    kubectl apply -f google-policy.yaml

Now any requests to https://{{AMBASSADOR_URL}}/backend/get-quote/ will require authentication from Google.